Persistence via Obfuscated Binary and Scheduled Task Commandline

Description

Generates a new obfuscated payload and installs it for persistence on the target.

Overview

Installs persistence by creating a scheduled task that runs an obfuscated cradle on startup or logon using schtasks.exe. This script requires a high integrity process for the System profile.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • High Integrity process for the System Profile

Example Output

[
  {
    "Persistence": {
      "Id": "5a6fa3623aa744bd933f6ba168b0ca13",
      "Method": "Scheduled Task",
      "Trigger": "OnStartup",
      "Build": "92cbf1b0f92642859f28f258226cc1f3",
      "Profile": "System",
      "Event": "Create",
      "Success": true,
      "UninstallScript": "$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like 'success';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"5a6fa3623aa744bd933f6ba168b0ca13\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t}\r\n}",
      "TaskName": "CacheTask",
      "EnvironmentVariableName": "GPO_AUX"
    }
  }
]
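As an added hunting example that is not part of the module's own code, the PowerShell script below enumerates scheduled tasks whose action launches a script host with arguments that reference an environment variable, then lists Machine-scope environment variables holding long or base64-like values, which is the pattern the output above records ('CacheTask' paired with 'GPO_AUX'). It assumes an elevated session on a host with the ScheduledTasks module; the host-name patterns and the length threshold are constructed for illustration.

```powershell
# Hunting script for scheduled-task persistence that stages its payload in an
# environment variable. Added example; not part of the module or the framework.
# Assumptions: run elevated; ScheduledTasks module present (Windows 8 / 2012+).

# Script hosts commonly used to launch a cradle (constructed list, extend as needed).
$hostPattern   = '(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$'
# Argument strings that pull content out of an environment variable.
$envRefPattern = '(?i)(%[A-Z0-9_]+%|\$env:[A-Z0-9_]+|\[Environment\]::GetEnvironmentVariable)'
$minSuspiciousLength = 256   # constructed threshold; machine variables are rarely this long

# Pass 1: tasks whose exec action is a script host referencing an environment variable.
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # ComHandler actions carry no Execute
        $exe       = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
        $argString = [string]$action.Arguments
        if ($exe -match $hostPattern -and $argString -match $envRefPattern) {
            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Execute   = $action.Execute
                Arguments = $argString
            }
        }
    }
}
$findings | Format-List

# Pass 2: Machine-scope environment variables that look like staged payloads.
$machineVars = [Environment]::GetEnvironmentVariables('Machine')
foreach ($name in $machineVars.Keys) {
    $value = [string]$machineVars[$name]
    $looksEncoded = $value -match '^[A-Za-z0-9+/=]{64,}$'   # base64-like blob
    if ($value.Length -ge $minSuspiciousLength -or $looksEncoded) {
        [PSCustomObject]@{
            Variable = $name
            Length   = $value.Length
            Preview  = $value.Substring(0, [Math]::Min(60, $value.Length))
        }
    }
}
```

A hit in pass 1 whose task runs as SYSTEM with a boot or logon trigger, combined with a matching variable name in pass 2, is the combination to triage first; removing the variable alone leaves the task behind and vice versa.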

Example Uninstall Script

The module also generates an uninstall script that removes the scheduled task and clears the environment variable it created, reporting the result in the same record format as the install.

# Delete the task by name; schtasks prints a "SUCCESS: ..." sentence when it succeeds.
$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);
# -like needs wildcards to match that sentence; a bare 'success' matches only the exact string.
$success = $output -like '*success*';
try {
	# Clear the machine-scope variable that held the cradle; passing $null deletes it.
	[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');
} catch {
	$success = $false;
	throw;
}

# Emit a record in the same shape as the install output, with Event set to Delete.
New-Object PSObject -Property @{
	Persistence = New-Object PSObject -Property @{
		Id = "5a6fa3623aa744bd933f6ba168b0ca13";
		Event = "Delete";
		Success = $success;
		Method = "Scheduled Task";
		Profile = "System";
		Trigger = "OnStartup";
	}
}