Persistence via Runkeys and Obfuscated Payload

Description

Installs persistence by creating a registry key to run an obfuscated payload on startup or user logon.

Overview

Installs persistence by creating a registry Run key value that launches an obfuscated payload on startup or logon, either as the current user or as NT AUTHORITY\SYSTEM. This module requires a high-integrity process for SYSTEM-level persistence.

Arguments

  • Name: The name of the registry key entry.
  • RunKey: The type of registry key persistence.
  • Build: The Specter build identifier.
  • Payload: The type of payload to drop.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • High Integrity process for SYSTEM runkeys

Example Output

[
  {
    "Persistence": {
      "ValueName": "BitsBackgroundUpdate",
      "Id": "e02cd16a798048629dee1cc6a6eb5f24",
      "Profile": "User",
      "Method": "Run Key",
      "Command": "C:\\Users\\helpdesk\\AppData\\Local\\Temp\\SecureVaultApp\\SecureVaultApp.exe",
      "Build": "6650a1c5680b402e8df45433a06c94a8",
      "Success": true,
      "RegistryKeyPath": "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      "Trigger": "OnLogon",
      "UninstallScript": "try {\r\n\tRemove-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'BitsBackgroundUpdate' -Force;\r\n    $path = 'C:\\Users\\helpdesk\\AppData\\Local\\Temp\\SecureVaultApp\\SecureVaultApp.exe';\r\n    if([System.IO.File]::Exists($path)) {\r\n        [System.IO.File]::Delete($path);\r\n    }\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"e02cd16a798048629dee1cc6a6eb5f24\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Run Key\";\r\n\t    Profile = \"User\";\r\n\t    Trigger = \"OnLogon\";\r\n\t}\r\n}",
      "Event": "Create"
    }
  }
]

Example Uninstall Script

The module also generates an uninstall script that removes the Run key value and deletes the dropped payload from disk, returning a result object that mirrors the Create event above.

try {
    # Remove the autostart value from the current user's Run key.
    Remove-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'BitsBackgroundUpdate' -Force;
    $path = 'C:\Users\helpdesk\AppData\Local\Temp\SecureVaultApp\SecureVaultApp.exe';
    # Delete the dropped payload only if it is still present on disk.
    if([System.IO.File]::Exists($path)) {
        [System.IO.File]::Delete($path);
    }
    $success = $true;
} catch {
    $success = $false;
    throw;
}

New-Object PSObject -Property @{
    Persistence = New-Object PSObject -Property @{
        Id = "e02cd16a798048629dee1cc6a6eb5f24";
        Event = "Delete";
        Success = $success;
        Method = "Run Key";
        Profile = "User";
        Trigger = "OnLogon";
    }
}
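For the defender's side of this technique, the following audit script is an added example (it is not part of the Specter module or its output): it enumerates the HKCU and HKLM Run/RunOnce keys and flags values whose executable lives in a user-writable location such as AppData\Local\Temp (the pattern in the Example Output above) or whose binary is missing or lacks a valid Authenticode signature. The key list, the path patterns and the function names are assumptions chosen for this example.

```powershell
# Added example, not the module's own code. Reading HKLM values may require
# elevation on some hosts; the path patterns below are assumptions.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Locations where a legitimate autostart binary rarely lives (assumed list).
$SuspiciousPathPatterns = @(
    '\\AppData\\Local\\Temp\\',
    '\\Users\\Public\\',
    '\\ProgramData\\',
    '^[A-Za-z]:\\Windows\\Temp\\'
)

function Get-ExecutablePath {
    param([string]$Command)
    # A quoted path takes precedence; otherwise the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-SuspiciousRunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-ExecutablePath -Command ([string]$prop.Value)
            $hit = $SuspiciousPathPatterns | Where-Object { $exe -match $_ }
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            if ($hit -or $sig -ne 'Valid') {
                [PSCustomObject]@{
                    Key        = $key
                    ValueName  = $prop.Name
                    Executable = $exe
                    Reason     = if ($hit) { 'UserWritablePath' } else { "Signature:$sig" }
                }
            }
        }
    }
}

Get-SuspiciousRunKeyEntries | Format-Table -AutoSize
```

An entry like the example above (value BitsBackgroundUpdate pointing into AppData\Local\Temp) is reported with Reason UserWritablePath; pair the output with Sysmon Event ID 13 on these key paths to catch the write at creation time rather than on the next audit.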