Description
Installs persistence by writing a Run key value that launches an obfuscated payload at startup or user logon.
Overview
Installs persistence by writing a Run key value that launches an obfuscated payload at startup, either as the current user or as NT AUTHORITY\SYSTEM. SYSTEM-level persistence requires that the module run from a high-integrity process.
Arguments
- Name: The name of the registry key entry.
- RunKey: Which Run key profile to use (current user or SYSTEM); this is reported as the Profile field in the output.
- Build: The Specter build identifier.
- Payload: The type of payload to drop.
Dependencies
- None
Operating Systems
- Windows
Pre-Requisites
- High Integrity process for SYSTEM runkeys
Example Output
[
  {
    "Persistence": {
      "ValueName": "BitsBackgroundUpdate",
      "Id": "e02cd16a798048629dee1cc6a6eb5f24",
      "Profile": "User",
      "Method": "Run Key",
      "Command": "C:\\Users\\helpdesk\\AppData\\Local\\Temp\\SecureVaultApp\\SecureVaultApp.exe",
      "Build": "6650a1c5680b402e8df45433a06c94a8",
      "Success": true,
      "RegistryKeyPath": "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
      "Trigger": "OnLogon",
      "UninstallScript": "try {\r\n\tRemove-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'BitsBackgroundUpdate' -Force;\r\n $path = 'C:\\Users\\helpdesk\\AppData\\Local\\Temp\\SecureVaultApp\\SecureVaultApp.exe';\r\n if([System.IO.File]::Exists($path)) {\r\n [System.IO.File]::Delete($path);\r\n }\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"e02cd16a798048629dee1cc6a6eb5f24\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t Method = \"Run Key\";\r\n\t Profile = \"User\";\r\n\t Trigger = \"OnLogon\";\r\n\t}\r\n}",
      "Event": "Create"
    }
  }
]
Example Uninstall Script
The module also emits an uninstall script (returned in the UninstallScript field of the output) that removes the Run key value and deletes the dropped payload, then reports the result as a Delete event.
try {
    # Remove the Run key value that launches the payload at logon.
    Remove-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'BitsBackgroundUpdate' -Force;
    # Delete the dropped payload if it is still on disk.
    $path = 'C:\Users\helpdesk\AppData\Local\Temp\SecureVaultApp\SecureVaultApp.exe';
    if([System.IO.File]::Exists($path)) {
        [System.IO.File]::Delete($path);
    }
    $success = $true;
} catch {
    $success = $false;
    throw;
}

# Report the outcome in the same record shape as the Create event.
New-Object PSObject -Property @{
    Persistence = New-Object PSObject -Property @{
        Id = "e02cd16a798048629dee1cc6a6eb5f24";
        Event = "Delete";
        Success = $success;
        Method = "Run Key";
        Profile = "User";
        Trigger = "OnLogon";
    }
}
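The following is an added, defender-side example and is not code from the Specter module or its documentation. It shows the audit a responder would run against the mechanism described in the Overview (Run key values in the user and machine hives) and the check that confirms the uninstall script above actually removed both the value and the file. The function names, the list of user-writable roots treated as suspicious, and the usage values at the bottom (taken from the example record) are assumptions.

```powershell
# Added example, not part of the Specter module.
# Audits Run key values in both hives and flags commands whose executable lives
# under a user-writable location (Temp, AppData, Public), which is where the
# payload in the example output is dropped. Also verifies that a given
# persistence entry and its file are gone after the uninstall script has run.

function Get-CommandPath {
    param([string]$Command)
    # Take the quoted executable, or the first whitespace-delimited token, and expand %VARS%.
    $m = [regex]::Match($Command, '^\s*"([^"]+)"|^\s*(\S+)')
    if (-not $m.Success) { return $null }
    $raw = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Get-RunKeyAudit {
    [CmdletBinding()]
    param(
        # Directory roots a legitimate startup entry rarely lives under (assumption).
        [string[]]$SuspiciousRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC)
    )
    # Both hives; the HKLM key is the one SYSTEM-profile persistence would target.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $command = [string]$p.Value
            $exe = Get-CommandPath $command
            $flag = $false
            foreach ($root in $SuspiciousRoots) {
                if ($exe -and $root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $flag = $true
                    break
                }
            }
            [PSCustomObject]@{
                RegistryKeyPath = $key
                ValueName       = $p.Name
                Command         = $command
                Executable      = $exe
                FileExists      = if ($exe) { Test-Path -LiteralPath $exe } else { $null }
                Suspicious      = $flag
            }
        }
    }
}

function Test-PersistenceRemoved {
    param(
        [Parameter(Mandatory)][string]$RegistryKeyPath,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Path
    )
    # A missing value returns nothing with SilentlyContinue, so $null means removed.
    $value = Get-ItemProperty -Path $RegistryKeyPath -Name $ValueName -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ValueRemoved = ($null -eq $value)
        FileRemoved  = -not (Test-Path -LiteralPath $Path)
    }
}

# Usage: list flagged entries, then confirm the example record's entry is gone.
Get-RunKeyAudit | Where-Object Suspicious | Format-Table -AutoSize
Test-PersistenceRemoved -RegistryKeyPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -ValueName 'BitsBackgroundUpdate' `
    -Path "$env:LOCALAPPDATA\Temp\SecureVaultApp\SecureVaultApp.exe"
```

Reading the HKLM key needs no elevation, so the audit runs from a standard user session; only the FileExists column depends on the executable being readable by the caller. Values that point at a file that no longer exists are worth keeping in the report, since a removed payload with its Run value left behind is the pattern the original uninstall bug (deleting only when the file did not exist) would have produced.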