Description
This script achieves persistence by dropping the specified payload in the user or system startup folder.
Overview
The script automates the deployment of a payload to achieve persistence, ensuring it executes at system startup or user login. It can target either user-level or system-level persistence, supports a variety of payload types, and logs detailed information about the operation.
Depending on the selected Profile, a file is dropped into one of the two folders listed below:
- User: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- System: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
You can either let the script generate a filename for you, or specify one with the Filename parameter.
Parameters
| Parameter | Type | Description |
|---|---|---|
| Profile | string | The persistence profile to drop: either user or system. |
| Payload | string | The type of payload to generate. Supported options: csharp_load_module, csharp_powershell_host, csharp_shellcode_inject, csharp_native_aot_inject, ps_script, ps_cradle, and ps_lnk_file. |
| Build | string | The implant configuration to drop. |
| Hidden | bool | If true, the script marks the file as hidden so that it does not show up in File Explorer. |
| Filename | string | The name of the file to create. If omitted, the script generates one. |
Dependencies
- None
Operating Systems
- Windows
Pre-Requisites
- Administrator privileges (system profile only)
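Because the Hidden parameter sets the hidden file attribute, a default directory listing can miss the dropped file. The following PowerShell audit is an added example for defenders, not part of the script itself: it enumerates both Startup folders named above (hidden entries included), hashes each file, and resolves the target of any .lnk shortcut, which is the form the ps_lnk_file payload takes. Variable and column names are my own.

```powershell
# Added example (not the script's own code): audit the user and system Startup
# folders for dropped files, including ones carrying the Hidden attribute.
$startupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:PROGRAMDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# WScript.Shell lets us read the target of a .lnk without launching it.
$wsh = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force includes hidden files, which Get-ChildItem skips by default.
    Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        $isHidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)

        # For shortcuts, record where they actually point and with what arguments.
        $target = $null
        if ($_.Extension -ieq '.lnk') {
            $lnk    = $wsh.CreateShortcut($_.FullName)
            $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
        }

        [PSCustomObject]@{
            Folder        = $folder
            Name          = $_.Name
            Hidden        = $isHidden
            LastWriteTime = $_.LastWriteTime
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LinkTarget    = $target
        }
    }
}

# Newest entries first; a hidden file or a shortcut pointing at a script host or
# an unusual path is the kind of entry that deserves a closer look.
$findings | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the system-level folder is readable regardless of ACLs; the per-file hashes can be compared against a known-good baseline on subsequent runs.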
Example Output
```json
[
  {
    "Persistence": {
      "Id": "5a6fa3623aa744bd933f6ba168b0ca13",
      "Method": "Scheduled Task",
      "Trigger": "OnStartup",
      "Build": "92cbf1b0f92642859f28f258226cc1f3",
      "Profile": "System",
      "Event": "Create",
      "Success": true,
      "UninstallScript": "$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like 'success';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"5a6fa3623aa744bd933f6ba168b0ca13\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t Method = \"Scheduled Task\";\r\n\t Profile = \"System\";\r\n\t Trigger = \"OnStartup\";\r\n\t}\r\n}",
      "TaskName": "CacheTask",
      "EnvironmentVariableName": "GPO_AUX"
    }
  }
]
```
