Overview

Installs persistence by creating a scheduled task to run a PowerShell cradle on startup as NT AUTHORITY\SYSTEM using schtasks.exe. The cradle is stored in a System environment variable to mitigate detection. The scheduled task is configured to execute the contents of the specified system environment variable. This script requires a high integrity process.

Arguments

Dependencies

• None

Operating Systems

• Windows

Pre-Requisites

• High Integrity process

Example Output

[
  {
    "Persistence": {
      "Id": "5a6fa3623aa744bd933f6ba168b0ca13",
      "Method": "Scheduled Task",
      "Trigger": "OnStartup",
      "Build": "92cbf1b0f92642859f28f258226cc1f3",
      "Profile": "System",
      "Event": "Create",
      "Success": true,
      "UninstallScript": "$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like 'success';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"5a6fa3623aa744bd933f6ba168b0ca13\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t}\r\n}",
      "TaskName": "CacheTask",
      "EnvironmentVariableName": "GPO_AUX"
    }
  }
]

Example Uninstall Script

This script generates an uninstall script that removes the persistence mechanism.

$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);
$success = $output -like 'success';
try {
	[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');
} catch {
	$success = $false;
	throw;
}

New-Object PSObject -Property @{
	Persistence = New-Object PSObject -Property @{
		Id = "5a6fa3623aa744bd933f6ba168b0ca13";
		Event = "Delete";
		Success = $success;
	    Method = "Scheduled Task";
	    Profile = "System";
	    Trigger = "OnStartup";
	}
}