2. Usage
Grimmie edited this page Nov 16, 2022 · 2 revisions
```
PersistAssist.exe -h

 ______ __ __ _______ __ __
| __ .-----.----.-----|__.-----| |_| _ .-----.-----|__.-----| |_
| __| -__| _|__ --| |__ --| _| |__ --|__ --| |__ --| _|
|___| |_____|__| |_____|__|_____|____|___|___|_____|_____|__|_____|____|

Author: @Gr1mmie (@FortyNorthSec)
Ver: v0.2

Usage: PersistAssist.exe -t [technique] -<extra options>
Provide the persist technique and what to do with the technique (persist, cleanup, display info)
To list all available persistence techiques, use PersistAssist.exe -l

  -t, --technique=VALUE          Persistence technique to use
  -a, --action=VALUE             Action to perform
  -s, --search=VALUE             Keyword to search for
      --rk, --rootkey=VALUE      Root key for registry operations
      --sk, --subkey=VALUE       Sub key for registry operations
      --kv, --keyvalue=VALUE     Value to assign regirsty key
      --rc, --registrycontext=VALUE
                                 Context to write reg key to (options: hkcu or hklm)
      --tn, --taskname=VALUE     Task name to set for MSBuild operations
      --pl, --payload=VALUE      Payload to substitute into template
      --fp, --filepath=VALUE     Path to file/directory to target
      --dp, --duplicatepath=VALUE
                                 Path to duplicate file times from, modified all
                                   timestamps
      --ts, --timestamp=VALUE
                                 Specify M(odified), A(ccessed), or C(reated)
                                   timestamp. Use ALL to target all timestamps
      --nt, --newtime=VALUE      Specify a new date to change specified timestamp to
      --un, --username=VALUE     Specify username for credCheck
      --pw, --passwd=VALUE       Specify password for credCheck
      --efq, --eventFilterQuery=VALUE
                                 EventFilter query for WMI event subscription
      --efn, --eventFilterName=VALUE
                                 EventFilter name for WMI event subscription
      --ecn, --eventConsumerName=VALUE
                                 EventConsumer name for WMI event subscription
      --efv, --eventConsumerValue=VALUE
                                 EventConsumer value for WMI event subscription
  -q, --query=VALUE              Query to run
      --dn, --domain=VALUE       Specify current domain
  -p, --persist                  Execute specified techique
  -c, --cleanup                  Clean up specified technique
  -l, --list                     List available techniques
  -i, --info                     Displays information on a specified technique
  -h, --help                     show this message and exit
```
```
PersistAssist.exe -l

 ______ __ __ _______ __ __
| __ .-----.----.-----|__.-----| |_| _ .-----.-----|__.-----| |_
| __| -__| _|__ --| |__ --| _| |__ --|__ --| |__ --| _|
|___| |_____|__| |_____|__|_____|____|___|___|_____|_____|__|_____|____|

Author: @Gr1mmie (@FortyNorthSec)
Ver: v0.2

[*] Available modules:

Persistence:
============
  Registry:
    GenericRegAdd         - Add any arbitrary registry key
    RunKeys               - Registers a RunKey on either HKLM or HKCU
    UserInitMprLogonScript - Deploys UserInitMprLogonScript. Functions the same as a Run Key
  MSBuild:
    InlineTasks           - Deploys MSBuild InlineTask based payload. Drops file to disk
    OverrideTask          - Deploys MSBuild OverrideTask based persistence. Drops file to disk and requires admin access
  AccountOperations:
  WMI:
    ActiveScript          - Create an ActiveScriptEventConsumer based WMI subscription
    CommandLine           - Create an CommandLineEventConsumer based WMI subscription
  Misc:
    NotepadPlugin         - Backdoors notepad++ by creating a malicious plugin
    PSProfile             - Backdoors PowerShell profile files
    StartupFolder         - Drops a shortcut to a startup path

Tradecraft:
===========
  SvcList    - Lists services on a machine
  Creds      - Cred operations
  FileRead   - Reads a file in memory to get around having to download files for reading
  ProcList   - Lists running processes
  RegList    - Lists contents of specified registry key
  SchList    - Lists scheduled tasks on a machine
  TimeStomp  - Modifies file and directory time stamps. Does not modify Entry timestamp
  WMIQuery   - Run an arbitrary WMI Query

Payloads:
=========
  HelloWorld - hola mundo
  PopCalc    - Pops calc
```
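The persistence modules above all write to a small set of well-known locations (Run keys, `UserInitMprLogonScript`, WMI permanent event subscriptions, the startup folders and PowerShell profile files). The audit script below is an added example, not part of PersistAssist, that enumerates exactly those locations on a host so a defender can baseline them and diff the output after a suspected deployment; it assumes it is run in an elevated PowerShell session so the HKLM and `root\subscription` queries succeed.

```powershell
# Added audit example (not PersistAssist code): enumerate the persistence
# locations targeted by the Registry, WMI and Misc modules listed above.
$findings = [System.Collections.Generic.List[object]]::new()

# Registry: RunKeys / GenericRegAdd (HKLM and HKCU Run and RunOnce)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-Item $key).GetValueNames() | ForEach-Object {
        $findings.Add([pscustomobject]@{ Source = 'RunKey'; Location = $key;
            Name = $_; Value = (Get-ItemProperty $key).$_ })
    }
}

# Registry: UserInitMprLogonScript (per-user logon script under HKCU\Environment)
$userEnv = Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($userEnv -and $userEnv.UserInitMprLogonScript) {
    $findings.Add([pscustomobject]@{ Source = 'LogonScript'; Location = 'HKCU:\Environment';
        Name = 'UserInitMprLogonScript'; Value = $userEnv.UserInitMprLogonScript })
}

# WMI: ActiveScript / CommandLine permanent event subscriptions
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add([pscustomobject]@{ Source = 'WMI-CommandLine';
        Location = $ns; Name = $_.Name; Value = $_.CommandLineTemplate }) }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add([pscustomobject]@{ Source = 'WMI-ActiveScript';
        Location = $ns; Name = $_.Name; Value = $_.ScriptText }) }
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add([pscustomobject]@{ Source = 'WMI-Filter';
        Location = $ns; Name = $_.Name; Value = $_.Query }) }

# Misc: StartupFolder shortcuts and PSProfile files
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem $startup -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Source = 'Startup'; Location = $_.DirectoryName;
        Name = $_.Name; Value = $_.LastWriteTime })
}
foreach ($p in 'AllUsersAllHosts','AllUsersCurrentHost','CurrentUserAllHosts','CurrentUserCurrentHost') {
    if (Test-Path $PROFILE.$p) {
        $findings.Add([pscustomobject]@{ Source = 'PSProfile'; Location = $p;
            Name = $PROFILE.$p; Value = (Get-FileHash $PROFILE.$p).Hash })
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Run it once on a clean image and again after a change window; any new Run value, logon script, WMI consumer/filter, startup shortcut or profile hash is a candidate for review.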
```
PersistAssist.exe -lm [category]

 ______ __ __ _______ __ __
| __ .-----.----.-----|__.-----| |_| _ .-----.-----|__.-----| |_
| __| -__| _|__ --| |__ --| _| |__ --|__ --| |__ --| _|
|___| |_____|__| |_____|__|_____|____|___|___|_____|_____|__|_____|____|

Author: @Grimmie (@FortyNorthSec)
Ver: v0.2

Tradecraft:
==========
  SvcList    - Lists services on a machine
  Creds      - Cred operations
  FileRead   - Reads a file in memory to get around having to download files for reading
  NetList    - basically ipconfig
  ProcList   - Lists running processes
  RegList    - Lists contents of specified registry key
  SchList    - Lists scheduled tasks on a machine
  TimeStomp  - Modifies file and directory time stamps. Does not modify Entry timestamp
  WMIQuery   - Run an arbitrary WMI Query
  Compile    - Standalone utility to compile exes based on C# payloads included in the framework
```
```
PersistAssist.exe -t [technique] -i

 ______ __ __ _______ __ __
| __ .-----.----.-----|__.-----| |_| _ .-----.-----|__.-----| |_
| __| -__| _|__ --| |__ --| _| |__ --|__ --| |__ --| _|
|___| |_____|__| |_____|__|_____|____|___|___|_____|_____|__|_____|____|

Author: @Gr1mmie (@FortyNorthSec)
Ver: v0.2

Name: GenericRegAdd
Desc: Add any arbitrary registry key
Usage:
    Persist: PersistAssist.exe -t GenericRegAdd -p -rk [rootkey] -sk [subkey] -kv [key value] -rc [hkcu/hklm]
    Cleanup: PersistAssist.exe -t GenericRegAdd -c -rk [root key] -sk [sub key] -rc [hkcu/hklm]
Category: Registry
Author:
RequiresAdmin: False
```