-
Notifications
You must be signed in to change notification settings - Fork 44
/
Copy pathChangeLog
23 lines (15 loc) · 1.18 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
1/10/2013 Update
=======================================
Changed persist methods once again. This time, it never drops anything to disk. Once the macro is ran, you get a shell
and persistence to the machine via a scheduled task, which executes a new payload in memory with Invoke-Shellcode.
This attack completely eliminates touching the filesystem. See ya AV.
1/9/2013 Update
======================================
Changed method of persisting. Instead of dropping a vbs for persistence, which remained on the system, it drops
a powershell script.
This powershell script schedules a task that will download and execute Invoke-Shellcode after the box is idle for 20 minutes.
This means that the only file that touches disk during this attack is the initial persist.ps1, which deletes itself after
creating the task...so after the attack is complete, you have persistence on the system with no artifact on disk.
I also took the x86/x64 check out of the macro. Invoke-Shellcode now automatically checks it for you.
**Thanks Raphael (@armitagehacker) for posting a blogpost about this persistence method.
**Thanks Matt (@mattifestation) for creating Invoke-Shellcode and your persistence modules :-)