Working Persistence Module
For now the rrp library has been removed from the module. This is the usage of each of the techniques:
add_user: This method adds a new user to the admin group.
We can also specify some input credentials: (screenshot)
Checking if the credentials are valid: (screenshot)

file_upload: This is just an upload function for file transfer purposes.

malicious_binary: This technique involves copying a binary from a specified path to the user's startup folder.
proof: (screenshot)

registry_run: This technique involves modifying the registry's Run key. Any executable path listed in the Run key will be executed when a user logs into the machine.
proof: (screenshot)

logon_scripts: This technique works by adding to the Logon Registry value the path of a .bat file with some custom commands inside.
proof: (screenshot)

scheduled_task: creates a scheduled task that starts at every logon: (screenshot)
query the task: (screenshot)

win_logon_userinit: the module adds to the UserInit value of winlogon the path of the malware: (screenshot)
query the registry: (screenshot)
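As an added defender-side example (not part of this PR or the project's own code), the following read-only PowerShell audit enumerates the logon persistence locations the techniques above write to (Winlogon Userinit/Shell, Run/RunOnce, UserInitMprLogonScript, logon-triggered scheduled tasks, local Administrators membership) so the result can be diffed against a known-good baseline. The "default" values for Userinit and Shell are assumptions based on a stock Windows install.

```powershell
# Added example, not code from this PR: read-only audit of the logon-time persistence
# locations the techniques above touch. Run from an elevated PowerShell session and
# compare the output against a known-good baseline of the same machine.
function Get-LogonPersistenceReport {
    $report = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Source, $Name, $Value, $Note)
        $report.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value; Note = $Note })
    }

    # win_logon_userinit: on a stock install Userinit is exactly "<SystemRoot>\system32\userinit.exe,"
    # (assumed default); any extra comma-separated path is an additional program started at logon.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinitDefault = "$env:SystemRoot\system32\userinit.exe,"
    & $add 'Winlogon' 'Userinit' $wl.Userinit $(if ($wl.Userinit -ne $userinitDefault) { 'differs from default' } else { 'default' })
    & $add 'Winlogon' 'Shell' $wl.Shell $(if ($wl.Shell -ne 'explorer.exe') { 'differs from default' } else { 'default' })

    # registry_run: every value under Run/RunOnce (machine-wide and per-user) launches at logon.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path $path)) { continue }
            $values = (Get-ItemProperty $path).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
            foreach ($p in $values) { & $add "$hive\...\$key" $p.Name $p.Value 'review against baseline' }
        }
    }

    # logon_scripts: UserInitMprLogonScript runs the named script at logon; it is unset on most machines.
    $ls = Get-ItemProperty 'HKCU:\Environment' -Name UserInitMprLogonScript -ErrorAction SilentlyContinue
    if ($ls) { & $add 'HKCU\Environment' 'UserInitMprLogonScript' $ls.UserInitMprLogonScript 'logon script set' }

    # scheduled_task: tasks with a logon trigger, together with the command each one runs.
    foreach ($t in Get-ScheduledTask) {
        if ($t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }) {
            $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            & $add "Task $($t.TaskPath)" $t.TaskName $cmd 'runs at logon'
        }
    }

    # add_user: current membership of the local Administrators group.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'Administrators' $_.Name $_.ObjectClass 'local admin' }

    return $report
}

Get-LogonPersistenceReport | Format-Table -AutoSize -Wrap
```

Export the table once on a clean build and again after the module runs; any new row, or a Winlogon row marked "differs from default", is the change to investigate.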
Thanks for the PR! Having screenshots while reviewing definitely helps a lot :)
Closing in favor of #807