meterpeter persist client { Schtasks }

pedro ubuntu edited this page Feb 29, 2020 · 49 revisions

Description

This module allows attackers to persist ('run on every startup') the meterpeter Client on the remote machine by setting a task that executes the Client at an interval of 'xx' minutes, making the Client beacon home every 'xx' minutes until the task is manually stopped or deleted. This persistence mechanism is useful when the Client faces network connection issues (the remote Client frequently disconnects). Reference: Scheduled Task - MITRE ATT&CK technique T1053

This article also teaches how to manipulate remote-host tasks, such as:
retrieve task name(s), retrieve verbose task information, delete remote task(s)

Remark

  • None of the modules used in this article require the Client to be executed with admin privileges

Schtasks - Create Remote Task

1º - Start 'meterpeter' to deliver the 'Client' to the target (Update-KB4524147.zip)

2º - Select the meterpeter 'PostExploit' module

3º - Select the meterpeter 'Persist' module

4º - Select the meterpeter 'Schtasks' module
In this module the attacker needs to input the full path where the Client is stored on the remote host and the interval in minutes at which the Client beacons home (meterpeter Server). This module creates a task that executes the Client on the remote host at the interval of 'xx' minutes defined by the attacker.
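
From the defender's side, a task like the one created in step 4 can be found by reviewing exported task XML (for example from `schtasks /query /tn <name> /xml`) for a short repetition interval combined with an action that runs from a user-writable path. The following is an added example, not code from meterpeter or this wiki; it assumes the task is stored as a minute-interval repetition, and the sample task names, paths, path list and 60-minute threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: locations a standard (non-admin) user can normally write to.
USER_WRITABLE = re.compile(
    r"\\users\\|\\programdata\\|\\windows\\temp\\|%(temp|tmp|appdata|localappdata|public)%",
    re.IGNORECASE)
DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def interval_minutes(text):
    """Convert a sub-day ISO 8601 duration such as 'PT5M' to minutes, else None."""
    m = DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return hours * 60 + minutes + seconds / 60

def review_task(name, xml_text, max_minutes=60):
    """Return a finding if the task repeats often AND runs from a user-writable path."""
    root = ET.fromstring(xml_text)
    found = [interval_minutes(e.text)
             for e in root.findall("t:Triggers/*/t:Repetition/t:Interval", NS)]
    short = [i for i in found if i is not None and i <= max_minutes]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS)
        args = ex.findtext("t:Arguments", "", NS)
        actions.append(f"{cmd} {args}".strip())
    hits = [a for a in actions if USER_WRITABLE.search(a)]
    if short and hits:
        return {"task": name, "every_min": min(short), "actions": hits}
    return None

def audit(tasks):
    """tasks: mapping of task name -> exported task XML text."""
    return [f for n, x in tasks.items() if (f := review_task(n, x))]

def _sample(interval, command, arguments=""):
    # Constructed, minimal task XML; real exports carry more elements.
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f'<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>'
            f'<Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

SAMPLES = {  # constructed sample data, not taken from a real host
    "SampleBeacon": _sample("PT5M", "powershell.exe",
                            r"-File C:\Users\alice\AppData\Local\Temp\client.ps1"),
    "VendorUpdater": _sample("PT1H", r"C:\Program Files\Vendor\updater.exe"),
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Requiring both conditions keeps routine updaters in protected directories out of the results; widen the path list or threshold to match your environment.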



meterpeter - Manipulate Remote Tasks

1º - Select the meterpeter 'AdvInfo' module

2º - Select the meterpeter 'ListTask' module

3º - Select the meterpeter 'Inform' module
In this module we can review the verbose information of the 'created' task (or of any other task).



meterpeter - Delete Remote Tasks

1º - Select the meterpeter 'AdvInfo' module

2º - Select the meterpeter 'ListTask' module

3º - Select the meterpeter 'check' module
In this module the attacker can retrieve the remote 'TaskName', which is going to be needed further ahead.

4º - Select the meterpeter 'AdvInfo' -> 'ListTask' -> 'Delete' module
In this module the attacker needs to input the 'TaskName' of the remote task to be deleted.