diff --git a/payloads/library/Incident_Response/Hidden_Images/payload.txt b/payloads/library/Incident_Response/Hidden_Images/payload.txt
new file mode 100644
index 00000000..2af8f84c
--- /dev/null
+++ b/payloads/library/Incident_Response/Hidden_Images/payload.txt
@@ -0,0 +1,12 @@
+
+
+
+LED R B 100
+ATTACKMODE HID STORAGE
+
+
+DUCKY_LANG gb
+LED B
+RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
+LED G FAST
+#Green means good to go
diff --git a/payloads/library/Incident_Response/Hidden_Images/readme.md b/payloads/library/Incident_Response/Hidden_Images/readme.md
new file mode 100644
index 00000000..4a18ae3c
--- /dev/null
+++ b/payloads/library/Incident_Response/Hidden_Images/readme.md
@@ -0,0 +1,37 @@
+
+Author : Paul Murton
+
+Notes :
+
+My background is in Computer Forensics and Incident Response.
+I am new to Powershell, so it's likely that the script is inefficient,
+but it does work.
+
+A (naive) user may attempt to hide image(picture) files by simply
+renaming them to appear to be other filetypes (i.e. Word documents etc).
+This payload uses a powershell script to walk the userprofile to look
+for image files that have been hidden in this manner.
+
+It ignores files with image extensions, and checks the file headers
+for known image file headers.
+
+The output is put into a CSV file in the folder \loot\image-files
+
+The script can be easily modified to search for other filetypes (maybe
+mpg movie files etc)
+
+It should be noted that payload is NOT forensically sound, and if
+"proper" forensic tools are available, they should be used.
+
+Tested on ver 1.3
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Purple (blinking)| Attack in progress |
+| Green (blinking) | Attack Finished |
+
+
+
+
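Review bot: `LED G FAST` — the readme's "Attack Finished" — is set right after `RUN WIN powershell ...`, but RUN only types the command; nothing in this payload waits for the host-side run.ps1, which is still walking the profile and appending to the CSV on the device, so a user who unplugs on green can lose or truncate the loot file. A comment on that line, e.g. `# green only confirms the command was typed; run.ps1 may still be writing to /loot`, plus matching wording in the readme table, would prevent that. `DUCKY_LANG gb` hard-codes a UK layout; on a host with another layout the injected command is typically mangled (the quotes and backslashes in the RUN line are the usual casualties) and the script never starts, so the readme should list it as a value to adapt. The readme describes the in-progress state as "Purple (blinking)" while the payload sets `LED R B 100` and then `LED B`; I can't verify the LED grammar from here, but the two should agree. The identical 12-line payload.txt (blob 2af8f84c) is added again under Link File analysis and recon/Link File analysis, so any change here belongs in those copies too.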
diff --git a/payloads/library/Incident_Response/Hidden_Images/run.ps1 b/payloads/library/Incident_Response/Hidden_Images/run.ps1
new file mode 100644
index 00000000..8d59c401
--- /dev/null
+++ b/payloads/library/Incident_Response/Hidden_Images/run.ps1
@@ -0,0 +1,80 @@ + +#Get the path and file name that you are using for output +# find connected bashbunny drive: +$VolumeName = "bashbunny" +$computerSystem = Get-CimInstance CIM_ComputerSystem +$backupDrive = $null +get-wmiobject win32_logicaldisk | % { + if ($_.VolumeName -eq $VolumeName) { + $backupDrive = $_.DeviceID + } +} + +#See if a loot folder exist in usb. If not create one +$TARGETDIR = $backupDrive + "\loot" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#See if a info folder exist in loot folder. If not create one +$TARGETDIR = $backupDrive + "\loot\Hidden-Image-Files" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#Create a path that will be used to make the file +$datetime = get-date -f yyyy-MM-dd_HH-mm +$backupPath = $backupDrive + "\loot\Hidden-Image-Files\" + +#Create output from info script +$TARGETDIR = $MyInvocation.MyCommand.Path +$TARGETDIR = $TARGETDIR -replace ".......$" +cd $TARGETDIR + + +$jpgheader = "255 216 255" +$bmpheader = "66 77" +$gifheader = "71 73 70" +$tifheader = "73 73 42" +$pngheader = "137 80 78 71 13 10 26 10" + +$knownimageextensions = ("jpg", "jpeg", "bmp", "gif", "tif", "tiff", "png") + +#walk the files in the user profile +$files = Get-ChildItem $env:USERPROFILE -Recurse -ErrorAction silentlycontinue | select-object -Expand Fullname + + +foreach ($file in $files) +{ + +#get extension without . 
(dot) +$extension = [System.IO.Path]::GetExtension($file).Replace(".", "") +$extension = $extension.ToLower() + +#Ignore known image extension +if (!$knownimageextensions.contains($extension) -and (Get-Item $file).length -gt 0.1kb) { + +#reset $fileheader +$fileheader = "False" + +#Grab header +$2bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 2 -EA ignore) +$3bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 3 -EA ignore) +$8bytes = [string](Get-Content $file -Encoding Byte -ReadCount 1 -TotalCount 8 -EA ignore) + +If ($8bytes -eq $pngheader) {$fileheader = "png"} +Elseif ($3bytes -eq $jpgheader) {$fileheader = "jpg"} +Elseif ($3bytes -eq $gifheader) {$fileheader = "gif"} +Elseif ($3bytes -eq $tifheader) {$fileheader = "tif"} +Elseif ($2bytes -eq $bmpheader) {$fileheader = "bmp"} + + +if ($fileheader -ne "False") { +[PSCustomObject]@{ + File = $file + Header = $fileheader + } | Export-Csv $backupPath\$datetime.csv -notype -Append +} +} +} + diff --git a/payloads/library/Incident_Response/Link File analysis/payload.txt b/payloads/library/Incident_Response/Link File analysis/payload.txt new file mode 100644 index 00000000..2af8f84c --- /dev/null +++ b/payloads/library/Incident_Response/Link File analysis/payload.txt @@ -0,0 +1,12 @@ + + + +LED R B 100 +ATTACKMODE HID STORAGE + + +DUCKY_LANG gb +LED B +RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')" +LED G FAST +#Green means good to go diff --git a/payloads/library/Incident_Response/Link File analysis/readme.md b/payloads/library/Incident_Response/Link File analysis/readme.md new file mode 100644 index 00000000..37e13d86 --- /dev/null +++ b/payloads/library/Incident_Response/Link File analysis/readme.md 
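Review bot: `$backupDrive` stays `$null` when no logical disk carries the VolumeName "bashbunny", so `$TARGETDIR = $backupDrive + "\loot"` degrades to `\loot` and the loot folders and CSV are created on the examined host's current drive rather than on the device; add `if (-not $backupDrive) { exit 1 }` immediately after the `get-wmiobject` loop (both Link File analysis/run.ps1 copies in this commit have the same gap). `Get-ChildItem $env:USERPROFILE -Recurse` runs without `-Force`, so anything a user has additionally marked hidden or system is never examined, which undercuts the stated purpose of finding hidden images. The signature table only recognises little-endian TIFF (`73 73 42`); big-endian TIFF begins 77 77 0 42 and is silently missed, so the `$tifheader` line deserves a comment such as `# little-endian ("II*") TIFF only; big-endian ("MM") TIFF is not detected`. Each candidate is opened three times for 2, 3 and 8 bytes where one `-TotalCount 8` read and prefix comparisons would do, and `$computerSystem` is assigned but never read. `-Encoding Byte` exists only in Windows PowerShell (PowerShell 6+ replaced it with `-AsByteStream`), which the readme's "Tested on ver 1.3" — the device firmware, not the host's PowerShell — does not convey.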
@@ -0,0 +1,31 @@
+
+Author : Paul Murton
+
+Notes :
+
+My background is in Computer Forensics and incident response.
+I am new to Powershell, so it's likely that the script is inefficient,
+but it does work.
+
+In an incident where a user is suspected of exfiltrating data to a USB
+storage device, CD/DVD etc, its possible that the user may subsequently
+open an exfiltrated file on the media. In this scenario, a local lnk
+file will be created, providing evidence of the files existance.
+
+This payload uses a powershell script to search the user profle for lnk
+files where the target is on a drive other than the C: Drive.
+
+The output is put into a CSV file in the folder \loot\link-files
+
+Tested on ver 1.3
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Purple (blinking)| Attack in progress |
+| Green (blinking) | Attack Finished |
+
+
+
+
diff --git a/payloads/library/Incident_Response/Link File analysis/run.ps1 b/payloads/library/Incident_Response/Link File analysis/run.ps1
new file mode 100644
index 00000000..f3f9d17b
--- /dev/null
+++ b/payloads/library/Incident_Response/Link File analysis/run.ps1
@@ -0,0 +1,53 @@ +#Remove run history +powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" + +#Get the path and file name that you are using for output +# find connected bashbunny drive: +$VolumeName = "bashbunny" +$computerSystem = Get-CimInstance CIM_ComputerSystem +$backupDrive = $null +get-wmiobject win32_logicaldisk | % { + if ($_.VolumeName -eq $VolumeName) { + $backupDrive = $_.DeviceID + } +} + +#See if a loot folder exist in usb. If not create one +$TARGETDIR = $backupDrive + "\loot" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#See if a info folder exist in loot folder. If not create one +$TARGETDIR = $backupDrive + "\loot\Link-Files" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#Create a path that will be used to make the file +$datetime = get-date -f yyyy-MM-dd_HH-mm +$backupPath = $backupDrive + "\loot\Link-Files\" + +#Create output from info script +$TARGETDIR = $MyInvocation.MyCommand.Path +$TARGETDIR = $TARGETDIR -replace ".......$" +cd $TARGETDIR + +$files = Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk | select-object -Expand Fullname + + +foreach ($file in $files) +{ + +$sh = New-Object -ComObject WScript.Shell +$target = $sh.CreateShortcut($file).TargetPath +$created = (Get-ItemProperty $file).CreationTime +$written = (Get-ItemProperty $file).LastWriteTime + +[PSCustomObject]@{ + Linkfile = $file + Target = $target + File_Created = $created + Last_Written = $written + } | Export-Csv $backupPath\link_files.csv -notype -Append +} diff --git a/payloads/library/recon/Link File analysis/payload.txt b/payloads/library/recon/Link File analysis/payload.txt new file mode 100644 index 00000000..2af8f84c --- /dev/null +++ b/payloads/library/recon/Link File analysis/payload.txt 
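Review bot: The first line shells out to a second `powershell` to delete every value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; for a script filed under Incident_Response that destroys a host artifact (the Run-dialog history) an investigator would normally want preserved, and `-Name '*'` wipes far more than the single entry the payload's own RUN WIN command left behind, so the line should go, or the readme must state that the script deletes registry values (its "NOT forensically sound" wording does not say that). If it is kept, the script is already running in PowerShell, so `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue` can be called directly without spawning a child process. The readme promises only links "where the target is on a drive other than the C: Drive", but nothing filters `$target`, so every .lnk under the profile is exported; either add `if ($target -like "$env:SystemDrive\*") { continue }` after the `$target` assignment or correct the readme. `New-Object -ComObject WScript.Shell` sits inside the foreach and is created once per .lnk — hoist it above the loop — and `$datetime` is computed but never used, so successive runs all `-Append` into the same link_files.csv (Hidden_Images/run.ps1 writes one file per run). `Get-ChildItem -Recurse` here has no `-ErrorAction SilentlyContinue`, so access-denied errors are echoed to the host console, and without `-Force` hidden .lnk files are skipped; the recon/Link File analysis copy of this file is byte-identical (same blob f3f9d17b) and needs the same changes.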
@@ -0,0 +1,12 @@
+
+
+
+LED R B 100
+ATTACKMODE HID STORAGE
+
+
+DUCKY_LANG gb
+LED B
+RUN WIN powershell -executionpolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\run.ps1')"
+LED G FAST
+#Green means good to go
diff --git a/payloads/library/recon/Link File analysis/readme.md b/payloads/library/recon/Link File analysis/readme.md
new file mode 100644
index 00000000..662aa5e6
--- /dev/null
+++ b/payloads/library/recon/Link File analysis/readme.md
@@ -0,0 +1,28 @@
+Based on a payload written by Simen Kjeserud
+
+Tested on firmware 1.3
+
+Searches the user profile for .lnk files and reports on the file name,
+Target file, Date Created, Date Last Written. Results are provided in
+a CSV file.
+
+Output = \loot\Link-Files\link_files.csv
+
+Background
+In an incident where it is suspected that a user has exfiltrated
+data to a USB drive, the target element of any .lnk files may show
+files on external media (i.e. not the C: drive.).
+
+Note - using this payload is NOT forensically sound!
+
+
+## STATUS
+
+| LED | Status |
+| ---------------- | ------------------------------------- |
+| Purple (blinking)| Attack in progress |
+| Green (blinking) | Attack Finished |
+
+
+
+
diff --git a/payloads/library/recon/Link File analysis/run.ps1 b/payloads/library/recon/Link File analysis/run.ps1
new file mode 100644
index 00000000..f3f9d17b
--- /dev/null
+++ b/payloads/library/recon/Link File analysis/run.ps1
@@ -0,0 +1,53 @@ +#Remove run history +powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue" + +#Get the path and file name that you are using for output +# find connected bashbunny drive: +$VolumeName = "bashbunny" +$computerSystem = Get-CimInstance CIM_ComputerSystem +$backupDrive = $null +get-wmiobject win32_logicaldisk | % { + if ($_.VolumeName -eq $VolumeName) { + $backupDrive = $_.DeviceID + } +} + +#See if a loot folder exist in usb. If not create one +$TARGETDIR = $backupDrive + "\loot" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#See if a info folder exist in loot folder. If not create one +$TARGETDIR = $backupDrive + "\loot\Link-Files" +if(!(Test-Path -Path $TARGETDIR )){ + New-Item -ItemType directory -Path $TARGETDIR +} + +#Create a path that will be used to make the file +$datetime = get-date -f yyyy-MM-dd_HH-mm +$backupPath = $backupDrive + "\loot\Link-Files\" + +#Create output from info script +$TARGETDIR = $MyInvocation.MyCommand.Path +$TARGETDIR = $TARGETDIR -replace ".......$" +cd $TARGETDIR + +$files = Get-ChildItem $env:USERPROFILE -Recurse -Filter *.lnk | select-object -Expand Fullname + + +foreach ($file in $files) +{ + +$sh = New-Object -ComObject WScript.Shell +$target = $sh.CreateShortcut($file).TargetPath +$created = (Get-ItemProperty $file).CreationTime +$written = (Get-ItemProperty $file).LastWriteTime + +[PSCustomObject]@{ + Linkfile = $file + Target = $target + File_Created = $created + Last_Written = $written + } | Export-Csv $backupPath\link_files.csv -notype -Append +}