Update PoSH_Morsecode, Add Windows 10 Login Screen (#430)

* Add files via upload

* Update readme.md

* Update payload.txt

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Add files via upload

* Update readme.md

* Update readme.md

* Add Payload WIN_PoSH_HKU_RegBackUp

* Update readme.md

* Update payload.txt

* Change for admin shell

* Update readme.md

* Update payload.txt

* Update payload.txt

* Update readme.md

* Added payload WIN_PoSH_SaveSecurityHive

Added a new payload to exfiltration that saves the HKLM security hive to the bunny

* Morse Code File Exfiltration

A bit pointless with the limitations of Morse code, but I thought it was fun to create.

* Update readme.md

* Update for non-alphanumeric

* Update for timing

* Update readme.md

* Update readme.md

* Update readme.md

* Update readme.md

* Update payload.txt

* New payload - Fake Login

Shows a fake version of the Windows 10 login screen

* Update readme.md

* Changes to Fake Login Payload

* Changes to Fake Login
cribb-it
2021-04-22 16:44:33 +01:00
committed by GitHub
parent 27d63ad5a5
commit 6375315a33
5 changed files with 466 additions and 4 deletions


@@ -1,7 +1,7 @@
# Title: Morse Code File Exfiltration
# Description: Reads all txt file and Flashes the Scrolllock on and off to represent morse code
# Description: Reads all txt files in myDocs and Flashes the Scrolllock on and off to represent morse code
# Author: Cribbit
# Version: 1.0
# Version: 1.2
# Category: PoC
# Target: Windows (Powershell 5.1+)
# Attackmodes: HID & STORAGE
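Review bot: the reworded Description line still capitalises "Flashes" mid-sentence, and the header jumps from Version 1.0 straight to 1.2 with no 1.1 between them; since the readme carries a changelog table, keep the payload.txt version equal to the newest table row in the same commit so the two files cannot drift, and consider "Reads all .txt files in My Documents and flashes Scroll Lock on and off to represent Morse code".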


@@ -1,6 +1,6 @@
# Morse Code File Exfiltration
* Author: Cribbit
* Version: 1.0
* Version: 1.2
* Target: Windows (Powershell 5.1+)
* Category: PoC
* Attackmode: HID & Storage
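Review bot: the readme header reads `Attackmode: HID & Storage` while the payload.txt header reads `Attackmodes: HID & STORAGE`; pick one key spelling and one capitalisation so a search across payloads matches both files. The 1.0 to 1.2 bump itself agrees with the 1.2 changelog row further down.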
@@ -13,7 +13,7 @@
| 1.2 | Update for space timing |
## Description
Reads all txt file in my documents and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
Reads all txt files in "my documents" and Flashes the Scrolllock on and off to represent Morse code of the engish alphanumeric characters (0..9 A..Z)
## Update
For characters out side the Morse code 0..9 A..Z it now flash one long pulse then the chars ordinal value ie (@ = 64 = -.... ....-)
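Review bot: the replaced Description line carries the typo "engish" over from the old one, and the added Update paragraph has "out side", "it now flash" and "the chars ordinal value"; suggest "For characters outside the Morse set 0..9 A..Z it now flashes one long pulse followed by the character's decimal ordinal value, e.g. @ = 64 = -.... ....-", and fold that sentence into the 1.2 changelog row rather than keeping a separate "Update" heading. The paragraph should also say how a receiver distinguishes the long-pulse prefix from a plain T (a single dash) and what happens to lowercase letters, since the documented alphabet is only 0..9 A..Z.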
@@ -25,6 +25,9 @@ The payload uses a base64 encode version of the payload (b.txt) to get round the
Please check the encoded payload before execution, to make sure it has not been replaced with something more malicious.
If you do not want to use the base64 version you could change the payload to:
`RUN WIN "powerShell -Noni -NoP -W h -EP Bypass .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\MorseCodeFileExfiltration.ps1')"`
## Colors
| Status | Color | Description |
| --------- | ------------------------------| ------------------------------------------------ |
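Review bot: the unchanged context asks the reader to check the encoded b.txt before execution but the readme never says how; since the alternative RUN WIN line names the plaintext `MorseCodeFileExfiltration.ps1`, state that b.txt must decode to exactly that file and publish its SHA-256 in the readme so a reviewer can verify the blob without decoding it by eye. Also clarify which file the Colors table refers to, as the hunk now mentions both the base64 launcher and the .ps1 script.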