mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
3904f165d9
* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny
Backup User registry (HKU)
- Author: Cribbit
- Version: 1.1
- Target: Windows 10 (Creators Update) (Powershell)
- Category: Exfiltration
- Attackmode: HID & STORAGE
Change Log
| Version | Changes |
|---|---|
| 1.0 | Initial release |
| 1.1 | Use Admin Shell (for all keys) |
Description
Uses PowerShell, to run Reg.exe to export the HKU entry to a file on the bunny.
Configuration
RootKeys: [ HKLM | HKCU | HKCR | HKU | HKCC ]
Usesful Reg.exe export parameters:
- /y Force overwriting the existing file without prompt.
- /reg:32 Specifies the key should be accessed using the 32-bit registry view.
- /reg:64 Specifies the key should be accessed using the 64-bit registry view.
Colors
| Status | Color | Description |
|---|---|---|
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISH | Green blink followed by SOLID | Script is finished |