Jump to content

Recommended Posts

Posted

[Payload] Ghost Cleanup

https://github.com/bg-wa/bashbunny-payloads/tree/develop/payloads/library/ghost_cleanup

The goal of this payload is to provide a universal (WIn/Mac/Lin) HID script to clean up your tracks after an attack.  The idea is to have this as a switch 2 payload to easily execute after an attack.

Currently, I have code to:

  1. Select OS (Defaults to linux, but can be switched manually or with attack 1, by writing an appropriately named file to the BB loot folder)
  2. Ducky script from E2124 to open cmd/terminal
  3. Clear input history
    1. [mac/linux] Clear all bash history (or optioanlly set how many lines to remove from the end of ~./bash_history)
    2. [Win] use regedit to remove run commands
  4. [Win] Remove extra Ethernet adapters created by BB. (*WIP, looking at different methods)
  5. Comments providing guidance on where to insert your custom cleanup code for each platform

Please feel free for fork and contribute!

**  This script is a Work in Progress, as I'm still waiting on my BashBunny to arrive.

  • Upvote 1
  • 2 weeks later...
Posted

Quick and Dirty Solution for Windows
 

Clean_Win_Reg.cmd

@echo off
setlocal enableextensions enabledelayedexpansion

# Nr of lines deleting from Registry
set len=3
set /a len_pos=%len%-1

# Get the MRUList from Registry and save it to %mru%
for /f "tokens=2*" %%a in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v MRUList') do set "mru=%%b"
# Count chars
for /f %%c in ('cmd /u /v /q /c"(echo(!mru!)" ^| find /v "" ^| findstr /r /c:"[a-z]" ^| find /c /v ""') do set "str_len=%%c"

# Get the last Nr of defined lines from MRUList
set list=!mru:~0,%len%!
# Set the new MRUList
set original_list=!mru:~%len%,%str_len%!

# Delete old MRUList
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /f
# Add new MRUList
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /t Reg_Sz /d %original_list%

# Delete the last Nr of lines from Registry
for /l %%d in (0,1,%len_pos%) do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v !list:~%%d,1! /f)

 

 

PS: You have to take the REG DELETE "Path" in double Quotes
 

QUACK STRING reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f

 

Posted

I think I'm going to fork this into a new helper so this logic can be called from any script instead of having to dedicate a switch to it...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...