Skip to content

Add Exfiltration Payload: PwnedBy_AWS#241

Open
ech0-c2x wants to merge 5 commits intohak5:masterfrom
ech0-c2x:patch-1
Open

Add Exfiltration Payload: PwnedBy_AWS#241
ech0-c2x wants to merge 5 commits intohak5:masterfrom
ech0-c2x:patch-1

Conversation

@ech0-c2x
Copy link

@ech0-c2x ech0-c2x commented Oct 27, 2024

Educational and penetration testing purposes only. This script is designed to demonstrate that once physical access is gained, a malicious actor can easily enumerate information and credentials, and have that remotely exfiltrated for later review, exploitation, and/or selling. Please use responsibly, and ensure you are only targeting systems that you have explicit permission to test on.

@Kerberooted
Create PwnedBy_AWS
1fa5da8 
Educational and penetration testing purposes only. This script is designed to demonstrate that once physical access is gained, a malicious actor can easily enumerate information and credentials, and have that remotely exfiltrated for later review, exploitation, and/or selling. Please use responsibly, and ensure you are only targeting systems that you have explicit permission to test on.
@Kerberooted
Updated typo in PwnedBy_AWS
ebe93c9
@Kerberooted
Update PwnedBy_AWS
e7961c6
@Kerberooted
Update PwnedBy_AWS
ca80a74 
Syntax correction
@Kerberooted
Update PwnedBy_AWS
70d676d
hak5peaks
hak5peaks requested changes Nov 25, 2025
View reviewed changes
payloads/library/exfiltration/PwnedBy_AWS
Copy link
Member

@hak5peaks hak5peaks Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix your directory structure. Your payload content should be inside of a payload.txt file within a directory with your payload name. For example: payloads/library/exfiltration/PwnedBy_AWS/payload.txt

payloads/library/exfiltration/PwnedBy_AWS
DELAY 1000

REM Set AWS_ACCESS_KEY_ID
STRING $env:AWS_ACCESS_KEY_ID = "YOUR-ACCESS-KEY-HERE"
Copy link
Member

@hak5peaks hak5peaks Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please include a DEFINE at the top of your payload for any configurable options. This makes the payload easier to use and change for the end user.

For example:

DEFINE #AWS_ACCESS_KEY_ID YOUR-ACCESS-KEY-HERE
STRINGLN $env:AWS_ACCESS_KEY_ID = "#AWS_ACCESS_KEY_ID"

Please implement this where it applies in your payload.

payloads/library/exfiltration/PwnedBy_AWS
DELAY 1500

REM Verify the AWS CLI is available. If not, exit the script.
STRING if (!(Get-Command aws -ErrorAction SilentlyContinue)) { Write-Output "AWS CLI not found. Exiting."; exit }
Copy link
Member

@hak5peaks hak5peaks Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For instances where you are using STRING and then immediately ENTER you can compress it down into a single line by using STRINGLN this cleans up the payload and makes it more readable.

for example: STRINGLN example will inject the same as

STRING example
ENTER

@hak5peaks hak5peaks added the Pending Requested Changes. Changes were requested and is pending changes before next review. label Nov 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hak5peaks hak5peaks hak5peaks requested changes

Assignees

No one assigned

Labels

Pending Requested Changes. Changes were requested and is pending changes before next review.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ech0-c2x @hak5peaks @Kerberooted