diff --git a/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt b/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt index 41bfc599..7fb94fce 100644 --- a/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt +++ b/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt @@ -8,24 +8,28 @@ * REM # # * REM ############################################################################################# +ATTACKMODE HID + +* REM VARIABLES +* REM 1) Set the script name editing $SCRIPT-NAME var, the default name is 'auto-check.sh' but you can change it here since is used the DuckyScript variable $SCRIPT-NAME. +SCRIPT-NAME='auto-check.sh' +* REM 2) Here you chould define the script path editing $PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit this DuckyScript variable with the correct path +PATH-TO-SCRIPT='~/' +* REM 3) Replacing `here` you must set your sudo password that permit to give the executable permissions to the file +SUDO-PSWD='here' QUACK DELAY 3000 QUACK CTRL-ALT t QUACK DELAY 1000 - - QUACK STRING echo 'while true; do QUACK ENTER QUACK DELAY 500 - QUACK STRING response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1) QUACK ENTER QUACK DELAY 500 - QUACK STRING if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then QUACK ENTER QUACK DELAY 500 - QUACK STRING if [ $? -eq 0]; then QUACK ENTER QUACK DELAY 500 
@@ -33,92 +37,68 @@ QUACK DELAY 500 QUACK STRING # Attack detected, here you decide what to do in this moment QUACK ENTER QUACK DELAY 500 - QUACK STRING # 1. Send an email to sec-team QUACK ENTER QUACK DELAY 500 - QUACK STRING # 2. Do some other ops QUACK ENTER QUACK DELAY 500 - QUACK STRING # ... QUACK ENTER QUACK DELAY 500 - QUACK STRING # 3. What do you want to do? QUACK ENTER QUACK DELAY 500 - QUACK STRING # Can you reboot the system or you need to do something else before? QUACK ENTER QUACK DELAY 500 - QUACK STRING # Do you want to close it? QUACK ENTER QUACK DELAY 500 - QUACK STRING # ... QUACK ENTER QUACK DELAY 500 - QUACK STRING # The only one way to close the backdoor is reboot the system, so don t change it (?)... QUACK ENTER QUACK DELAY 500 - QUACK STRING # |-> See the Conseguence section in README QUACK ENTER QUACK DELAY 500 - QUACK STRING reboot QUACK ENTER QUACK DELAY 500 - QUACK STRING else QUACK ENTER QUACK DELAY 500 - QUACK STRING # You are safe :-) QUACK ENTER QUACK DELAY 500 - QUACK STRING fi QUACK ENTER QUACK DELAY 500 - QUACK STRING fi QUACK ENTER QUACK DELAY 500 - QUACK STRING sleep 300 # wait time QUACK ENTER QUACK DELAY 500 - - -* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. -* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. 
If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path -QUACK STRING done' > #PATH-TO-SCRIPT#SCRIPT-NAME +QUACK STRING done' > $PATH-TO-SCRIPT$SCRIPT-NAME QUACK ENTER QUACK DELAY 500 * REM To avoid some bad DELAY I decided to use only one command row -* REM Old script -* REM STRINGLN sudo chmod +x #SCRIPT-NAME +QUACK REM Old script +* REM STRINGLN sudo chmod +x $SCRIPT-NAME * REM DELAY 500 -* REM STRINGLN #SUDO-PSWD +* REM STRINGLN $SUDO-PSWD * REM DELAY 3000 -* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ +* REM STRINGLN sh $PATH-TO-SCRIPT$SCRIPT-NAME $ * REM STRINGLN exit -* REM Optimized script - -* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. -* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path -QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit +QUACK REM Optimized script +QUACK STRING sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit QUACK ENTER QUACK DELAY 500 - -* REM Here you must set your sudo password that permit to give the executable permissions to the file -QUACK STRING #SUDO-PSWD +QUACK STRING $SUDO-PSWD QUACK ENTER diff --git a/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/README.md b/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/README.md index d7349d50..88be4fcb 100644 --- a/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/README.md 
+++ b/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/README.md @@ -4,7 +4,7 @@ Use this script to set up an automated integrity verification system for your Ci **Category**: incident-response -![](/assets/1.png) +![](https://i.ibb.co/GHV3y1g/1.png) ## Index 
@@ -31,9 +31,9 @@ In response to this, Cisco has released a basic method for users to assess their An immediate solution to the problem is to reboot the system, which would close the backdoor. However, this doesn't mitigate the vulnerabilities in the long term, as the machine remains just as susceptible after the reboot and also why the attacker's super user is not removed. This means that rebooting the system is an immediate measure to block the threat but doesn't provide a lasting mitigation of the threat. -The payload.txt file contains DuckyScript code that enables you to create a Shell script that periodically performs the Cisco-suggested verification to determine if the machine has been attacked. The script defines three variables: the script name, the superuser (sudo) password, and the file path. The only variable that must be modified is the sudo password because it varies from user to user. The other two variables can be changed but aren't strictly necessary for the payload's functionality. They represent the desired script name and the default path (the current folder). +The payload.txt file contains DuckyScript code that enables you to create a Shell script that periodically performs the Cisco-suggested verification to determine if the machine has been attacked. The script defines three variables: the script name, the superuser (sudo) password, and the file path. The only variable that must be modified is the sudo password `SUDO-PSWD` because it varies from user to user. The other two variables can be changed but aren't strictly necessary for the payload's functionality. They represent the desired script name and the default path (the current folder). -To minimize downtime, the Hak5 Detect Ready extension has been used. When the Shell is opened, the payload executes a series of commands that involve writing the contents of a file, allowing the creation of a script on the machine that will be automatically executed by the operating system. 
+When the Shell is opened, the payload executes a series of commands that involve writing the contents of a file, allowing the creation of a script on the machine that will be automatically executed by the operating system. Once the file is created, it's automatically saved at the end of the execution, and the payload proceeds to enable execution permissions using the permissions granted by the sudo+chmod command. @@ -43,11 +43,11 @@ To maintain code readability, I chose to keep a less efficient but more straight ``` * REM Old script -* REM STRINGLN sudo chmod +x #SCRIPT-NAME +* REM STRINGLN sudo chmod +x $SCRIPT-NAME * REM DELAY 500 -* REM STRINGLN #SUDO-PSWD +* REM STRINGLN $SUDO-PSWD * REM DELAY 3000 -* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $ +* REM STRINGLN sh $PATH-TO-SCRIPT$SCRIPT-NAME $ * REM STRINGLN exit ``` @@ -57,15 +57,11 @@ In order to optimize this code, I prefer the following version, which eliminates ``` * REM Optimized script - -* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME. -* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path -QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit +QUACK STRING sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit QUACK ENTER QUACK DELAY 500 -* REM Here you must set your sudo password that permit to give the executable permissions to the file -QUACK STRING #SUDO-PSWD +QUACK STRING $SUDO-PSWD QUACK ENTER ``` 
diff --git a/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/assets/1.png b/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/assets/1.png deleted file mode 100644 index 14ff8fee..00000000 Binary files a/payloads/library/incident_response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/assets/1.png and /dev/null differ
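Review bot: in the first payload.txt hunk, the new variable block (`SCRIPT-NAME='auto-check.sh'`, `PATH-TO-SCRIPT='~/'`, `SUDO-PSWD='here'`) cannot work as written if payload.txt is executed as a shell script on the Bash Bunny, which the `ATTACKMODE HID` / `QUACK` syntax suggests: hyphens are not legal in shell variable names, so all three assignments fail, and the later `$PATH-TO-SCRIPT$SCRIPT-NAME` expands `$PATH` and `$SCRIPT` followed by the literal text `-TO-SCRIPT` and `-NAME`. Rename them to `SCRIPT_NAME`, `PATH_TO_SCRIPT` and `SUDO_PSWD` and update every reference. For the same reason, the unquoted `QUACK STRING response=$(curl ...)`, `$response` and `$?` lines are expanded by the Bunny's shell before anything is typed, so the curl would run on the Bunny rather than on the target; single-quote those STRING arguments or use a quoted heredoc. Two smaller points in the same hunk: the context line `QUACK STRING if [ $? -eq 0]; then` is missing the space before `]`, which makes the generated script a syntax error on the target, and the hardcoded `systemip` host in the curl URL belongs in the new VARIABLES block alongside the other three settings. The `~/` default is also inside single quotes, so its expansion depends entirely on the target shell; `$HOME/` is safer.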
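Review bot: in the second payload.txt hunk, `QUACK STRING sudo chmod +x $SCRIPT-NAME; sh $PATH-TO-SCRIPT$SCRIPT-NAME $; exit` has several defects. `chmod` receives only the name while `sh` receives path plus name, so the chmod fails whenever `PATH-TO-SCRIPT` is not the terminal's current directory; use `$PATH-TO-SCRIPT$SCRIPT-NAME` in both. The trailing `$` argument looks like a typo for `&`; with `exit` immediately following, the loop is only kept alive if it is detached (`nohup ... &`). Running the script with `sh` is also wrong on systems where `sh` is dash (Debian/Ubuntu), because the `[[ $response =~ ... ]]` test written into the file is bash-only; launch it with `bash`. Note that `chmod +x` is unnecessary when the file is passed to an interpreter, so the sudo step (and the cleartext `SUDO-PSWD`) could be dropped entirely, while `reboot` inside the script needs root that this invocation never grants. If sudo does not prompt because of a cached timestamp, `QUACK STRING $SUDO-PSWD` followed by ENTER types the password as a command and it lands in shell history, which should at least be documented. Finally, this hunk changes `* REM Old script` and `* REM Optimized script` to `QUACK REM ...` but leaves every other `* REM` line untouched; `* REM` is not a comment in bash (the `*` is a glob), so convert all of them to `QUACK REM` or `#`, not just two.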
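Review bot: in the README `@@ -4,7 +4,7 @@` hunk, replacing `/assets/1.png` with `https://i.ibb.co/GHV3y1g/1.png` (together with deleting `assets/1.png` at the end of the patch) makes the documentation depend on a third-party image host that can disappear or be swapped out. Keep the file under the payload's `assets/` directory and reference it relative to the README (`![](assets/1.png)`); that also fixes the original problem, since the root-absolute `/assets/1.png` pointed at the repository root rather than at `payloads/library/.../assets/1.png` where the file actually lived.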
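Review bot: in the README `@@ -31,9 +31,9 @@` hunk, the added text names the variable `SUDO-PSWD` while the payload references it as `$SUDO-PSWD`, and the unchanged sentence after it still says the default path is "the current folder" although the payload's new default `PATH-TO-SCRIPT='~/'` and its comment say the home directory. Align the README with the payload: quote the variable as it appears in payload.txt and state that the default path is the home directory.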
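Review bot: in the README `@@ -43,11 +43,11 @@` hunk, the snippet still opens with `* REM Old script` while the payload hunk changes that same line to `QUACK REM Old script`; update the README block to match (and likewise `* REM Optimized script` in the following block), otherwise the documented code diverges from the shipped payload.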
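Review bot: in the README `@@ -57,15 +57,11 @@` hunk, dropping the two explanatory `* REM` lines is reasonable now that the variables are defined in one place, but the README no longer tells the reader where `$SCRIPT-NAME`, `$PATH-TO-SCRIPT` and `$SUDO-PSWD` come from; add a sentence pointing to the VARIABLES block at the top of payload.txt. The quoted one-liner also carries the stray `$` after `sh $PATH-TO-SCRIPT$SCRIPT-NAME`, so whatever fix is applied in the payload (`&` or `nohup ... &`) should be mirrored here.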