[Payload for PowerMemory to grab Windows 10 creds?]

17 minutes ago, jermzz said:

So you need two payloads :)

It appears so! I am very new to all of this and not entirely sure how to craft the entire payload to accomplish the following:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Assuming that is the right command anyway.

[Payload for PowerMemory to grab Windows 10 creds?]

8 minutes ago, jermzz said:

it's not going to work if it needs to run before and after a reboot issuing different key strokes. Especially if it needs to enter an unknown login password

Yeah I guess I should have specified that I would like to primarily add the registry modification into the stealth payload (pulling up the registry and modifying the WDigest "UseLogonCredential" to 1) on the first run, rather than either loading up PowerMemory or modifying the registry manually (allotted time would be minimal). Then wait for the target machine to be rebooted before inserting the RD once more to grab the plain text.

[Payload for PowerMemory to grab Windows 10 creds?]

I purchased the Rubber Ducky recently to grab windows login creds from Windows 10. I was unaware at the time that it wouldn't quite work as solid on 10 as it does with older versions of windows.

After testing on various other versions and having it upload the .creds to my server nothing happened when I attempted it on my target machine (Windows 10). I played around with quite a bit and finally got the .creds uploading but with 0 data.

Doing some research I came across this page explaining using PowerMemory to edit the registry for storing plaintext credentials. I did this the manual way, rebooted, and viola I have my .creds file on the server with the credentials. However this was done on a test machine and not my target machine.

HERE IS MY REQUEST: Does anyone have or can write a payload to automate this process in a stealth manner much like the Mr Robot payload?

Maybe I am overlooking something as I am so new to this. Also it could be possible that it would have worked without PowerMemory editing the registry as I disabled Windows Defender before trying PM as I saw it has blocked some MK features during my previous attempts.

Any feedback would be greatly appreciated!