Jump to content

How to correctly exit Powershell terminal via HID script?


Recommended Posts

I'm having trouble writing a powershell script that will 'exit' the terminal after running the code. This problem occurs when using a Quack script on the Bash Bunny.

Here's the end part of the Ducky script into  that I wrote:

Quote

STRING del ip.txt

ENTER

DELAY 100

STRING exit

ENTER

I pretty sure that's correct, and it should exit after deleting a file called ip.txt However, no such luck.

What I have tried to solve the problem:

  • STRING EXIT
  • STRING Exit
  • STRING exit;
  • STRING del ip.txt; exit;

But, no of these make a difference. I even checked a Ducky script written by DarrenHak5 who has the same way of exiting the powershell terminal. So, I can't understand why it's not working for me. If I manually type exit it will do so, if the HID type it, it will not exit.

Guys, do you have any suggestions?

Thanks

Link to post
Share on other sites

If in CMD then POWERSHELL?

STRING exit

ENTER

STRING exit

ENTER

??

Link to post
Share on other sites

Cool beans, glad you got it working.

TIP: if powershell is disabled on a system (like I have it on my system with GPO) you can change the "+STRING POWERSHELL" to "+STRING cmd /k powershell", for which then there would be two exits needed. I only mention using cmd in the event powershell is disabled, while cmd is still open. You can set a group policy to disable both cmd and powershell too if you want to defend against this kind of attack using gpedit.msc, but only on Windows Pro and above versions. Home users would have to use a registry edit to do the same thing since gpedit is not available to them on home editions. These are smaller mitigations, as there are VBS and other scripting languages you could use as well, but cmd and powershell user environments can be disabled which is 99% of the HID based attacks you will see.

Link to post
Share on other sites
19 hours ago, digip said:

Cool beans, glad you got it working.

TIP: if powershell is disabled on a system (like I have it on my system with GPO) you can change the "+STRING POWERSHELL" to "+STRING cmd /k powershell", for which then there would be two exits needed. I only mention using cmd in the event powershell is disabled, while cmd is still open. You can set a group policy to disable both cmd and powershell too if you want to defend against this kind of attack using gpedit.msc, but only on Windows Pro and above versions. Home users would have to use a registry edit to do the same thing since gpedit is not available to them on home editions. These are smaller mitigations, as there are VBS and other scripting languages you could use as well, but cmd and powershell user environments can be disabled which is 99% of the HID based attacks you will see.

I've made a note of your tip. Appreciate it!

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...