{
"id": "9ac4767a-0052-4770-9593-4f7de131b829",
"phase": "05. Privilege Escalation",
"ttp": "T1548.002",
"external": false,
"description": "fodhelper.exe is a Microsoft-signed binary that auto-elevates to high integrity without a UAC prompt (for members of the local Administrators group at the default UAC level), and it can be abused as a UAC bypass because of the way it consults the Windows Registry.\nOn launch it queries the current user's hive for \"HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\" before the machine-wide key. Because HKCU is writable by the user, creating that key with a default value pointing at an arbitrary command (plus an empty \"DelegateExecute\" value) causes fodhelper to launch that command in its high-integrity context.\nCaveats: this is a UAC bypass (T1548.002), not a true privilege escalation from a standard user - the account must already be a local administrator, and it does not work when UAC is set to \"Always notify\". The HKCU ms-settings key write is a well-known detection signature; remove the key after use.\n",
"category": "Exploits",
"stealthy": false,
"tools": [
"Metasploit"
],
"changes": [],
"name": "Fodhelper",
"content": "",
"steps": [
{
"id": "9c88259b-cbaa-4ab2-870b-27bec659b31f",
"name": "Setup MSF",
"description": "",
"requirements": {},
"results": [
"C2:LISTENER:HTTPS"
]
},
{
"id": "814fae75-0492-49d5-8188-aa59f456e9a2",
"name": "Exploit",
"description": "",
"requirements": {},
"results": [
"EXPLOITS:FODHELPER"
]
}
],
"references": [
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/"
]
}