Table Of Contents
- Windows [RE]Configuration
- Remote Desktop Protocol (RDP) Configuration
- Misc [Re]Configuration
- Disable Windows Defender
- Windows Event Viewer Manipulation
WINDOWS [RE]CONFIGURATION
- Note: This section covers re-configuration of Windows which can be used to further a potential red team assessment. A few examples include enabling remote desktop protocol, adding firewall rules, or creating accounts.
REMOTE DESKTOP PROTOCOL (RDP) CONFIGURATION
Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
sc start TermService
:: Optional: Can execute technique remotely by interacting with remote registry
reg add "\\<IP_ADDRESS>\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
Change RDP Listening Port Number (Need to restart RDP Service)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
MISC [RE]CONFIGURATION
Lock workstation
rundll32 user32.dll,LockWorkStation
Disable Windows firewall
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
Native Windows port forward (must be admin)
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2
:: Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1
Re-enable command prompt
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
List software names and uninstall software
wmic product get name /value
wmic product where name="XXX" call uninstall /nointeractive
Turn on IP forwarding
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter /t REG_DWORD /d 1 /f
Share a folder with full permissions to everyone
net share sharename=<SHARE_FOLDER> /GRANT:everyone,FULL
icacls <FILE_PATH> /grant Everyone:(F) /T
Add a local user and place in the local administrators group
net user <USERNAME> <PASSWORD> /ADD
net localgroup "Administrators" <USERNAME> /ADD
Uninstall a patch
wusa /uninstall /kb:4516059 /quiet
Forcibly delete all files from specified directory and all subdirectories
del <FILE_PATH>\*.* /S /Q /F
DISABLE WINDOWS DEFENDER
Disable service
sc config WinDefend start= disabled
Stop service
sc stop WinDefend
PowerShell command to disable real time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true
Remove virus definitions with MpCmdRun.exe (command prompt, not PowerShell)
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
WINDOWS EVENT VIEWER MANIPULATION
Backup the Application log and then clear all events
wevtutil cl Application /bu:<FILE_PATH>.evtx
Display the 20 most recent events from the application log
wevtutil qe Application /c:20 /rd:true /f:text
Display the last 100 logon events
wevtutil qe security /q:"*[System[(EventID=4624)]]" /c:100 /rd:true
Display all logon events during the last 24 hours (PowerShell)
$date = (Get-Date).AddHours(-24); Get-WinEvent -FilterHashtable @{ LogName = "Security"; StartTime = $date; ID = 4624 }
Clear Security & Application event log (PowerShell)
Get-EventLog -List
Clear-EventLog -LogName Application,Security
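Every step in the RDP, Misc, Defender and Event Viewer sections above leaves a Windows event behind (Sysmon 13 for the registry writes, 7040 for the service start-type change, 5001 for real-time protection going off, 4720/4732 for the new local admin, 104 and 1102 for cleared logs). The following added example, not part of this cheat sheet, classifies a batch of constructed sample events by those documented event IDs; the field names in SAMPLE_EVENTS are simplified for the example.

```python
import re

# Registry values set by the RDP section above, as Sysmon Event ID 13
# (RegistryEvent: value set) reports them in its TargetObject field.
RDP_VALUES = re.compile(
    r"Terminal Server(\\WinStations\\RDP-Tcp)?\\"
    r"(fDenyTSConnections|UserAuthentication|SecurityLayer|PortNumber)$",
    re.IGNORECASE)

def classify(ev):
    """Return a finding label for one event dict, or None if it is not of interest."""
    eid, prov = ev["EventID"], ev["Provider"]
    if prov == "Microsoft-Windows-Sysmon" and eid == 13 and RDP_VALUES.search(ev["TargetObject"]):
        name = ev["TargetObject"].rsplit("\\", 1)[-1]
        return f"rdp-registry-change:{name}={ev['Details']}"
    if prov == "Microsoft-Windows-Security-Auditing":
        if eid == 1102:                       # "The audit log was cleared"
            return "security-log-cleared"
        if eid == 4720:                       # "A user account was created"
            return f"local-user-created:{ev['TargetUserName']}"
        if eid == 4732 and ev["GroupName"] == "Administrators":  # member added to local group
            return f"local-admin-added:{ev['MemberName']}"
    if prov == "Microsoft-Windows-Eventlog" and eid == 104:   # a non-Security log was cleared
        return f"log-cleared:{ev['Channel']}"
    if prov == "Service Control Manager" and eid == 7040 and ev["Service"] == "WinDefend":
        return f"defender-service-start-type:{ev['NewStartType']}"   # start type changed
    if prov == "Microsoft-Windows-Windows Defender" and eid == 5001:  # real-time protection off
        return "defender-realtime-disabled"
    return None

def find_reconfiguration(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events with simplified field names (real records carry
# these values under provider-specific names such as param1/param3 for 7040).
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13, "Details": "DWORD (0x000001bb)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13, "Details": "Updater.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},  # not flagged
    {"Provider": "Service Control Manager", "EventID": 7040, "Service": "WinDefend", "NewStartType": "disabled"},
    {"Provider": "Microsoft-Windows-Windows Defender", "EventID": 5001},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4720, "TargetUserName": "svc_backup"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4732,
     "GroupName": "Administrators", "MemberName": "svc_backup"},
    {"Provider": "Microsoft-Windows-Eventlog", "EventID": 104, "Channel": "Application"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 1102},
]

if __name__ == "__main__":
    for finding in find_reconfiguration(SAMPLE_EVENTS):
        print(finding)
```

A registry write under Terminal Server that is not one of the four listed values, and any Run-key write, is deliberately left unflagged so the rule stays specific to the RDP steps above.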
Prefetch
- More info at: https://forensicswiki.xyz/wiki/index.php?title=Windows_Prefetch_File_Format
- Prefetch Location:
%SYSTEMROOT%\Prefetch
- Prefetch filename structure:
<APPLICATION_NAME>-<8 CHAR HASH OF LOCATION>.pf
- Additional meta data:
- executable name (up to 29 chars)
- number of times the application has been executed
- volume related information
- files and directories used during application start-up