- Choose username and password and the RDP port.
- Run RDPerci.bat on victim
- Connect to victim with the username&password created and the specified port
RDPerci is ideal for SOC operators' first analysis. It's a simple script able to enable RDP and add new admin user with the access over it. It's inspired from famous malware that works with RDP. To allow multple RDP sessions it uses termsrv_rdp_patch.ps1 from winposh repository.
RDPerci.bat will ask for admin's privileges, when it obtain that it will run. It create new user with a new password (Percin0 and Password123! by default), and try to add to Administrator's group using the default name in different languages. Then enable RDP on the target and change the default port (port 8888 by default). It creates an ACL on WindowsFirewall for RDP connection over the selected port.
https://github.com/maxbakhub/winposh
https://attack.mitre.org/techniques/T1021/001/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md
Only for analysis do not use without authorization. Only for educational purpose.
If you want to help me with any suggestions please contact me to percin0@protonmail.com :) Be patient, I'll update the ngrok component!
RDPerci on victim without RDP enable.
Connection with the new user's credentials and the new port from remote host.
You can do all you want, you are admin!
