The attackers made use of legitimate tools like Plink to configure port-forwarding rules, enabling remote access via the Remote Desktop Protocol (RDP), and modified Windows firewall rules to facilitate their activities.