.Net 内存马改造里面的详细的介绍了其利用方式,在学习的过程中发现,其中的参考文章提到了直接使用Start Pocess的方式会被wdf检查:
Since ProxyLogon, ProxyShell, and till now some EDRs,AV,sysmon and Microsoft Windows Defender try to catch and prevent process spawn from w3wp.exe process. This also annoys us but we need some improvements to overcome it!