Persistence techniques checked:
- Run Key
- RunOnce Key
- Image File Execution Options
- Natural Language Development Platform 6 DLL Override Path
- AEDebug Keys
- Windows Error Reporting Debugger
- Windows Error Reporting ReflectDebugger
- Command Prompt AutoRun
- Explorer Load
- Winlogon Userinit
- Winlogon Shell
- Windows Terminal startOnUserLogin
- AppCertDlls DLL Injection
- App Paths Hijacking
- ServiceDll Hijacking
- Group Policy Extensions DLLs
- Winlogon MPNotify
- CHM Helper DLL
- Hijacking of hhctrl.ocx
- Startup Folder
- User Init Mpr Logon Script
- AutodialDLL Winsock Injection
- LSA Extensions DLL
- ServerLevelPluginDll DNS Server DLL Hijacking
- LSA Authentication Packages DLL
- LSA Security Packages DLL
- Winlogon Notify Packages DLL
- Explorer Tools Hijacking
- .NET DbgManagedDebugger
- cmd Hijacking
- WMI Subscriptions
- Windows Services
- Terminal Services InitialProgram
- Accessibility Tools Backdoor
git clone https://github.com/last-byte/PersistenceSniper.git
PS C:\> git clone https://github.com/last-byte/PersistenceSniper
PS C:\> Import-Module .\PersistenceSniper\PersistenceSniper\PersistenceSniper.psd1
PS C:\> Find-AllPersistence
PS C:\> Install-Module PersistenceSniper
PS C:\> Import-Module PersistenceSniper
PS C:\> Find-AllPersistence
Get-Help -Name Find-AllPersistence -Full
PS C:\> Find-AllPersistence -PersistenceMethod RunAndRunOnce
# Each finding returned by Find-AllPersistence is a custom object with these fields
$PersistenceObject = [PSCustomObject]@{
    'ComputerName'    = $ComputerName      # host the finding was collected from
    'Technique'       = $Technique         # name of the persistence technique (see the list above)
    'Classification'  = $Classification    # classification assigned to the technique
    'Path'            = $Path              # registry key or file system location holding the persistence
    'Value'           = $Value             # command line or DLL configured at that location
    'Access Gained'   = $AccessGained      # privilege level the persisted code runs with
    'Note'            = $Note              # short description of the technique
    'Reference'       = $Reference         # link to a write-up of the technique
    # The executable is parsed out of $Value and checked for a code signature,
    # for being a built-in Windows binary, and for being a known LOLBin
    'Signature'       = Find-CertificateInfo (Get-ExecutableFromCommandLine $Value)
    'IsBuiltinBinary' = Get-IfBuiltinBinary (Get-ExecutableFromCommandLine $Value)
    'IsLolbin'        = Get-IfLolBin (Get-ExecutableFromCommandLine $Value)
}
PS C:\> Find-AllPersistence | Where-Object "Access Gained" -EQ "System"
PS C:\> Find-AllPersistence -DiffCSV false_positives.csv
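The two commands above (filtering on 'Access Gained' and diffing against a CSV of known false positives) can be combined into a small triage workflow. The following is an added example, not code from the PersistenceSniper project; it assumes that a CSV produced by Export-Csv from Find-AllPersistence output is accepted by -DiffCSV, that IsLolbin and IsBuiltinBinary are booleans, and that 'Access Gained' is either 'User' or 'System'.

```powershell
# Added example (not part of PersistenceSniper). Assumptions: the module is installed,
# -DiffCSV accepts a CSV written by Export-Csv from Find-AllPersistence output,
# IsLolbin / IsBuiltinBinary are booleans and 'Access Gained' is 'User' or 'System'.
Import-Module PersistenceSniper

# 1. On a known-clean reference build of the same image, record every finding
#    as the false-positive baseline (run once, keep the file with the baseline).
Find-AllPersistence | Export-Csv -Path .\false_positives.csv -NoTypeInformation

# 2. On the host under investigation, keep only findings absent from the baseline.
$new = Find-AllPersistence -DiffCSV .\false_positives.csv

# 3. Rank what is left so the analyst looks at the riskiest entries first:
#    SYSTEM-level execution, LOLBins and non-built-in executables score higher.
$ranked = $new | ForEach-Object {
    $score = 0
    if ($_.'Access Gained' -eq 'System') { $score += 2 }
    if ($_.IsLolbin -eq $true)           { $score += 2 }
    if (-not $_.IsBuiltinBinary)          { $score += 1 }
    $_ | Add-Member -NotePropertyName Priority -NotePropertyValue $score -PassThru
} | Sort-Object -Property Priority -Descending

# 4. Show the ranked findings and keep a copy for the case file.
$ranked |
    Select-Object Priority, Technique, 'Access Gained', IsLolbin, IsBuiltinBinary, Path, Value |
    Format-Table -AutoSize
$ranked | Export-Csv -Path .\triage.csv -NoTypeInformation
```

Findings that turn out to be legitimate can be appended to false_positives.csv so they are suppressed on the next run.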
Links:
- https://www.powershellgallery.com/packages/PersistenceSniper/1.0
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/
- https://lolbas-project.github.io/
- https://twitter.com/dottor_morte