update

Author: Randark-JMT

docs/Attack-Defense/Jamming-Countermeasure/Cobalt-Strike.md

@@ -2,18 +2,20 @@
 
 对抗 Cobaltstrike 中的手段：
 
-- 伪造流量批量上线（欺骗防御）
-- 利用漏洞（CVE-2022-39197），反制攻击者，获取 aggressor 端的相关信息和相关权限
+- 伪造流量批量上线 (欺骗防御)
+- 利用漏洞 (CVE-2022-39197)，反制攻击者，获取 aggressor 端的相关信息和相关权限
 - 反制 server，爆破密码，获取 server 信息
 - 旁路反制
 
-## 伪造流量批量上线（欺骗防御）
+## 伪造流量批量上线 (欺骗防御)
 
+在这里有两种思路，一个是直接伪造流量欺骗新增 beacon
 
+还有一种就是不断伪造会话，有两种途径：直接沙盒运行原始的样本，还有就是对样本中的连接配置进行解包，然后植入自己的 beacon 或者 SSH Session 中再大量执行，以造成堵塞的效果。
 
 ## 通过 CVE-2022-39197 反制攻击
 
-## 对server端进行攻击反制
+## 对 server 端进行攻击反制
 
 ## 旁路反制
 

docs/CheatSheet/Windows_post-exploitation.md

@@ -0,0 +1,324 @@
+# Windows 后渗透
+
+## 文件挖掘回传
+
+```powershell
+Get-ChildItem -Path E:\ -Filter Web.Config -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
+
+Compress-Archive -Path (Get-ChildItem -Path "E:\" -Filter "Web.Config" -Recurse -ErrorAction SilentlyContinue).FullName -DestinationPath "C:\Windows\Temp\webconfigs.zip"
+
+Get-ChildItem -Path "E:\" -Filter "web.config" -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName.Substring(3) } | Set-Content "C:\Windows\Temp\webconfigs.txt" -Encoding utf8
+# 切换为 cmd
+C:\Windows\Temp\7zr.exe a -t7z "C:\Windows\Temp\webconfigs.7z" -scsUTF-8 @"C:\Windows\Temp\webconfigs.txt"
+```
+
+## Internet Information Services (IIS)
+
+### 列出网站目录
+
+```bash
+c:\windows\system32\inetsrv\appcmd list vdir
+```
+
+## Microsoft Defender
+
+### 查询排除项
+
+```powershell
+Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionProcess, ExclusionExtension
+```
+
+添加排除项
+
+```powershell
+Add-MpPreference -ExclusionPath "D:\MySafeFolder"
+Add-MpPreference -ExclusionPath "C:\Windows\Temp"
+Add-MpPreference -ExclusionPath "C:\Windows\System32"
+Add-MpPreference -ExclusionPath "C:\Users\Public\Libraries"
+```
+
+取消排除项
+
+```powershell
+Remove-MpPreference -ExclusionPath "C:\Windows\Temp"
+```
+
+查询情报
+
+```powershell
+Get-MpThreatDetection
+```
+
+删除情报
+
+```bash
+"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDynamicSignature
+
+# Powershell
+Remove-Item "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*" -Recurse -Force
+```
+
+## Vmware Workstation
+
+```bash
+"C:\Program Files (x86)\VMware\VMware Player\vmrun.exe"
+"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
+```
+
+收集所有在运行的虚拟机
+
+需要注意的是，这里运行命令进行查询的权限需要与运行虚拟机的用户权限一致，过高或者过低都会导致查询不到虚拟机
+
+```bash
+"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" list
+```
+
+收集所有的虚拟机网卡
+
+```bash
+"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" listHostNetworks
+```
+
+获取虚拟机网卡地址
+
+```bash
+"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws getGuestIPAddress "E:\WIN11E TS - TPE NEW GRM 09\WIN11E TS - TPE.vmx" -wait
+```
+
+制作快照
+
+```bash
+"C:\Program Files (x86)\VMware\VMware Player\vmrun.exe" -T ws snapshot "C:\VM\WinServer_2012R2\Windows Server 2012.vmx" 2025-07-11
+```
+
+## 工具参考
+
+### vmrun
+
+```bash
+vmrun version 1.17.0 build-20800274
+
+Usage: vmrun [AUTHENTICATION-FLAGS] COMMAND [PARAMETERS]
+
+
+
+AUTHENTICATION-FLAGS
+--------------------
+These must appear before the command and any command parameters.
+
+   -T <hostType> (ws|fusion||player)
+   -vp <password for encrypted virtual machine>
+   -gu <userName in guest OS>
+   -gp <password in guest OS>
+
+
+
+POWER COMMANDS           PARAMETERS           DESCRIPTION
+--------------           ----------           -----------
+start                    Path to vmx file     Start a VM or Team
+                         [gui|nogui]
+
+stop                     Path to vmx file     Stop a VM or Team
+                         [hard|soft]
+
+reset                    Path to vmx file     Reset a VM or Team
+                         [hard|soft]
+
+suspend                  Path to vmx file     Suspend a VM or Team
+                         [hard|soft]
+
+pause                    Path to vmx file     Pause a VM
+
+unpause                  Path to vmx file     Unpause a VM
+
+
+
+SNAPSHOT COMMANDS        PARAMETERS           DESCRIPTION
+-----------------        ----------           -----------
+listSnapshots            Path to vmx file     List all snapshots in a VM
+                         [showTree]
+
+snapshot                 Path to vmx file     Create a snapshot of a VM
+                         Snapshot name
+
+deleteSnapshot           Path to vmx file     Remove a snapshot from a VM
+                         Snapshot name
+                         [andDeleteChildren]
+
+revertToSnapshot         Path to vmx file     Set VM state to a snapshot
+                         Snapshot name
+
+
+
+HOST NETWORK COMMANDS    PARAMETERS           DESCRIPTION
+---------------------    ----------           -----------
+listHostNetworks                              List all networks in the host
+
+listPortForwardings      Host network name    List all available port forwardings on a host network
+
+
+setPortForwarding        Host network name    Add or update a port forwarding on a host network
+                         Protocol
+                         Host port
+                         Guest ip
+                         Guest port
+                         [Description]
+
+deletePortForwarding     Host network name    Delete a port forwarding on a host network
+                         Protocol
+                         Host port
+
+
+
+
+GUEST OS COMMANDS        PARAMETERS           DESCRIPTION
+-----------------        ----------           -----------
+runProgramInGuest        Path to vmx file     Run a program in Guest OS
+                         [-noWait]
+                         [-activeWindow]
+                         [-interactive]
+                         Complete-Path-To-Program
+                         [Program arguments]
+
+fileExistsInGuest        Path to vmx file     Check if a file exists in Guest OS
+                         Path to file in guest
+
+directoryExistsInGuest   Path to vmx file     Check if a directory exists in Guest OS
+                         Path to directory in guest
+
+setSharedFolderState     Path to vmx file     Modify a Host-Guest shared folder
+                         Share name
+                         Host path
+                         writable | readonly
+
+addSharedFolder          Path to vmx file     Add a Host-Guest shared folder
+                         Share name
+                         New host path
+
+removeSharedFolder       Path to vmx file     Remove a Host-Guest shared folder
+                         Share name
+
+enableSharedFolders      Path to vmx file     Enable shared folders in Guest
+                         [runtime]
+
+disableSharedFolders     Path to vmx file     Disable shared folders in Guest
+                         [runtime]
+
+listProcessesInGuest     Path to vmx file     List running processes in Guest OS
+
+killProcessInGuest       Path to vmx file     Kill a process in Guest OS
+                         process id
+
+runScriptInGuest         Path to vmx file     Run a script in Guest OS
+                         [-noWait]
+                         [-activeWindow]
+                         [-interactive]
+                         Interpreter path
+                         Script text
+
+deleteFileInGuest        Path to vmx file     Delete a file in Guest OS
+                         Path in guest
+
+createDirectoryInGuest   Path to vmx file     Create a directory in Guest OS
+                         Directory path in guest
+
+deleteDirectoryInGuest   Path to vmx file     Delete a directory in Guest OS
+                         Directory path in guest
+
+CreateTempfileInGuest    Path to vmx file     Create a temporary file in Guest OS
+
+listDirectoryInGuest     Path to vmx file     List a directory in Guest OS
+                         Directory path in guest
+
+CopyFileFromHostToGuest  Path to vmx file     Copy a file from host OS to guest OS
+                         Path on host
+                         Path in guest
+
+CopyFileFromGuestToHost  Path to vmx file     Copy a file from guest OS to host OS
+                         Path in guest
+                         Path on host
+
+renameFileInGuest        Path to vmx file     Rename a file in Guest OS
+                         Original name
+                         New name
+
+typeKeystrokesInGuest    Path to vmx file     Type Keystrokes in Guest OS
+                         keystroke string
+
+connectNamedDevice       Path to vmx file     Connect the named device in the Guest OS
+                         device name
+
+disconnectNamedDevice    Path to vmx file     Disconnect the named device in the Guest OS
+                         device name
+
+captureScreen            Path to vmx file     Capture the screen of the VM to a local file
+                         Path on host
+
+writeVariable            Path to vmx file     Write a variable in the VM state
+                         [runtimeConfig|guestEnv|guestVar]
+                         variable name
+                         variable value
+
+readVariable             Path to vmx file     Read a variable in the VM state
+                         [runtimeConfig|guestEnv|guestVar]
+                         variable name
+
+getGuestIPAddress        Path to vmx file     Gets the IP address of the guest
+                         [-wait]
+
+
+
+GENERAL COMMANDS         PARAMETERS           DESCRIPTION
+----------------         ----------           -----------
+list                                          List all running VMs
+
+upgradevm                Path to vmx file     Upgrade VM file format, virtual hw
+
+installTools             Path to vmx file     Install Tools in Guest
+
+checkToolsState          Path to vmx file     Check the current Tools state
+
+deleteVM                 Path to vmx file     Delete a VM
+
+clone                    Path to vmx file     Create a copy of the VM
+                         Path to destination vmx file
+                         full|linked
+                         [-snapshot=Snapshot Name]
+                         [-cloneName=Name]
+
+
+
+Template VM COMMANDS     PARAMETERS           DESCRIPTION
+---------------------    ----------           -----------
+downloadPhotonVM         Path for new VM      Download Photon VM
+
+
+
+
+
+Examples:
+
+
+Starting a virtual machine with Workstation on a Windows host
+   vmrun -T ws start "c:\my VMs\myVM.vmx"
+
+
+Running a program in a virtual machine with Workstation on a Windows host with Windows guest
+   vmrun -T ws -gu guestUser -gp guestPassword runProgramInGuest "c:\my VMs\myVM.vmx" "c:\Program Files\myProgram.exe"
+
+
+Creating a snapshot of a virtual machine with Workstation on a Windows host
+   vmrun -T ws snapshot "c:\my VMs\myVM.vmx" mySnapshot
+
+
+Reverting to a snapshot with Workstation on a Windows host
+   vmrun -T ws revertToSnapshot "c:\my VMs\myVM.vmx" mySnapshot
+
+
+Deleting a snapshot with Workstation on a Windows host
+   vmrun -T ws deleteSnapshot "c:\my VMs\myVM.vmx" mySnapshot
+
+
+Enabling Shared Folders with Workstation on a Windows host
+   vmrun -T ws enableSharedFolders "c:\my VMs\myVM.vmx"
+```

docusaurus.config.js

@@ -105,6 +105,12 @@ const config = {
                     position: 'left',
                     label: '证书',
                 },
+                {
+                    type: 'docSidebar',
+                    sidebarId: 'CheatSheet_Sidebar',
+                    position: 'left',
+                    label: 'CheatSheet',
+                },
                 {
                     type: 'docSidebar',
                     sidebarId: 'CTF_Sidebar',

sidebars.js

@@ -57,6 +57,12 @@ const sidebars = {
             dirName: 'Certificate'
         }
     ],
+    CheatSheet_Sidebar: [
+        {
+            type: 'autogenerated',
+            dirName: 'CheatSheet'
+        }
+    ],
 };
 
 module.exports = sidebars;