Powershell * WMI

WMI Blue Team tools

WMIMon, a tool to monitor WMI activity: https://github.com/luctalpe/WMIMon. It is a real-time event trace log (ETL) consumer for the WMI-Activity log.

Start it in one PowerShell session:

PS C:\Users\victim6\Downloads\WMIMon-master\WMIMon-master\Downloads\WMIMon_Binaries> .\WMIMon.exe

In another PowerShell session, create a process on the monitored host through WMI:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Invoke-WmiMethod -Class win32_process -Name create -ArgumentList calc.exe -ComputerName 192.168.222.130

Back in the first session, WMIMon shows the incoming connection and the method call. Any other WMI operation is logged the same way, for example a plain query:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Get-WmiObject -Class win32_computersystem

WMI_Monitor: tool to log WMI […]
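The following is an added example, not code from the original post or from the WMIMon project. It covers the two checks a defender wants next to a WMI activity monitor: an inventory of permanent event subscriptions (the classic WMI backdoor, which outlives the session WMIMon is watching) and a pull of event ID 5861 from the WMI-Activity Operational log, which Windows 10 / Server 2016 and later write when a new permanent consumer binding is registered. It assumes an elevated PowerShell session; the keyword list used to flag a payload is my own heuristic.

```powershell
# Added example, not from the original post or from WMIMon. Two defender-side checks that
# need no third-party tool. Assumes an elevated session on Windows 10 / Server 2016 or later
# (the WMI-Activity Operational log records event 5861 for new permanent subscriptions there).

function Get-WmiPersistence {
    # Permanent event subscriptions live in root\subscription and survive reboots: a filter
    # (WQL trigger) is bound to a consumer (the payload). Resolve each binding to both sides.
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are object paths such as __EventFilter.Name="BotFilter82"
        $fName = [regex]::Match($b.Filter,   'Name="([^"]+)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }

        # The payload depends on the consumer class: a script body or a command line.
        $payload = switch ($c.__CLASS) {
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query
            Consumer   = "$($c.__CLASS):$cName"
            Payload    = $payload
            # Heuristic (assumption): script hosts, encoded commands and base64 in a payload.
            Suspicious = [bool]($payload -match 'powershell|cmd\.exe|wscript|cscript|mshta|-enc|FromBase64')
        }
    }
}

function Get-WmiSubscriptionEvents {
    param([int]$Hours = 24)
    # Event 5861 is written when a permanent consumer binding is registered; its message
    # carries the namespace, the filter query and the consumer, so it pairs with the hunt above.
    $filter = @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Message = ($_.Message -replace '\s+', ' ') }
    }
}

Get-WmiPersistence        | Format-List
Get-WmiSubscriptionEvents | Format-List
```

On a clean host the first function returns only the built-in "SCM Event Log Filter" binding to an NTEventLogEventConsumer; anything bound to an ActiveScriptEventConsumer or CommandLineEventConsumer deserves a look regardless of the heuristic flag. Point both functions at a remote host with -ComputerName on Get-WmiObject and Get-WinEvent if the target allows remote WMI and event log access.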

Powershell * WMI

Backdoor with WMI

Win32 LocalAdmins provider, one of the earlier proof-of-concept evil WMI providers: https://github.com/rzander/localadmins

Evil Network Connection WMI Provider: https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider

Open a command prompt with admin rights in the build output directory (C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug) and register the provider with InstallUtil:

C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug>InstallUtil.exe EvilNetConnectionWMIProvider.dll

In another PowerShell session, list the Win32_Net* classes; win32_netconnection now appears in the output, and the RunPS method it adds can be called through Invoke-WmiMethod:

PS C:\Users\victim6\Downloads> Get-WmiObject -Class win32_net* -List
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -Name RunPS -ArgumentList […]
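An added example, not code from the original post or from either provider project: the defender's counterpart to the registration above. A new class such as win32_netconnection only does anything because a __Win32Provider instance serves it, so the audit below maps every dynamic class in a namespace to its provider, resolves the provider's CLSID to the COM server binary in the registry, and checks that binary's Authenticode signature. The "suspicious" rule (unsigned, outside the Windows directory, decoupled hosting, or a provider name that does not resolve) is my triage heuristic, not anything the projects document. Assumes an elevated session.

```powershell
# Added example, not from the original post or from EvilNetConnectionWMIProvider. Audits the
# providers behind the dynamic classes of a namespace. The "suspicious" rule is an assumption
# for triage, not a definitive verdict.

function Resolve-ProviderBinary {
    param([string]$Clsid)
    # The CLSID in __Win32Provider is resolved through the COM registry; in-proc providers
    # register InprocServer32, out-of-proc/decoupled ones may only have LocalServer32 or nothing.
    foreach ($server in 'InprocServer32', 'LocalServer32') {
        $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\$server"
        $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($path) {
            if ($path -match '^"([^"]+)"') { $path = $Matches[1] }   # strip quotes and arguments
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $sig  = if (Test-Path -LiteralPath $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
            return [pscustomobject]@{ Path = $path; Signature = "$sig" }
        }
    }
    return $null
}

function Get-WmiProviderAudit {
    param([string]$Namespace = 'root\cimv2')

    $providers = @{}
    foreach ($p in Get-WmiObject -Namespace $Namespace -Class __Win32Provider) {
        $providers[$p.Name] = [pscustomobject]@{
            HostingModel = $p.HostingModel
            ClsId        = $p.ClsId
            Binary       = Resolve-ProviderBinary -Clsid $p.ClsId
        }
    }

    # Dynamic classes carry a "provider" qualifier naming the __Win32Provider that serves them.
    foreach ($class in Get-WmiObject -Namespace $Namespace -List) {
        $q = @{}
        foreach ($qual in $class.Qualifiers) { $q[$qual.Name] = $qual.Value }
        if (-not $q.ContainsKey('provider')) { continue }

        $prov = $providers[$q['provider']]        # $null if the name is not registered here
        $bin  = if ($prov) { $prov.Binary } else { $null }
        $sus  = (-not $prov) -or
                ($prov.HostingModel -like 'Decoupled*') -or
                ($bin -and ($bin.Signature -ne 'Valid' -or $bin.Path -notlike "$env:windir\*"))
        [pscustomobject]@{
            Class        = $class.Name
            Provider     = $q['provider']
            HostingModel = if ($prov) { $prov.HostingModel } else { '?' }
            Dll          = if ($bin) { $bin.Path } else { '' }
            Signature    = if ($bin) { $bin.Signature } else { 'n/a' }
            Suspicious   = [bool]$sus
        }
    }
}

# Only the flagged rows; drop the Where-Object to see the full inventory.
Get-WmiProviderAudit | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Run it before and after registering a provider and diff the output: the new class, its provider name and a DLL under a user profile rather than under %windir%\System32\wbem are what give a hostile provider away. Decoupled providers are flagged for manual review because their CLSID points at a host process rather than at the code that actually answers queries.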

Powershell * WMI

Windows Registry with WMI

PS C:\> Get-WmiObject -Namespace root\default -Class stdregprov -List
PS C:\> Get-WmiObject -Namespace root\default -Class stdregprov -List | select -ExpandProperty Methods
PS C:\> $regprov = Get-WmiObject -Namespace root\default -Class stdregprov -List
PS C:\> $regprov.Methods

Retrieving Internet Explorer typed URLs (2147483649 is the HKEY_CURRENT_USER hive constant; EnumKey returns the subkey names in sNames):

PS C:\> Invoke-WmiMethod -Namespace root\default -Class stdregprov -Name EnumKey -ArgumentList @(2147483649,"software\microsoft\internet explorer") | select -ExpandProperty sNames
PS C:\> […]
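The following is an added example, not code from the original post. It carries the typed-URLs lookup through to the values and generalizes it: instead of HKEY_CURRENT_USER, which over remote WMI is the calling account's hive rather than the profile of interest, it enumerates HKEY_USERS (constant 2147483651), picks the loaded profile SIDs, and reads the TypedURLs values of each with StdRegProv's EnumValues and Get*Value methods. The helper names and the -ComputerName default are my own.

```powershell
# Added example, not from the original post. Reads the Internet Explorer typed URLs for every
# loaded user profile through StdRegProv, locally or against a remote host. Hive constants are
# the 0x8000000x values StdRegProv expects, passed as [uint32] so they do not overflow an int.

$HKEY_USERS   = [uint32]2147483651   # 0x80000003
$TypedUrlsKey = 'Software\Microsoft\Internet Explorer\TypedURLs'

function Get-WmiRegistryValues {
    param([object]$RegProv, [uint32]$Hive, [string]$Key)
    # EnumValues returns parallel arrays: sNames (value names) and Types (REG_* type codes).
    $r = $RegProv.EnumValues($Hive, $Key)
    if ($r.ReturnValue -ne 0) { return }           # 2 = key not found, 5 = access denied
    for ($i = 0; $i -lt @($r.sNames).Count; $i++) {
        $name = $r.sNames[$i]
        $data = switch ($r.Types[$i]) {
            1 { $RegProv.GetStringValue($Hive, $Key, $name).sValue }          # REG_SZ
            2 { $RegProv.GetExpandedStringValue($Hive, $Key, $name).sValue }  # REG_EXPAND_SZ
            4 { $RegProv.GetDWORDValue($Hive, $Key, $name).uValue }           # REG_DWORD
            default { "<REG type $($r.Types[$i]) not decoded>" }
        }
        [pscustomobject]@{ Name = $name; Data = $data }
    }
}

function Get-TypedUrlsAllUsers {
    param([string]$ComputerName = '.')
    $reg = Get-WmiObject -Namespace root\default -Class StdRegProv -List -ComputerName $ComputerName
    # HKEY_USERS holds one subkey per loaded profile, named by SID; skip the *_Classes hives.
    $hku  = $reg.EnumKey($HKEY_USERS, '')
    $sids = @($hku.sNames) | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
    foreach ($sid in $sids) {
        foreach ($v in Get-WmiRegistryValues -RegProv $reg -Hive $HKEY_USERS -Key "$sid\$TypedUrlsKey") {
            [pscustomobject]@{ SID = $sid; Name = $v.Name; Url = $v.Data }
        }
    }
}

Get-TypedUrlsAllUsers | Format-Table -AutoSize
```

Only profiles that are currently loaded appear under HKEY_USERS; for logged-off users the NTUSER.DAT has to be read another way. The same EnumValues/GetStringValue pattern works for any key, so swap $TypedUrlsKey for a Run key or a service ImagePath to turn this into a persistence check.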

Powershell * WMI

Associations

A common and popular example is the set of classes which deal with the network adapter:

PS C:\Windows\system32> Get-WmiObject -Class *win32_networkadapter* -List

We can use ASSOCIATORS OF to extract information from all the above classes. The __RELPATH property of an instance can be used as the key to list its relationships:

PS C:\Windows\system32> Get-WmiObject -Class win32_networkadapter | fl […]
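An added example, not code from the original post, that carries the __RELPATH idea through: for each enabled adapter it builds a REFERENCES OF query (which association classes mention the instance), an ASSOCIATORS OF query (which instances sit on the other end), and a narrowed ASSOCIATORS OF ... WHERE ResultClass query to reach the Win32_NetworkAdapterConfiguration and its IP addresses. The function name and the NetEnabled filter are mine.

```powershell
# Added example, not from the original post. Walks the association graph of each enabled
# network adapter. The adapter's __RELPATH (e.g. Win32_NetworkAdapter.DeviceID="7") is the
# key that goes inside the braces of the REFERENCES OF / ASSOCIATORS OF queries.

function Get-AdapterAssociations {
    param([string]$Filter = 'NetEnabled = TRUE')
    foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapter -Filter $Filter) {
        $rel = $nic.__RELPATH

        # Which association classes tie this instance to something else?
        $assocClasses = Get-WmiObject -Query "REFERENCES OF {$rel}" |
            ForEach-Object { $_.__CLASS } | Sort-Object -Unique

        # Every instance reachable through those associations, summarized by class.
        $targets = Get-WmiObject -Query "ASSOCIATORS OF {$rel}" |
            Group-Object __CLASS | ForEach-Object { "$($_.Name) x$($_.Count)" }

        # Narrow to the configuration object to get the addresses.
        $cfg = Get-WmiObject -Query "ASSOCIATORS OF {$rel} WHERE ResultClass = Win32_NetworkAdapterConfiguration"

        [pscustomobject]@{
            Adapter      = $nic.Name
            RelPath      = $rel
            Associations = $assocClasses -join ', '
            Associators  = $targets -join ', '
            IPAddress    = ($cfg.IPAddress -join ', ')
        }
    }
}

Get-AdapterAssociations | Format-List

# The CIM cmdlets express the same query without hand-built WQL:
# Get-CimInstance Win32_NetworkAdapter -Filter 'NetEnabled = TRUE' |
#     Get-CimAssociatedInstance -ResultClassName Win32_NetworkAdapterConfiguration
```

For a typical adapter the Associations column shows Win32_NetworkAdapterSetting and Win32_PnPDevice-style association classes, and the Associators column shows the configuration and Plug and Play entity instances those associations point at; the pattern is the same for any class, which is why __RELPATH rather than a hand-written key is the thing to feed into the query.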