Skip to content
Chris Truncer edited this page Dec 13, 2016 · 15 revisions

Welcome to the WMImplant wiki!

Running WMImplant

The first thing you will need to do is import the WMImpant.ps1 on the console that you are using (PowerShell, Beacon, Empire, Meterpreter, etc.). Importing the script is an exercise I feel comfortable leaving to the user.

After having imported WMImplant, you have two ways that you can use the tool, interactively or non-interactively. Using WMImplant in a non-interactive manner will allow you to script actions with WMImplant, and/or use it in a RAT of your choice.

How it works

WMImplant is a tool that's designed to completely use WMI. WMI is not only the mechanism for triggering actions on the targeted machine, but it is also the C2 channel itself. Where required, WMImplant stores data in WMI properties, but in one situation it stores data in the system registry. When interacting with WMI properties, WMImplant captures the original property value, modifies the value, and then restores the original value once it is complete. When interacting with the registry, WMImplant creates a new registry key, stores the data in the registry value, retrieves the data, and then removes the key. For specifics on where data storage is required, and how data is stored for each command, please review the respective commands in the Commands section.

Commands

This section will go over the different commands that WMImplant supports and how WMImplant performs each command.

Meta Commands

change_user

The change_user command enables you to change the user context that you are currently running as. By default, WMImplant will run in the context of the user account that starts the tool. However, if you need to change the user account context you are running as, you can easily do it with the change_user command. WMImplant will prompt you to provide the new user account (DOMAIN\account) and password that you wish to authenticate with. From that point on, WMImplant will use the new account credentials (unless you use the change_user command again, or exit WMImplant).

exit

This command exits WMImplant.

gen_cli

This is an incredibly useful command for when you want to use WMImplant in a non-interactive manner, but don't know the command line flags to use. If that is the case, use the gen_cli command. Once you run this command, the normal help menu will pop up. Select the command you want to use in a non-interactive manner. WMImplant will then prompt you to answer questions that it will require when running this command from the command line. After you've answered every question, WMImplant will produce the command line command you should run. At this point, just copy and paste the command, and run it!

help

This command shows the WMImplant menu.

File Operations

cat

This command reads the contents of a user-specified file on the targeted machine. This works by invoking PowerShell on the remote machine, reading in the specified file, encoding the file contents, storing the encoded contents in a WMI property, reading the WMI property from the attacking machine, decoding and writing the contents to disk, and replacing the WMI property with its original value. The WMI property being used has stored more than 200 megabytes of data previously, however I wouldn't recommend it. For large files, it is likely better to completely download the file than trying to read the contents with the cat command.

download

This command allows you to download a file from the targeted system onto your attacking machine. This works by starting PowerShell on the targeted system, reading the specified file, encoding its contents and storing them in the targeted system's registry. The attacker's system then makes a second WMI query to retrieve the contents of the registry value storing the file. The attacker's system then decodes the contents, writes it to disk on the attacking machine, and issues a final WMI command deleting the registry value that was holding the file.

ls

This command lets you get a directory and file listing of any directory that you specify on the targeted machine.

ninjacopy

This command spawns PowerShell on the targeted machine, uses the IEX command to download the Invoke-Ninjacopy script in memory, and then copies the user specified file to the user specified location.

search

The search command enables the user to search for a specific file, or multiple files, on the targeted machine. It also allows you to search by file extension if that is the preferred method. If the file is found, or any file with the extension that the user is searching for, it's location will be returned to the console.

upload

This command allows the user to upload a file from their machine to the targeted machine. The attacker's machine spawns PowerShell which reads the contents of the file the attacker would like to upload, encodes the contents, and stores the encoded contents in the attacker's system's registry. Then, WMImplant spawns PowerShell on the targeted machine, which makes a WMI query against the attacker's system to obtain the registry key's value containing the encoded file. The targeted machine then decodes the contents and writes the file to disk.

Lateral Movement Facilitation

command_exec

This command allows the user to run a command on the targeted machine and receive its output. The command is any command-line command, such as ping, nslookup, nltest, etc. The attacking machine spawns PowerShell on the targeted system which runs the user-specified command. The command's output is encoded and stored in a WMI property. The attacking machine queries WMI for the property storing the output, decodes the output, displays the output to the console, and replaces the WMI property with the original value.

disable_wdigest

This command modifies the targeted system's registry and sets the UseLogonCredential key to have a value of 0 via WMI.

disable_winrm

This command starts PowerShell on the targeted system and attempts to force disable WinRM.

enable_wdigest

This command modified the targeted system's registry and sets the UseLogonCredential key to have a value of 1 via WMI.

enable_winrm

This commands starts PowerShell on the targeted system and attempts to force enable WinRM.

registry_mod

This command enables the user to modify the registry on the targeted system over WMI. You can create or delete registry keys, however if creating a key it can only be of type STRING currently. If there is a good use-case for updating this, I will be happy to modify the code (or accept a pull request :)).

remote_posh

This command enables the user to run any PowerShell script on the targeted host and receive its output. The attacking machine starts PowerShell on the targeted system which IEX downloads a user specified PowerShell Script, a user-specified function is ran and its results are encoded and stored in a WMI property. The attacking machine then queries the specific WMI property to retrieve the encoded results, decodes the results, displays the results to the console, and replaces the WMI property with the original value.

sched_job

This command enables the user to create, list, or delete scheduled tasks on the targeted system over WMI.

service_mod

This command enables the user to start, stop, create, and delete services on the targeted system over WMI.

wdigest

This command is an alias for "Invoke-Mimikatz". The attacking machine will spawn PowerShell on the targeted system, IEX download Invoke-Mimikatz, run "Invoke-Mimikatz", encode the results and store them in a WMI property. The attacking system then makes a second query retrieving the encoded results, decoding them, displaying the results to the console, and replaces the WMI property with the original value.

Process Operations

process_kill

This command allows the user to kill a process on the remote system by name or process ID over WMI.

process_start

This command allows the user to start a process on the remote system over WMI.

ps

This command displays all running processes from the targeted machine on the attacking computer over WMI.

System Operations

active_users

This command gathers all the running processes on the targeted systems and lists the accounts that own the running processes over WMI.

basic_info

This command gathers very basic information about the targeted system over WMI.

drive_list

This command attempts to list all physical and network drives attached to the targeted system over WMI.

ifconfig

This command enumerated all NICs on the targeted system that have an active IP address. Each NIC with an active IP address is displayed to the console.

installed_programs

This command enumerates the applications which have been installed on the targeted system. The results are encoded and stored in a WMI property. The attacking system makes a WMI query to receive the encoded results, decodes the results, displays the contents to the console, and sets the WMI property back to it's original value.

logoff

Uses a WMI command to log users off the targeted system

reboot

Uses a WMI command to reboot the targeted system

power_off

Uses a WMI command to power off the targeted system

vacant_system

This command attempts to determine if a user is actively using the targeted system. First, it tries to determine if a screensaver is active on the system, and displays the results. It then tries to pull user information from the system with a second WMI query and displays any potential active user information.

Log Operations

logon_events

This command parses the event log on the targeted system to find user accounts that have logged onto the targeted system.

Clone this wiki locally