wmiexec-RegOut: get output(data, response) from registry
wmiexec-RegOut
Modify version of impacket wmiexec.py, wmipersist.py. Got output(data, response) from the registry, don’t need an SMB connection, but I’m in the bad code 🙁
Overview
In the original wmiexec.py, it gets a response from the smb connection (port 445,139). Unfortunately, some antivirus software monitoring these ports is high risk.
In this case, I drop the smb connection function and use other methods to execute a command.
- wmiexec-reg-sch-UnderNT6-wip.py: Executed command by using win32-scheduledjob class. According to xiangshan, win32-scheduledjob class only works under windows NT6 (windows-server 2003).
BTW, win32_scheduledjob has been disabled by default after Windows NT6. Here is the way how to enable it.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration Name: EnableAt Type: REG_DWORD Value: 1
- wmipersist-wip.py (Recommend, !!!only works on Linux platform!!!): A Python version of WMIHACKER, which I picked the vbs template from it. An attacker can use it to do lateral movement safety under antivirus software running.
- wmiexec-regOut.py: Just a simple Win32_Process.create method example.
How does it work?
-
wmiexec-wip.py workflow:
Step 1:
- WMIC authenticated remotely
Step 2:
- Use win32process class and call create a method to execute a command. Then, write down the result into C:\windows\temp directory named [uuid].txt
Step 3:
- Encode the file content to base64 strings (need to wait a few seconds)
Step 4:
- Add the converted base64 string into the registry, and key name call [uuid]
Step 5:
- Get the base64 strings remotely and decode them locally.
-
wmipersist-wip.py workflow:
Step 1:
- Add custom vbs script into ActiveScriptEventConsumer class.
Step 2:
- Creating an Event Filter.
Step 3:
- Trigger FilterToConsumerBinding class to PWNED!