RedSiege/CIMplant RedSiege/CIMplant

  • Stars
    star
    193
  • Rank 194,512 (Top 4 %)
  • Language
    C#
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
RedSiege/CIMplant
github

RedSiege

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C# port of WMImplant which uses either CIM or WMI to query remote systems

CIMplant

C# port of WMImplant which uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.

Note: Some commands will use PowerShell in combination with WMI, denoted with ** in the --show-commands command.

Introduction

CIMplant is a C# rewrite and expansion on @christruncer's WMImplant. It allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation, WMI, or Common Interface Model, CIM ; well more accurately Windows Management Infrastructure, MI. CIMplant requires local administrator permissions on the target system.

Setup:

It's probably easiest to use the built version under Releases, just note that it is compiled in Debug mode. If you want to build the solution yourself, follow the steps below.

  1. Load CIMplant.sln into Visual Studio
  2. Go to Build at the top and then Build Solution if no modifications are wanted

Usage

CIMplant.exe --help
CIMplant.exe --show-commands
CIMplant.exe --show-examples
CIMplant.exe -s [remote IP address] -c cat -f c:\users\user\desktop\file.txt
CIMplant.exe -s [remote IP address] -u [username] -d [domain] -p [password] -c cat -f c:\users\test\desktop\file.txt
CIMplant.exe -s [remote IP address] -u [username] -d [domain] -p [password] -c command_exec --execute "dir c:\\"

Functions

File Operations:

cat                          -  Reads the contents of a file
copy                         -  Copies a file from one location to another
download**                   -  Download a file from the targeted machine
ls                           -  File/Directory listing of a specific directory
search                       -  Search for a file on a user
upload**                     -  Upload a file to the targeted machine

Lateral Movement Facilitation

command_exec**               -  Run a command line command and receive the output. Run with nops flag to disable PowerShell
disable_wdigest              -  Sets the registry value for UseLogonCredential to zero
enable_wdigest               -  Adds registry value UseLogonCredential
disable_winrm**              -  Disables WinRM on the targeted system
enable_winrm**               -  Enables WinRM on the targeted system
reg_mod                      -  Modify the registry on the targeted machine
reg_create                   -  Create the registry value on the targeted machine
reg_delete                   -  Delete the registry on the targeted machine
remote_posh**                -  Run a PowerShell script on a remote machine and receive the output
sched_job                    -  Not implimented due to the Win32_ScheduledJobs accessing an outdated API
service_mod                  -  Create, delete, or modify system services

Process Operations

process_kill                 -  Kill a process via name or process id on the targeted machine
process_start                -  Start a process on the targeted machine
ps                           -  Process listing

System Operations

active_users                 -  List domain users with active processes on the targeted system
basic_info                   -  Used to enumerate basic metadata about the targeted system
drive_list                   -  List local and network drives
ifconfig                     -  Receive IP info from NICs with active network connections
installed_programs           -  Receive a list of the installed programs on the targeted machine
logoff                       -  Log users off the targeted machine
reboot (or restart)          -  Reboot the targeted machine
power_off (or shutdown)      -  Power off the targeted machine
vacant_system                -  Determine if a user is away from the system
edr_query                    -  Query the local or remote system for EDR vendors

Log Operations

logon_events                 -  Identify users that have logged onto a system

* All PowerShell can be disabled by using the --nops flag, although some commands will not execute (upload/download, enable/disable WinRM)
** Denotes PowerShell usage (either using a PowerShell Runspace or through Win32_Process::Create method)

Some Example Usage Commands

image

Cobalt Strike Execute-Assembly

I wanted to code CIMplant in a way that would allow usage through execute-assembly so everything is packed into one executable and loaded reflectively. You should be able to run all commands through beacon without issue. Enjoy!

image

Important Files

  1. Program.cs

This is the brains of the operation, the driver for the program.

  1. Connector.cs

This is where the initial CIM/WMI connections are made and passed to the rest of the application

  1. ExecuteWMI.cs

All function code for the WMI commands

  1. ExecuteCIM.cs

All function code for the CIM (MI) commands

Detection

Of course, the first thing we'll want to be aware of is the initial WMI or CIM connection. In general, WMI uses DCOM as a communication protocol whereas CIM uses WSMan (or, WinRM). This can be modified for CIM, and is in CIMplant, but let's just go over the default values for now. For DCOM, the first thing we can do is look for initial TCP connections over port 135. The connecting and receiving systems will then decide on a new, very high port to use so that will vary drastically. For WSMan, the initial TCP connection is over port 5985.

Next, you'll want to look at the Microsoft-Windows-WMI-Activity/Trace event log in the Event Viewer. Search for Event ID 11 and filter on the IsLocal property if possible. You can also look for Event ID 1295 within the Microsoft-Windows-WinRM/Analytic log.

Finally, you'll want to look for any modifications to the DebugFilePath property with the Win32_OSRecoveryConfiguration class. More detailed information about detection can be found at Part 1 of our blog series here: CIMplant Part 1: Detection of a C# Implementation of WMImplant

More Repositories

1

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Python
4,664
star
2

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Python
903
star
3

WMImplant

This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
PowerShell
787
star
4

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
Python
616
star
5

Egress-Assess

Egress-Assess is a tool used to test egress data detection capabilities
PowerShell
581
star
6

EXCELntDonut

Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
Python
488
star
7

GraphStrike

Cobalt Strike HTTPS beaconing over Microsoft Graph API
C
465
star
8

WMIOps

This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
PowerShell
380
star
9

EDD

Enumerate Domain Data
C#
303
star
10

PersistAssist

Fully modular persistence framework
C#
246
star
11

AggressorAssessor

Aggressor scripts for phases of a pen test or red team assessment
Python
169
star
12

AutoFunkt

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
Python
163
star
13

hot-manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
C#
139
star
14

jargon

Python
105
star
15

Screenshooter

C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
C#
80
star
16

What-The-F

This repo hosts a poc of how to execute F# code within an unmanaged process
C++
64
star
17

FunctionalC2

A small POC of using Azure Functions to relay communications. Feel free to add additional functionality beyond this POC!
Python
62
star
18

DigDug

Python
57
star
19

SqlClient

POC for .NET mssql client for accessing database data through beacon
C#
57
star
20

MiddleOut

A small .NET compression utility
C#
55
star
21

Hasher

Hasher is designed to be a tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally. Not meant to crack passwords, but designed for local checks.
Python
48
star
22

Jigsaw

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Python
47
star
23

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers
PowerShell
42
star
24

rstools

Python
36
star
25

RandomScripts

Scripts for public use that we've randomly written, or have updated from other people's work.
Shell
33
star
26

ProxmarkWrapper

A wrapper around the Proxmark3 client that will alert the user of specific events
Python
26
star
27

CLM-Base64

This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode
PowerShell
20
star
28

CredCheck

.NET wrapper around LogonUserA to test creds
C#
10
star
29

SharpCollectionTemplate

PowerShell
9
star
30

RansomwareTalks

code for ransomware talks
C#
7
star
31

CUDA-Installation-Script

Quick and dirty installation script for CUDA drivers on Ubuntu 18.04 LTS to save a bit of time.
Shell
3
star