RedSiege/WMImplant RedSiege/WMImplant

  • Stars
    star
    798
  • Rank 57,078 (Top 2 %)
  • Language
    PowerShell
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated 5 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
RedSiege/WMImplant
github

RedSiege

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.

WMImplant

WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant will likely require local administrator permissions on the targeted machine.

Developed by @christruncer

WMImplant Functions:

Meta Functions

change_user                         -   Change the context of the user you will execute WMI commands as
exit                                -   Exits WMImplant
gen_cli                             -   Generate the command line command to use WMImplant non-interactively
set_default                         -   Sets the targeted system's WMI property back to its default value
help                                -   View the list of commands and descriptions

File Operations

cat                                 -   Reads the contents of a file
copy                                -   Copies a file from one location to another
download                            -   Download a file from the targeted machine
ls                                  -   File/Directory listing of a specific directory
search                              -   Search for a file on a user-specified drive
upload                              -   Upload a file to the targeted machine

Lateral Movement Facilitation

command_exec                        -   Run a command line command and receive the output
disable_wdigest                     -   Removes registry value UseLogonCredential
disable_winrm                       -   Disables WinRM on the targeted system
enable_wdigest                      -   Adds registry value UseLogonCredential
enable_winrm                        -   Enables WinRM on the targeted system
registry_mod                        -   Modify the registry on the targeted machine
remote_posh                         -   Run a PowerShell script on a remote machine and receive the output
sched_job                           -   Manipulate scheduled jobs
service_mod                         -   Create, delete, or modify system services

Process Operations

process_kill                        -   Kill a process via name or process id on the targeted machine
process_start                       -   Start a process on the targeted machine
ps                                  -   Process listing

System Operations

active_users                        -   List domain users with active processes on the targeted system
basic_info                          -   Used to enumerate basic metadata about the targeted system
drive_list                          -   List local and network drives
ifconfig                            -   Receive IP info from NICs with active network connections
installed_programs                  -   Receive a list of the installed programs on the targeted machine
logoff                              -   Log users off the targeted machine
reboot                              -   Reboot the targeted machine
power_off                           -   Power off the targeted machine
vacant_system                       -   Determine if a user is away from the system

Log Operations

logon_events                        -   Identify users that have logged onto a system

Usage

The easiest way to get up and running with WMImplant is to import the script and run Invoke-WMImplant. This will present you with the main menu and you can instantly start choosing a command to run. Within the main menu, you can also choose to have WMImplant output the command line command you would need to use in order to run WMImplant in a non-interactive manner.

Thanks to: @evan_Pena2003 - For your help with code reviews and adding functionality into the tool @danielbohannon - For your help with code obfuscation

More Repositories

1

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Python
4,899
star
2

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Python
987
star
3

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
Python
623
star
4

Egress-Assess

Egress-Assess is a tool used to test egress data detection capabilities
PowerShell
610
star
5

GraphStrike

Cobalt Strike HTTPS beaconing over Microsoft Graph API
C
539
star
6

EXCELntDonut

Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
Python
498
star
7

WMIOps

This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
PowerShell
381
star
8

EDD

Enumerate Domain Data
C#
312
star
9

PersistAssist

Fully modular persistence framework
C#
249
star
10

CIMplant

C# port of WMImplant which uses either CIM or WMI to query remote systems
C#
196
star
11

AutoFunkt

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
Python
189
star
12

Jigsaw

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Python
173
star
13

AggressorAssessor

Aggressor scripts for phases of a pen test or red team assessment
Python
171
star
14

hot-manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
C#
140
star
15

jargon

Python
114
star
16

Screenshooter

C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
C#
83
star
17

DigDug

Python
66
star
18

FunctionalC2

A small POC of using Azure Functions to relay communications. Feel free to add additional functionality beyond this POC!
Python
66
star
19

What-The-F

This repo hosts a poc of how to execute F# code within an unmanaged process
C++
64
star
20

SqlClient

POC for .NET mssql client for accessing database data through beacon
C#
59
star
21

MiddleOut

A small .NET compression utility
C#
54
star
22

Hasher

Hasher is designed to be a tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally. Not meant to crack passwords, but designed for local checks.
Python
48
star
23

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers
PowerShell
44
star
24

rstools

Python
39
star
25

Chromatophore

Utilities for obfuscating shellcode
C
38
star
26

RandomScripts

Scripts for public use that we've randomly written, or have updated from other people's work.
Shell
36
star
27

ProxmarkWrapper

A wrapper around the Proxmark3 client that will alert the user of specific events
Python
29
star
28

CLM-Base64

This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode
PowerShell
22
star
29

SharpCollectionTemplate

PowerShell
13
star
30

Delta-Encoder

Python
12
star
31

CredCheck

.NET wrapper around LogonUserA to test creds
C#
10
star
32

RansomwareTalks

code for ransomware talks
C#
8
star
33

CUDA-Installation-Script

Quick and dirty installation script for CUDA drivers on Ubuntu 18.04 LTS to save a bit of time.
Shell
3
star