Awesome
The problem
When doing low impact investigations and other similar activities you may want to minimize what is written to disk / obvious.
This tool allows us to execute commands via WMI and get information not otherwise available via this channel.
Purpose
A small utility which only uses WMI to
- execute command shell commands
- capture stdout from these commands and write to the registry
- read and then delete from the registry
- print to local stdout
Design
The tool us comprised of:
- a very small subset of the NCC Group internal core library (WMICore)
- command execution (WMIcmd)
Usage
C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe --help
NCC Group WMIcmd 1.0.0.0
Released under AGPL
-h, --host Host (IP address or hostname - default: localhost)
-u, --username Username to authenticate with
-p, --password Password to authenticate with
-d, --domain Domain to authenticate with
-v, --Verbose (Default: False) Prints all messages to standard
output.
-c, --Command (Default: ) Command to run e.g. "nestat-ano"
-s, --CommandSleep (Default: 10000) Command sleep in milliseconds -
increase if getting truncated output
--help Display this help screen.
Example - a non domain joined machine
Note: use administrative credentials
WMIcmd.exe -h 192.168.1.165 -d hostname -u localadmin -p theirpassword -c "netstat -an"
Example - domain joined machine
Note: use administrative credentials
WMIcmd.exe -h 192.168.1.165 -d domain -u domainadmin -p theirpassword -c "netstat -an"
Example expected output
Note: use administrative credentials
C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe -d win10host -h win10host -u superuser -p password -c "netstat -an"
[!] Connecting with superuser
[i] Connecting to win10host
[i] Connected
[i] Command: netstat -an
[i] Running command...
[i] Getting stdout from registry from SOFTWARE\
[i] Full command output received
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
TCP 0.0.0.0:18800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49713 0.0.0.0:0 LISTENING
.. snip ..