
Automated Scheduled Task batch Script for WMI Monitor #3

Open
rugabunda opened this issue Jul 24, 2020 · 0 comments

rugabunda commented Jul 24, 2020

I made this little batch script that automatically pauses WMI on WSH events. It has a good number of other features as well; you can install it as a scheduled task directly from the batch file itself, and see the other features it offers.

WMI Payload

@ECHO off
rundll32 user32.dll,MessageBeep
color 09
ECHO Failed to load, run 'sc continue winmgmt' to unpause, or 'net start Winmgmt /y' to start
::set-date-file-name-properties (WMI must still be running here, so this runs before the service is paused)
FOR /f %%a IN ('WMIC OS GET LocalDateTime ^| FIND "."') DO SET DTS=%%a
SET DateTime=%DTS:~0,4%-%DTS:~4,2%-%DTS:~6,2%_%DTS:~8,2%.%DTS:~10,2%.%DTS:~12,2%
::folder used for dumps, backups and the copy of this script
SET WMIDIR=%userprofile%\Documents\#WMI

::save WMI payload data to-date-folder-txt (paths are quoted in case the profile path contains spaces)
mkdir "%WMIDIR%" 2>nul
wmic /NAMESPACE:"\\root\subscription" PATH __EventConsumer get /FORMAT:list > "%WMIDIR%\%DateTime%_EventConsumer_payload.txt"
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter get /FORMAT:list > "%WMIDIR%\%DateTime%_EventFilter_payload.txt"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding get /FORMAT:list > "%WMIDIR%\%DateTime%_FilterToConsumerBinding_payload.txt"
wmic /NAMESPACE:"\\root\subscription" PATH __TimerInstruction get /FORMAT:list > "%WMIDIR%\%DateTime%_TimerInstruction_payload.txt"
cls
color 09
ECHO ===================-----------
ECHO WARNING: WMI Execution/Payload detected
ECHO ===================-----------
ECHO.
ECHO Verifying WMI repository consistency, take note of following line!
ECHO.
winmgmt /verifyrepository
:Begin
ECHO.
ECHO PAUSING WMI SERVICE # Check Event Viewer / Autoruns
sc pause winmgmt
ECHO.
ECHO WMI SERVICE is paused, you are protected against WMI attacks for now; Test with T, Te, TT
ECHO.
ECHO (V)iew    (View WMI payload)
ECHO (B)ackup  (Backup WMI repository)
ECHO (S)alvage (WMI Repository Inconsistency detected? Run winmgmt /salvagerepository)
ECHO (R)eset   (Salvage failed? Backup and reset Repository [warning, know what you are doing])
ECHO (D)isable (Disable WMI, net stop Winmgmt /y), (E)nable, net start Winmgmt /y)
ECHO (C)reate  (Create Scheduled Task, trigger WMI.bat on Event WSH)
ECHO (Q)uit    (Unpause WMI, clean exit)

ECHO.

::clear the variable first: set /p keeps the previous value when you just press Enter
set "choice="
set /p choice=Type:
::/i makes the comparison case-insensitive, so one line per option covers upper and lower case
if /i "%choice%"=="r" GOTO Repair
if /i "%choice%"=="s" GOTO Salvage
if /i "%choice%"=="b" GOTO Backup
if /i "%choice%"=="d" GOTO Disable
if /i "%choice%"=="v" GOTO View
if /i "%choice%"=="e" GOTO Enable
if /i "%choice%"=="c" GOTO Create
if /i "%choice%"=="t" GOTO Test
if /i "%choice%"=="tt" GOTO Test2
if /i "%choice%"=="te" GOTO Test3
if /i "%choice%"=="q" GOTO Exit
::anything else, including empty input, goes back to the menu instead of falling through into :Exit, which would unpause WMI
ECHO "%choice%" is not valid, please try again
GOTO Begin

:Exit
ECHO.
net continue winmgmt
GOTO End2

:View
explorer "%WMIDIR%"
GOTO Begin

:Disable
ECHO Disabling Winmgmt (WMI), re-start with "net start Winmgmt /y" or use main menu
net stop Winmgmt /y
GOTO Begin

:Test
ECHO wmic process call create "notepad.exe"
wmic process call create "notepad.exe"
ECHO Test Complete
GOTO Begin

:Test2
ECHO DISABLE PROTECTION, UNPAUSE WINMGMT
ECHO net continue winmgmt
net continue winmgmt
ECHO wmic process call create "notepad.exe"
wmic process call create "notepad.exe"
ECHO UNPROTECTED Test Complete
GOTO Begin

:Test3
ECHO powershell.exe Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
powershell Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
ECHO Test Complete
GOTO Begin

:Create
::copy this batch file by its own full path, so it no longer has to be named wmi.bat or be launched from its own folder
mkdir "%WMIDIR%" 2>nul
ECHO copy "%~f0" "%WMIDIR%\wmi.bat"
copy "%~f0" "%WMIDIR%\wmi.bat"
::the task must point at the copy just made; the inner escaped quotes keep a path with spaces intact for schtasks
ECHO SCHTASKS /Create /TN "WMI.bat" /TR "\"%WMIDIR%\wmi.bat\"" /SC ONEVENT /RL Highest /EC Application /MO "*[System[Provider[@Name='WSH']]]"
SCHTASKS /Create /TN "WMI.bat" /TR "\"%WMIDIR%\wmi.bat\"" /SC ONEVENT /RL Highest /EC Application /MO "*[System[Provider[@Name='WSH']]]"
ECHO Scheduled Task Created
Pause
GOTO Begin

:Salvage
ECHO Salvaging WMI Repository, if consistent, skip repair
net continue winmgmt
winmgmt /salvagerepository
net pause winmgmt
PAUSE
GOTO Begin

:Backup
ECHO press any key to backup wmi repo to "%WMIDIR%\%DateTime%_MyW10WMI.(backup).data"
pause
ECHO.
ECHO.
net stop Winmgmt /y
winmgmt /backup "%WMIDIR%\%DateTime%_MyW10WMI.(backup).data"
CALL :StartWmi
ECHO.
net pause winmgmt
ECHO backup completed!
Pause
GOTO Begin

:Repair
ECHO Back up AND Reset WMI Repository to Windows Fresh Install State? [make sure you know the consequences]
set "repair="
set /p repair=Y/N:
::only an explicit Y proceeds; N, empty or any other input returns to the menu instead of falling through into :Repair2
if /i not "%repair%"=="y" GOTO Begin
:Repair2
ECHO.
ECHO Are you sure? Close window now (ctrl-c), or
Pause
net continue winmgmt
ECHO.
net stop Winmgmt /y
ECHO Saving to "%WMIDIR%\%DateTime%_MyW10WMI.(restore.backup).data"
winmgmt /backup "%WMIDIR%\%DateTime%_MyW10WMI.(restore.backup).data"
CALL :StartWmi
ECHO winmgmt /resetrepository
winmgmt /resetrepository
ECHO.
ECHO complete, return to menu
pause
GOTO Begin

:Enable
ECHO Enabling WMI, net start Winmgmt /y and dependents
CALL :StartWmi
ECHO.
ECHO Return to main menu
pause
GOTO Begin

::subroutine: start WMI and the virtualisation services that "net stop Winmgmt /y" takes down with it
:StartWmi
ECHO net start Winmgmt /y and dependents
net start Winmgmt /y
ECHO Starting Hyper-V Virtual Machine Management
net start vmms
ECHO Starting VMware Authorization Service
net start VMAuthdService
ECHO Starting VMware USB Arbitration Service
net start VMUSBArbService
ECHO Starting VMware Workstation Server
net start VMwareHostd
GOTO :EOF

:End2
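The four wmic dumps above list filters, consumers and bindings separately, so each binding has to be matched up by hand. As an added example that is not part of rugabunda's script, the PowerShell function below correlates every __FilterToConsumerBinding in root\subscription with its filter query and consumer payload, flags the two consumer types that execute commands or script, and writes a timestamped report into the same #WMI folder. The function name, the Executes flag and the output folder are my assumptions; it needs administrative rights and a running (not paused) WMI service.

```powershell
# Added example: correlate WMI event subscriptions (filter -> consumer -> payload).
# Assumes Windows PowerShell 5.1 or later, admin rights, and winmgmt running.
function Get-RefName($ref) {
    # Reference properties come back as CimInstance (key: Name); older WMI-style
    # strings look like \\HOST\root\subscription:__EventFilter.Name="...".
    if ($ref -is [string]) { return ([regex]'Name="([^"]*)"').Match($ref).Groups[1].Value }
    return $ref.Name
}

function Get-WmiSubscriptionReport {
    param(
        # Same folder the batch script uses for its raw dumps (assumption).
        [string]$OutDir = (Join-Path $env:USERPROFILE 'Documents\#WMI')
    )
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    $report = foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
        $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
        $type = $c.CimClass.CimClassName
        # Only these two consumer classes carry an executable payload.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '(no command/script payload)' }
        }
        [pscustomobject]@{
            Filter       = $f.Name
            FilterQuery  = $f.Query
            ConsumerType = $type
            Consumer     = $c.Name
            Payload      = $payload
            Executes     = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyy-MM-dd_HH.mm.ss'   # same stamp style as the batch file
    $file  = Join-Path $OutDir "${stamp}_WMI_subscriptions.txt"
    $report | Format-List | Out-File -FilePath $file -Width 4096
    $report
}

$r = Get-WmiSubscriptionReport
# The built-in "SCM Event Log" binding is expected on every Windows install;
# anything that Executes is what the batch script's WSH trigger is meant to catch.
$r | Where-Object Executes | Format-Table Filter, ConsumerType, Payload -Wrap
```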

