SharpStrike | Post-exploitation tool | CIM & WMI Inside

Introduction

SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session.

This project is a rewrite and expansion of @Matt_Grandy_'s CIMplant and @christruncer's WMImplant.

SharpStrike allows you to gather data about a remote system, execute commands, exfiltrate data, and more. It can connect using either Windows Management Instrumentation (WMI) or the Common Information Model (CIM); the latter is, more accurately, Windows Management Infrastructure (MI). SharpStrike requires local administrator permissions on the target system.

Setup

The source code is available in the GitHub repository:

https://github.com/iomoath/SharpStrike

  1. Load SharpStrike.sln in Visual Studio.
  2. Navigate to Build at the top and then Build Solution if no modifications are needed.

The build produces two versions of SharpStrike: a GUI (WinForms) application and a console application. Both implement the same features.

At the time of writing this post, the GUI version has no features beyond those of the console version. I plan to add more features in future releases.

Usage

Console Version:

SharpStrike.exe --help
SharpStrike.exe --show-commands
SharpStrike.exe --show-examples
SharpStrike.exe -c ls_domain_admins
SharpStrike.exe -c ls_domain_users_list
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password] -c 
SharpStrike.exe -c command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]


GUI version:

show-commands
show-examples
ls_domain_admins
ls_domain_users_list
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]

Functions

File Operations:

cat                          -  Reads the contents of a file
copy                         -  Copies a file from one location to another
download**                   -  Download a file from the targeted machine
ls                           -  File/Directory listing of a specific directory
search                       -  Search for a file on a user
upload**                     -  Upload a file to the targeted machine

Lateral Movement Facilitation:

command_exec**               -  Run a command-line command and receive the output. Run with the --nops flag to disable PowerShell
disable_wdigest              -  Sets the registry value UseLogonCredential to zero
enable_wdigest               -  Adds the registry value UseLogonCredential
disable_winrm**              -  Disables WinRM on the targeted system
enable_winrm**               -  Enables WinRM on the targeted system
reg_mod                      -  Modify a registry value on the targeted machine
reg_create                   -  Create a registry value on the targeted machine
reg_delete                   -  Delete a registry value on the targeted machine
remote_posh**                -  Run a PowerShell script on a remote machine and receive the output
sched_job                    -  Not implemented, because Win32_ScheduledJob relies on an outdated API
service_mod                  -  Create, delete, or modify system services
ls_domain_users***           -  List domain users
ls_domain_users_list***      -  List domain users' sAMAccountName values
ls_domain_users_email***     -  List domain users' email addresses
ls_domain_groups***          -  List domain groups
ls_domain_admins***          -  List domain admin users
ls_user_groups***            -  List domain users with their associated groups

Process Operations:

process_kill                 -  Kill a process via name or process id on the targeted machine
process_start                -  Start a process on the targeted machine
ps                           -  Process listing

System Operations:

active_users                 -  List domain users with active processes on the targeted system
basic_info                   -  Used to enumerate basic metadata about the targeted system
drive_list                   -  List local and network drives
ifconfig                     -  Receive IP info from NICs with active network connections
installed_programs           -  Receive a list of the installed programs on the targeted machine
logoff                       -  Log users off the targeted machine
reboot (or restart)          -  Reboot the targeted machine
power_off (or shutdown)      -  Power off the targeted machine
vacant_system                -  Determine if a user is away from the system
edr_query                    -  Query the local or remote system for EDR vendors

Log Operations:

logon_events                 -  Identify users that have logged onto a system

* All PowerShell usage can be disabled with the --nops flag, although some commands will then not execute (upload/download, enable/disable WinRM)
** Denotes PowerShell usage (either through a PowerShell Runspace or through the Win32_Process::Create method)
*** Denotes LDAP usage ("root\directory\ldap" namespace)
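The footnotes above name the two host-side mechanisms most of these commands rely on: process creation through Win32_Process::Create (the new process is a child of the WMI provider host, WmiPrvSE.exe) and, for enable_wdigest, a write to the UseLogonCredential registry value. The following is an added example, not SharpStrike code, showing how a defender can flag both in endpoint telemetry; the field names are assumptions modelled on Sysmon Event ID 1 (process create) and 13 (registry value set), and the sample events are constructed.

```python
import json
from typing import Iterable, List

# Assumed telemetry shape: one JSON object per line with Sysmon-style fields.
WMI_HOST = "wmiprvse.exe"          # provider host that services Win32_Process::Create
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "CORP\\svc_admin"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000000)"}',
    "not json at all",
]

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict):
    """Return a finding string for one parsed event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1 and _basename(event.get("ParentImage", "")) == WMI_HOST:
        child = _basename(event.get("Image", ""))
        kind = "shell" if child in SHELLS else "process"
        return f"wmi_remote_exec: {kind} {child} spawned by WmiPrvSE.exe as {event.get('User')}"
    if eid == 13 and event.get("TargetObject", "").lower().endswith(WDIGEST_VALUE):
        # Only a non-zero value weakens the host (what enable_wdigest does); zero is the hardened state.
        if not event.get("Details", "").endswith("(0x00000000)"):
            return f"wdigest_enabled: UseLogonCredential set to {event.get('Details')} by {_basename(event.get('Image', ''))}"
    return None

def scan(lines: Iterable[str]) -> List[str]:
    """Parse one JSON event per line, skip malformed lines, and collect findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A child of WmiPrvSE.exe is not malicious by itself (management agents use WMI too), so the process rule is best used to enrich, while a write of UseLogonCredential to 1 warrants direct follow-up.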

Example Usage Commands (screenshots: SharpStrike Console Version; SharpStrike GUI Version)

Solution Architecture

SharpStrike is composed of three main projects:

  1. Service Layer — Provides the core functionality consumed by the UI layer.
  2. Models — Contains the types shared across all projects.
  3. User Interface — GUI and console front ends.

Service Layer – Core classes

1. Connector.cs

This is where the initial CIM/WMI connections are established and handed to the rest of the application.

2. ExecuteWMI.cs

All function code for the WMI commands.

3. ExecuteCIM.cs

All function code for the CIM (MI) commands.

More on CIMplant & WMImplant
