An Introduction to WMImplant Post-Exploitation

In previous talks I’ve explained how WMImplant can be useful when operating on Device Guard protected systems. If the entire environment is Device Guard protected, you will first need to get code execution, but once you have it, WMImplant can help. However, I haven’t really talked about or documented how WMImplant can also be useful in environments that don’t use Device Guard. This post aims to cover how WMImplant can help your assessments even if the customer only has a Windows 7 environment.

The first requirement for using WMImplant is identifying where the account you are using/abusing has local administrative rights. Since we are targeting Windows machines that aren’t protected by Device Guard, Constrained Language Mode isn’t going to restrict the PowerShell scripts that are executed on the system. In this case, an easy method to identify where your current account has local administrative rights is to use PowerView’s Find-LocalAdminAccess function. Once you run this cmdlet, its output will list the systems where you have local admin rights.

Local Admin Access

While the above image from a lab is slightly obfuscated, it shows that there is a single system where the current user account has local admin rights. There are many different methods you can use to validate local admin access on a system:

  • dir \\IPADDRESS\C$
  • schtasks /query /s IPADDRESS
  • etc.

You can also use this tool to perform a quick check that not only confirms you have local administrative rights, but also returns a list of the processes running on the targeted system. You can use this information to identify security software on your target and modify your actions to avoid detection. This is done with the following command:

Invoke-WMImplant -PS -ComputerName IPADDRESS/HOSTNAME

Process Listing

As shown in the image above, we not only verified that the current user account has administrative privileges on the 192.168.202.60 system, but we also found Splunk running on it.

Another useful piece of information on assessments is finding which users are logged into each system. The “Active Users” command enumerates the owners of the running processes on the targeted system, de-duplicates the accounts, and then displays the results to the console. The following command will return the active user accounts:

Invoke-WMImplant -ActiveUsers -ComputerName IPADDRESS

Active User Accounts

WMImplant can pull a significant amount of data from any system, but two of the more useful commands are “gen_cli” and “change_user”. Let’s cover both of these.

The “gen_cli” Command

WMImplant has a large number of commands it can run, and many options are passed into the different commands. As a result, it can be hard to remember every command, or the required options for each one. The “gen_cli” command will be your best friend. When you run the tool without any parameters, it starts an interactive menu. From the menu, type “gen_cli”.

Generating a Command Line Command

It will then ask a series of questions, such as:

  • What command do you want to run?
  • Do you want to specify the user account used to execute the command?
  • Do you want to run the command against a single system, or against multiple systems?

Once you’ve answered all of the questions, WMImplant will print the full command line you can use to run the same command non-interactively.

Command Line Command

The “change_user” Command

One of the questions WMImplant asks when generating a command is whether you want to specify the user account used to execute it. WMImplant lets you change the account you use to authenticate to remote machines without logging in as that account and without needing runas. If you are using WMImplant interactively, just select the “change_user” command and enter the username and password of the account you want to use. WMImplant will create a PSCredential object from the provided credentials and use it for all commands going forward (until you change the user account again or exit WMImplant).

Changing Username
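From the defender’s side, each of the operations above (-PS, -ActiveUsers, and any command run under a change_user credential) authenticates to the target over WMI/DCOM, which the target records as a network logon (Security event 4624, logon type 3) for the specified account. The following PowerShell script is an added example, not part of WMImplant or this post: run on a host you suspect was queried, it lists those network logons grouped by account and source address; the $AllowedSources allow-list of known management hosts is an assumption.

```powershell
# Added example (not WMImplant's code): summarise network logons (4624,
# LogonType 3) on this host so remote WMI queries stand out. Run elevated.
param(
    [int]$Hours = 24,
    [string[]]$AllowedSources = @()   # assumed allow-list of management hosts
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only network logons; drop machine accounts, the local host and allow-listed sources
    if ($data.LogonType -ne '3') { continue }
    if ($data.TargetUserName -like '*$') { continue }
    if ($data.IpAddress -in @('-', '127.0.0.1', '::1')) { continue }
    if ($AllowedSources -contains $data.IpAddress) { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SourceIP = $data.IpAddress
        AuthPkg  = $data.AuthenticationPackageName
    }
}

# One row per account/source pair. An admin account arriving from a
# workstation IP, or an account that never normally logs on here over the
# network, is what a WMImplant process or user enumeration looks like.
$hits | Group-Object Account, SourceIP | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Account  = $sorted[0].Account
        SourceIP = $sorted[0].SourceIP
        AuthPkg  = $sorted[0].AuthPkg
        Logons   = $_.Count
        First    = $sorted[0].Time
        Last     = $sorted[-1].Time
    }
} | Sort-Object Logons -Descending | Format-Table -AutoSize
```

Because WMImplant authenticates as whatever account change_user supplied, the Account column shows the credential that was used rather than the operator’s own session, which is the value to pivot on when scoping the rest of the environment.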

I hope this post helps provide some insight into how WMImplant can help on your assessments. WMImplant has a large number of features I haven’t yet gone over, so I encourage you to explore its other functionality. If there’s anything we can do at FortyNorth Security to help you as well, don’t hesitate to contact us!