ChrisTruncer edited this page Dec 3, 2016 · 15 revisions

Welcome to the WMImplant wiki!

Running WMImplant

The first thing you will need to do is import WMImplant.ps1 into the console that you are using (PowerShell, Beacon, Empire, Meterpreter, etc.). Importing the script is an exercise I feel comfortable leaving to the user.

After importing WMImplant, you have two ways to use the tool: interactively or non-interactively. Using WMImplant non-interactively allows you to script actions with WMImplant and/or drive it from a RAT of your choice.

How it works

WMImplant is a tool designed to use WMI exclusively. WMI is not only the mechanism for triggering actions on the targeted machine; it is also the C2 channel itself. Where required, WMImplant stores data in WMI properties, and in one situation it stores data in the system registry. When using a WMI property, WMImplant captures the original property value, modifies the value, and then restores the original value once it is finished. When using the registry, WMImplant creates a new registry key, stores the data in a registry value, retrieves the data, and then removes the key. For specifics on which commands require data storage, and how data is stored for each command, review the respective commands in the Commands section.
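Because both storage mechanisms described above are transient, the observable a defender can work from is the round trip itself. The following is an added example, not part of the WMImplant wiki or its code, that scans constructed WMI/registry audit records for a property that leaves its first-seen value and returns to it, or a registry key that is created and deleted again, within a short window; the class, property and key names are placeholders, not the ones WMImplant uses.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample audit records (not real telemetry). Each record is
# (timestamp, channel, target, operation, value). Class, property and
# registry key names are placeholders, not the ones WMImplant uses.
SAMPLE_EVENTS = [
    ("2016-12-03T09:00:00", "wmi", "CLASS_A.PropX", "set", "baseline-value"),
    ("2016-12-03T10:00:00", "wmi", "CLASS_A.PropX", "set", "staged-data-blob"),
    ("2016-12-03T10:00:04", "wmi", "CLASS_A.PropX", "set", "baseline-value"),
    ("2016-12-03T10:05:00", "reg", "HKLM\\SOFTWARE\\PLACEHOLDER_KEY", "create_key", ""),
    ("2016-12-03T10:05:01", "reg", "HKLM\\SOFTWARE\\PLACEHOLDER_KEY", "set_value", "cmd-output"),
    ("2016-12-03T10:05:03", "reg", "HKLM\\SOFTWARE\\PLACEHOLDER_KEY", "delete_key", ""),
    ("2016-12-03T11:00:00", "wmi", "CLASS_B.PropY", "set", "new-admin-setting"),
]


def find_transient_storage(events, window_seconds: int = 300) -> List[Tuple[str, str, str]]:
    """Return (pattern, target, timestamp) for each write-then-revert sequence
    completing within window_seconds: 'wmi_modify_then_restore' when a property
    leaves its first-seen value and returns to it, 'reg_transient_key' when a
    key is created and deleted again."""
    window = timedelta(seconds=window_seconds)
    hits: List[Tuple[str, str, str]] = []
    baseline: Dict[str, str] = {}                    # first value seen per property
    deviated_at: Dict[str, Optional[datetime]] = {}  # when it left that value
    created_at: Dict[str, datetime] = {}             # registry key creation times
    for ts_s, channel, target, op, value in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        if channel == "wmi" and op == "set":
            if target not in baseline:
                baseline[target] = value             # first sighting defines "normal"
                deviated_at[target] = None
            elif value != baseline[target]:
                if deviated_at[target] is None:
                    deviated_at[target] = ts         # property moved off its baseline
            else:
                left = deviated_at[target]
                if left is not None and ts - left <= window:
                    hits.append(("wmi_modify_then_restore", target, ts_s))
                deviated_at[target] = None           # back to baseline (restored)
        elif channel == "reg":
            if op == "create_key":
                created_at[target] = ts
            elif op == "delete_key" and target in created_at:
                if ts - created_at.pop(target) <= window:
                    hits.append(("reg_transient_key", target, ts_s))
    return hits
```

The legitimate, never-reverted change to CLASS_B.PropY produces no hit, which is the point of keying on the restore rather than on the write alone.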

Commands

This section goes over the commands that WMImplant supports and how WMImplant performs each one.

change_user

The change_user command enables you to change the user context that you are currently running as. By default, WMImplant runs in the context of the user account that started the tool. If you need to change that account context, you can do so with the change_user command. WMImplant will prompt you for the new user account (DOMAIN\account) and the password to authenticate with. From that point on, WMImplant uses the new account credentials (until you use the change_user command again or exit WMImplant).

Exit

This command exits WMImplant.
