SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.
Note: Some commands will use PowerShell in combination with WMI, denoted with ** in the
SharpStrike allows you to gather data about a remote system, execute commands, exfil data, and more. Connections are made over Windows Management Instrumentation (WMI) or the Common Information Model (CIM) API, which on Windows is more accurately the Windows Management Infrastructure (MI) API. SharpStrike requires local administrator permissions on the target system, since remote WMI/CIM access is only granted to administrators by default.
It's probably easiest to use the built version under Releases; note that it is compiled in Debug mode. If you want to build the solution yourself, follow the steps below.
- Load SharpStrike.sln into Visual Studio
- Go to Build at the top and then Build Solution if no modifications are wanted
The Build will produce two versions of SharpStrike: GUI (WinForms) & Console application. Each version implements the same features.
Console Version:

```
SharpStrike.exe --help
SharpStrike.exe --show-commands
SharpStrike.exe --show-examples
SharpStrike.exe -c ls_domain_admins
SharpStrike.exe -c ls_domain_users_list
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
SharpStrike.exe -c command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]
```

GUI version:

```
show-commands
show-examples
ls_domain_admins
ls_domain_users_list
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]
```
- cat - Reads the contents of a file
- copy - Copies a file from one location to another
- download** - Download a file from the targeted machine
- ls - File/Directory listing of a specific directory
- search - Search for a file on a user
- upload** - Upload a file to the targeted machine
Lateral Movement Facilitation
- command_exec** - Run a command line command and receive the output. Run with the --nops flag to disable PowerShell
- disable_wdigest - Sets the registry value UseLogonCredential to zero
- enable_wdigest - Adds the registry value UseLogonCredential
- disable_winrm** - Disables WinRM on the targeted system
- enable_winrm** - Enables WinRM on the targeted system
- reg_mod - Modify the registry on the targeted machine
- reg_create - Create a registry value on the targeted machine
- reg_delete - Delete a registry value on the targeted machine
- remote_posh** - Run a PowerShell script on a remote machine and receive the output
- sched_job - Not implemented, because Win32_ScheduledJob accesses an outdated API
- service_mod - Create, delete, or modify system services
- ls_domain_users*** - List domain users
- ls_domain_users_list*** - List domain users by sAMAccountName
- ls_domain_users_email*** - List domain users' email addresses
- ls_domain_groups*** - List domain user groups
- ls_domain_admins*** - List domain admin users
- ls_user_groups*** - List domain users with their associated groups
- ls_computers*** - List computers on the current domain
- process_kill - Kill a process via name or process id on the targeted machine
- process_start - Start a process on the targeted machine
- ps - Process listing
- active_users - List domain users with active processes on the targeted system
- basic_info - Used to enumerate basic metadata about the targeted system
- drive_list - List local and network drives
- share_list - List network shares
- ifconfig - Receive IP info from NICs with active network connections
- installed_programs - Receive a list of the installed programs on the targeted machine
- logoff - Log users off the targeted machine
- reboot (or restart) - Reboot the targeted machine
- power_off (or shutdown) - Power off the targeted machine
- vacant_system - Determine if a user is away from the system
- edr_query - Query the local or remote system for EDR vendors
- logon_events - Identify users that have logged onto a system

\* All PowerShell can be disabled by using the --nops flag, although some commands will then not execute (upload/download, enable/disable WinRM)
\*\* Denotes PowerShell usage (either using a PowerShell Runspace or through the Win32_Process::Create method)
\*\*\* Denotes LDAP usage - "root\directory\ldap" namespace
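The CIM calls behind a handful of the commands above (basic_info, the LDAP-backed ls_domain_users_list, command_exec, and disable_wdigest), issued straight from PowerShell. This is an added example, not SharpStrike's own code. It assumes a reachable target named in $Target, a credential (or the current session token) that is a local administrator on it, a writable C:\Windows\Temp on the target for capturing command output, and, for the LDAP query, a domain-joined target on which the root\directory\ldap provider is present.

```powershell
# Added example, not SharpStrike's own code: the CIM/WMI calls behind a few of the
# listed commands. Assumptions: $Target is reachable; $Credential (or the current
# session) is a local administrator on it; C:\Windows\Temp is writable there.
param(
    [Parameter(Mandatory)] [string] $Target,
    [ValidateSet('Dcom', 'Wsman')] [string] $Protocol = 'Dcom',   # Dcom = classic WMI, Wsman = MI/CIM over WinRM
    [System.Management.Automation.PSCredential] $Credential      # omit to use the current session token
)

# 1. Connect. Both transports yield the same CIM session object; only the wire protocol differs.
$opt = New-CimSessionOption -Protocol $Protocol
$sessArgs = @{ ComputerName = $Target; SessionOption = $opt; ErrorAction = 'Stop' }
if ($Credential) { $sessArgs['Credential'] = $Credential }
$session = New-CimSession @sessArgs

try {
    # 2. basic_info equivalent: OS and computer-system metadata from root\cimv2.
    $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Host     = $cs.Name
        Domain   = $cs.Domain
        OS       = $os.Caption
        Build    = $os.BuildNumber
        LastBoot = $os.LastBootUpTime
    } | Format-List

    # 3. ls_domain_users_list equivalent: the LDAP provider in root\directory\ldap.
    #    Assumption: the target is domain-joined and the provider is present.
    Get-CimInstance -CimSession $session -Namespace 'root\directory\ldap' -ClassName ds_user |
        Select-Object -ExpandProperty DS_sAMAccountName

    # 4. command_exec equivalent. Win32_Process.Create returns only a PID and a
    #    status code, never stdout, so output is redirected to a file on the target
    #    for later retrieval. The child process is spawned by WmiPrvSE.exe.
    $outFile = 'C:\Windows\Temp\cmd_out.txt'
    $create = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = "cmd.exe /c quser > `"$outFile`" 2>&1" }
    if ($create.ReturnValue -ne 0) { throw "Win32_Process.Create failed with code $($create.ReturnValue)" }
    Write-Host "Started PID $($create.ProcessId) on $Target; output goes to $outFile"

    # 5. disable_wdigest equivalent: write UseLogonCredential=0 through StdRegProv.
    #    enable_wdigest is the same call with uValue = 1 (LSASS then caches plaintext creds).
    $HKLM = [uint32]2147483650
    $key  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $reg  = @{ CimSession = $session; Namespace = 'root\default'; ClassName = 'StdRegProv' }

    $before = Invoke-CimMethod @reg -MethodName GetDWORDValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key; sValueName = 'UseLogonCredential' }
    # A non-zero ReturnValue means the value does not exist; on Windows 8.1 / 2012 R2 and
    # later an absent value means WDigest credential caching is already off.
    Write-Host "UseLogonCredential before: $(if ($before.ReturnValue -eq 0) { $before.uValue } else { '<absent>' })"

    $set = Invoke-CimMethod @reg -MethodName SetDWORDValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key; sValueName = 'UseLogonCredential'; uValue = [uint32]0 }
    if ($set.ReturnValue -ne 0) { throw "SetDWORDValue failed with code $($set.ReturnValue)" }
}
finally {
    Remove-CimSession $session
}
```

Dcom is the transport the tool's WMI mode uses; Wsman is the MI/CIM path and needs the WinRM service listening on the target, which is why enable_winrm/disable_winrm exist in the command list. Because Win32_Process.Create cannot return stdout, every command_exec-style primitive either writes output to a file on the target or falls back to PowerShell, and the launched process shows up with WmiPrvSE.exe as its parent, which is the parent/child pair defenders alert on.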
Some Example Usage Commands
SharpStrike is composed of three main projects
- ServiceLayer -- Provides core functionality and consumed by the UI layer
- Models -- Contains types, shared across all projects
- User Interface -- GUI/Console
This is where the initial CIM/WMI connections are made and passed to the rest of the application
All function code for the WMI commands
All function code for the CIM (MI) commands