WMEye is a post-exploitation tool that uses a WMI Event Filter and MSBuild execution for lateral movement.
Current workflow:
1. Creates a remote WMI class.
2. Adds shellcode as a property value to the previously created fake WMI class.
3. Creates a WMI Event Filter that fires when the powershell.exe process is started.
4. When the event is triggered, it uses LogFileEventConsumer (a WMI consumer type for writing log files) to upload the MSBuild payload to the remote system.
5. Finally, it invokes Win32_Process Create to call MSBuild remotely.
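For detection, the workflow above leaves three observable stages on the target: the event filter, the LogFileEventConsumer, and MSBuild started by the WMI provider host. The following Python is an added example, not part of WMEye or the original page; it correlates those stages per host. The event schema, host names, paths and the 30-minute window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; simplified, hypothetical schema (not real log output).
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "kind": "wmi_filter",
     "query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance "
              "ISA 'Win32_Process' AND TargetInstance.Name = 'powershell.exe'"},
    {"ts": "2024-01-10T09:00:02", "host": "ws01", "kind": "wmi_consumer",
     "consumer_class": "LogFileEventConsumer"},
    {"ts": "2024-01-10T09:03:40", "host": "ws01", "kind": "process_create",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Benign: a developer starts a build from a shell on another host.
    {"ts": "2024-01-10T09:05:00", "host": "dev07", "kind": "process_create",
     "image": "C:\\BuildTools\\MSBuild.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
]

def stage(e):
    """Map one event to the workflow stage it matches, or None."""
    if e["kind"] == "wmi_filter":  # filter watching for powershell.exe starts
        q = e["query"].lower()
        return "filter" if "win32_process" in q and "powershell.exe" in q else None
    if e["kind"] == "wmi_consumer":  # consumer type that writes files to disk
        return "consumer" if e["consumer_class"].lower() == "logfileeventconsumer" else None
    if e["kind"] == "process_create":  # Win32_Process.Create children run under WmiPrvSE
        names = [e[k].lower().rsplit("\\", 1)[-1] for k in ("image", "parent_image")]
        return "exec" if names == ["msbuild.exe", "wmiprvse.exe"] else None
    return None

def detect(events, window=timedelta(minutes=30)):
    """Return {host: stages} for hosts with two or more stages inside `window`."""
    hits = defaultdict(list)
    for e in events:
        s = stage(e)
        if s:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), s))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= 2:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Calling `detect(EVENTS)` flags `ws01` with all three stages and ignores the developer build on `dev07`, because a single stage or an MSBuild process with an ordinary parent does not alert on its own.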
Disclaimer: The tool is intended strictly for educational use and should not be used for any other purpose.
Download Link: https://github.com/pwn1sher/WMEye