{"id":13840967,"url":"https://github.com/iomoath/SharpStrike","last_synced_at":"2025-07-11T10:30:47.878Z","repository":{"id":109691878,"uuid":"398721424","full_name":"iomoath/SharpStrike","owner":"iomoath","description":"A Post exploitation tool written in C# uses either CIM or WMI to query remote systems.","archived":false,"fork":false,"pushed_at":"2021-09-21T02:53:57.000Z","size":76015,"stargazers_count":196,"open_issues_count":0,"forks_count":51,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-05T17:26:19.514Z","etag":null,"topics":["cybersecurity","penetration-testing","penetration-testing-tools","redteam-tools","redteaming","winrm","wmi","wsman"],"latest_commit_sha":null,"homepage":"https://c99.sh/sharpstrike-post-exploitation-tool-cim-wmi-inside/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iomoath.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-08-22T05:25:36.000Z","updated_at":"2024-07-14T07:15:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"e319d7f8-5d67-47e0-84ad-325aa04c500f","html_url":"https://github.com/iomoath/SharpStrike","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iomoath%2FSharpStrike","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iomoath%2FSharpStrike/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iomoath%2FSharpStrike/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iomoath%2FSharpStrike/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iomoath","download_url":"https://codeload.github.com/iomoath/SharpStrike/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712957,"owners_count":17512523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","penetration-testing","penetration-testing-tools","redteam-tools","redteaming","winrm","wmi","wsman"],"created_at":"2024-08-04T17:01:00.471Z","updated_at":"2025-07-11T10:30:47.867Z","avatar_url":"https://github.com/iomoath.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\r\n\t\u003ch1\u003eSharpStrike\u003c/h1\u003e\r\n\t\u003cbr/\u003e\r\n\u003c/div\u003e\r\n\r\nSharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.\r\n\r\nNote: Some commands will use PowerShell in combination with WMI, denoted with ** in the `--show-commands` command.\r\n\r\n## Introduction\r\n\r\nSharpStrike is a C# rewrite and expansion on [@Matt_Grandy_](https://twitter.com/Matt_Grandy_)'s [CIMplant](https://github.com/FortyNorthSecurity/CIMplant) and [@christruncer](https://twitter.com/christruncer)'s [WMImplant](https://github.com/FortyNorthSecurity/WMImplant). \r\n\r\nSharpStrike allows you to gather data about a remote system, execute commands, exfil data, and more. The tool allows connections using Windows Management Instrumentation, [WMI](https://docs.microsoft.com/en-us/windows/win32/wmisdk/about-wmi), or Common Interface Model, [CIM](https://www.dmtf.org/standards/cim) ; well more accurately Windows Management Infrastructure, [MI](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmi_v2/windows-management-infrastructure). CIMplant requires local administrator permissions on the target system.\r\n\r\n\r\n## Setup:\r\n\r\nIt's probably easiest to use the built version under Releases, just note that it is compiled in Debug mode. If you want to build the solution yourself, follow the steps below.\r\n\r\n1. Load SharpStrike.sln into Visual Studio\r\n2. Go to Build at the top and then Build Solution if no modifications are wanted\r\n\r\nThe Build will produce two versions of SharpStrike: GUI (WinForms) \u0026 Console application. Each version implements the same features.\r\n\r\n\r\n## Usage\r\n\r\n```\r\nConsole Version:\r\n\r\nSharpStrike.exe --help\r\nSharpStrike.exe --show-commands\r\nSharpStrike.exe --show-examples\r\nSharpStrike.exe -c ls_domain_admins\r\nSharpStrike.exe -c ls_domain_users_list\r\nSharpStrike.exe -c cat -f \"c:\\users\\user\\desktop\\file.txt\" -s [remote IP address]\r\nSharpStrike.exe -c cat -f \"c:\\users\\user\\desktop\\file.txt\" -s [remote IP address] -u [username] -d [domain] -p [password] -c \r\nSharpStrike.exe -c command_exec -e \"quser\" -s [remote IP address] -u [username] -d [domain] -p [password]\r\n\r\nGUI version:\r\n\r\nshow-commands\r\nshow-examples\r\nls_domain_admins\r\nls_domain_users_list\r\ncat -f \"c:\\users\\user\\desktop\\file.txt\" -s [remote IP address]\r\ncat -f \"c:\\users\\user\\desktop\\file.txt\" -s [remote IP address] -u [username] -d [domain] -p [password]\r\ncommand_exec -e \"quser\" [remote IP address] -u [username] -d [domain] -p [password]\r\n```\r\n\r\n## Functions\r\n\r\n### File Operations:\r\n cat - Reads the contents of a file\r\n copy - Copies a file from one location to another\r\n download** - Download a file from the targeted machine\r\n ls - File/Directory listing of a specific directory\r\n search - Search for a file on a user\r\n upload** - Upload a file to the targeted machine\r\n\r\n### Lateral Movement Facilitation\r\n command_exec** - Run a command line command and receive the output. Run with nops flag to disable PowerShell\r\n disable_wdigest - Sets the registry value for UseLogonCredential to zero\r\n enable_wdigest - Adds registry value UseLogonCredential\r\n disable_winrm** - Disables WinRM on the targeted system\r\n enable_winrm** - Enables WinRM on the targeted system\r\n reg_mod - Modify the registry on the targeted machine\r\n reg_create - Create the registry value on the targeted machine\r\n reg_delete - Delete the registry on the targeted machine\r\n remote_posh** - Run a PowerShell script on a remote machine and receive the output\r\n sched_job - Not implimented due to the Win32_ScheduledJobs accessing an outdated API\r\n service_mod - Create, delete, or modify system services\r\n ls_domain_users*** - List domain users \r\n ls_domain_users_list*** - List domain users sAMAccountName \r\n ls_domain_users_email*** - List domain users email address \r\n ls_domain_groups*** - List domain user groups \r\n ls_domain_admins*** - List domain admin users \r\n ls_user_groups*** - List domain user with their associated groups\r\n ls_computers*** - List computers on current domain\r\n\r\n\r\n#### Process Operations\r\n process_kill - Kill a process via name or process id on the targeted machine\r\n process_start - Start a process on the targeted machine\r\n ps - Process listing\r\n\r\n### System Operations\r\n active_users - List domain users with active processes on the targeted system\r\n basic_info - Used to enumerate basic metadata about the targeted system\r\n drive_list - List local and network drives\r\n share_list - List network shares\r\n ifconfig - Receive IP info from NICs with active network connections\r\n installed_programs - Receive a list of the installed programs on the targeted machine\r\n logoff - Log users off the targeted machine\r\n reboot (or restart) - Reboot the targeted machine\r\n power_off (or shutdown) - Power off the targeted machine\r\n vacant_system - Determine if a user is away from the system\r\n edr_query - Query the local or remote system for EDR vendors\r\n\r\n### Log Operations\r\n logon_events - Identify users that have logged onto a system\r\n\r\n * All PowerShell can be disabled by using the --nops flag, although some commands will not execute (upload/download, enable/disable WinRM)\r\n ** Denotes PowerShell usage (either using a PowerShell Runspace or through Win32_Process::Create method)\r\n *** Denotes LDAP usage - \"root\\directory\\ldap\" namespace\r\n\r\n### Some Example Usage Commands\r\n\r\nConsole version:\r\n![SharpStrike-Console](Extras/SharpStrike-Usage.gif?raw=true)\r\n\r\n\r\nGUI version:\r\n![SharpStrike-GUI](Extras/SharpStrike-GUI.png?raw=true)\r\n\r\n\r\n\r\n## Solution Architecture\r\nSharpStrike is composed of three main projects\r\n1. ServiceLayer -- Provides core functionality and consumed by the UI layer\r\n2. Models -- Contains types, shared across all projects\r\n3. User Interface -- GUI/Console\r\n\r\n### ServiceLayer\r\n1. Connector.cs\r\n\u003e This is where the initial CIM/WMI connections are made and passed to the rest of the application\r\n\r\n2. ExecuteWMI.cs\r\n\u003e All function code for the WMI commands\r\n\r\n3. ExecuteCIM.cs\r\n\u003e All function code for the CIM (MI) commands\r\n\r\n\r\n\r\n\r\n### Read more\r\n[CIMplant Part 1: Detection of a C# Implementation of WMImplant](https://fortynorthsecurity.com/blog/cimplant-part-1-detections/)\r\n\r\n[WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell](https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html)\r\n\r\n[SharpStrike | Post-exploitation tool | CIM \u0026 WMI Inside](https://c99.sh/sharpstrike-post-exploitation-tool-cim-wmi-inside/)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiomoath%2FSharpStrike","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiomoath%2FSharpStrike","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiomoath%2FSharpStrike/lists"}