These are my notes on FireEye's yara rules for it's red team's tools.
These are the public projects that I could identify to be directly associated with a tool:
Project | Source |
---|---|
AndrewSpecial | https://github.com/hoangprod/AndrewSpecial |
BloodHound | https://github.com/BloodHoundAD/BloodHound |
CobaltStrike | https://www.cobaltstrike.com/ |
DoHC2 | https://github.com/SpiderLabs/DoHC2 |
DotNetToJScript | https://github.com/tyranid/DotNetToJScript |
DueDLLigence | https://github.com/fireeye/DueDLLigence |
GadgetToJScript | https://github.com/med0x2e/GadgetToJScript |
Get-GPPAutologon | https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1 |
Get-GPPPassword | https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 |
GetDomainPasswordPolicy | https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp |
GetDomainPasswordPolicy | https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp |
GoRAT | https://github.com/Nikait/GoRAT |
Impacket | https://github.com/SecureAuthCorp/impacket |
InveighZero | https://github.com/Kevin-Robertson/InveighZero |
Invoke-WCMDump | https://github.com/peewpw/Invoke-WCMDump |
KeeFarce | https://github.com/denandz/KeeFarce |
Malleable-C2-Profiles | https://github.com/rsmudge/Malleable-C2-Profiles/tree/master/normal |
NET-Assembly-Inject-Remote | https://github.com/med0x2e/NET-Assembly-Inject-Remote |
NoAmci | https://github.com/med0x2e/NoAmci |
PayloadsAllTheThings | https://github.com/antonioCoco/PayloadsAllTheThings |
pupy | https://github.com/n1nj4sec/pupy |
RT-EWS | https://github.com/med0x2e/RT-EWS/ |
Rubeus | https://github.com/GhostPack/Rubeus |
RuralBishop | https://github.com/rasta-mouse/RuralBishop |
SafetyKatz | https://github.com/GhostPack/SafetyKatz |
Seatbelt | https://github.com/GhostPack/Seatbelt |
SharpDNS | https://github.com/x3419/SharpDNS |
SharPersist | https://github.com/fireeye/SharPersist |
SharpHound3 | https://github.com/BloodHoundAD/SharpHound3 |
SharpSploit | https://github.com/cobbr/SharpSploit |
SharpView | https://github.com/tevora-threat/SharpView |
SharPyShell | https://github.com/antonioCoco/SharPyShell |
SharpZeroLogon | https://github.com/nccgroup/nccfsas/tree/e78093a5c72a3f52e6805b54e4c2cfba1f9f87d7/Tools/SharpZeroLogon |
SmbExec | https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py |
WmiExec | https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py |
These are the tools with no public projects that I could identify to be directly associated with them:
- ALLTHETHINGS (maybe
antonioCoco/PayloadsAllTheThings
) - DSHELL
- IMPACKETOBF
- JUSTASK
- KEEPERSIST
- LNKSMASHER
- MATRYOSHKA
- MEMCOMP
- MOFCOMP
- NETSHSHELLCODERUNNER
- PGF
- PREPSHELLCODE
- PXELOOT
- REDFLARE
- RESUMEPLEASE
- REVOLVER
- SHARPGENERATOR
- SHARPIVOT
- SHARPPGREP
- SHARPSACK
- SHARPSCHTASK
- SHARPSECTIONINJECTION
- SHARPSTOMP
- SHARPUTILS
- SINFULOFFICE
- UNCATEGORIZED
- CredSnatcher
- sharpdacl
- sharpgopher
- sharpnativezipper
- sharpnfs
- sharppatchcheck
- sharpsqlclient
- sharptemplate
- sharptemplate
- sharpwebcrawler
- sharpziplibzipper
- WEAPONIZE
- WILDCHILD
- WMIRUNNER
- WMISPY
Relevant Sources
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1
Details
This tool is used to hunt for AD credentials and used via execute-assembly that looks for passwords in GPP, Autoruns and AD objects.typelibguid = "15745B9E-A059-4AF1-A0D8-863E349CD85D" strings: "LDAP://" "[GPP] Searching for passwords now..." "Searching Group Policy Preferences (Get-GPPPasswords + Get-GPPAutologons)!" "possibilities so far)..." "\groups.xml "Found interesting file:" "\x00GetDirectories\x00" "\x00DirectoryInfo\x00" "\ADPassHunt\" "\ADPassHunt.pdb" "Usage: .\ADPassHunt.exe" "[ADA] Searching for accounts with msSFU30Password attribute" "[ADA] Searching for accounts with userpassword attribute" "[GPP] Searching for passwords now"
Relevant Sources
- Maybe
https://github.com/antonioCoco/PayloadsAllTheThings
Details
typelibguid = "542ccc64-c4c3-4c03-abcd-199a11b26754"
Relevant Sources
https://www.cobaltstrike.com/
https://github.com/rsmudge/Malleable-C2-Profiles/tree/master/normal
Relevant Sources
https://github.com/GhostPack/Seatbelt
Relevant Sources
https://github.com/BloodHoundAD/BloodHound
Details
typelibguid = "1fff2aee-a540-4613-94ee-4f208b30c599"
Details
strings: $dlang1 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\utf.d" ascii wide $dlang2 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\file.d" ascii wide $dlang3 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\format.d" ascii wide $dlang4 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\base64.d" ascii wide $dlang5 = "C:\\D\\dmd2\\windows\\bin\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide $dlang6 = "\\..\\..\\src\\phobos\\std\\utf.d" ascii wide $dlang7 = "\\..\\..\\src\\phobos\\std\\file.d" ascii wide $dlang8 = "\\..\\..\\src\\phobos\\std\\format.d" ascii wide $dlang9 = "\\..\\..\\src\\phobos\\std\\base64.d" ascii wide $dlang10 = "\\..\\..\\src\\phobos\\std\\stdio.d" ascii wide $dlang11 = "Unexpected '\\n' when converting from type const(char)[] to type int" ascii wide
Relevant Sources
https://github.com/cobbr/SharpSploit
Details
typelibguid = "7760248f-9247-4206-be42-a6952aa46da2"
Relevant Sources
https://github.com/fireeye/DueDLLigence
Details
typelibguid = "a8bdbba4-7291-49d1-9a1b-372de45a9d88" / HackTool_MSIL_HOLSTER typelibguid = "73948912-cebd-48ed-85e2-85fcd1d4f560" / MSIL_Launcher_DUEDLLIGENCE
Relevant Sources
https://github.com/med0x2e/RT-EWS/
setapplication=.outlookapplication
application.createobject("shell.application")
classid="clsid:0006f063-0000-0000-c000-000000000046"
.shellexecute"certutil.exe","-urlcache-split-fhttp_payload
setapplication=.outlookapplication
application.createobject("shell.application")
classid="clsid:0006f063-0000-0000-c000-000000000046"
.shellexecute"powershell.exe","-nop-whidden-encodedcommandpowershell_encoded_payload
function get-mailinfo
if(!$psboundparameters.containskey('email') -and !$psboundparameters.containskey('password') -and !$psboundparameters.containskey('accountsfilename')) { get-help $myinvocation.mycommand return }
$pr_deleted_message_size_extended = new-object microsoft.exchange.webservices.data.extendedpropertydefinition(26267,` [microsoft.exchange.webservices.data.mapipropertytype]::long)
get-mailinfo
get-globaladdresslist
invoke-impersonatedauth
invoke-mailenum
invoke-generatehomepage
set-homepage
Details
strings: "\x00Asktgt\x00" "\x00Kerberoast\x00" "\x00HarvestCommand\x00" "\x00EnumerateTickets\x00" "[*] Action: " wide "\x00Fluffy.Commands\x00"
Relevant Sources
https://github.com/tyranid/DotNetToJScript
https://github.com/med0x2e/GadgetToJScript
Details
typelibguid = "AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9" binary template = b'\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00\x00\x00\x00\x00PE'code tidbits: "System.Text.ASCIIEncoding" "System.Security.Cryptography.FromBase64Transform" "System.IO.MemoryStream" "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" "Microsoft.XMLDOM" "Microsoft.Windows.ActCtx" "System.IO.MemoryStream" "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"
offsets in FireEye's internal LazyNetToJscriptLoader tool: b'\x18^\x9eS\x99]\x15\x1b\xd2\x9c\xd8\xdc\x9a\\x1d\x13\x1b\xd8Y\x19' "henlOZXRUb0pzY3JpcHRMb2Fk" - bad b64 string b'azyNetToJscriptLoade'
Relevant Sources
https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
Details
typelibguid = "a5da1897-29aa-45f4-a924-561804276f08"
Relevant Sources
https://github.com/3gstudent/Homework-of-C-Language/blob/master/GetDomainPasswordPolicy.cpp
Details
typelibguid = "751a9270-2de0-4c81-9e29-872cd6378303"
function\s+?b64ToStream
(b,l)
ActiveXObject(
var enc
Dim enc
length, transform
Function\s+?b64Decode
(ByVal enc)
Dim xmlObj, nodeObj
Relevant Sources
https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py
\\127\.0\.0\.1\\.\$\\Windows\\Temp\\setupAPI\.dev\.log$
%CoMSpEC% /q /K echo
cmd.exe
services.exe
/q /K echo
2^>^&1
& del
\Temp\setupAPI.dev.log
\TEMP\install.bat
\Appdata\Local\Temp\install.bat
:\Windows\Temp\install.bat
>\s*\\\\127\.0\.0\.1\\.\$\\Windows\\Temp\\
2>&1
\\CurrentControlSet\\Services\\(Windows Update Control Service|Windows 10 Defender|Windows License Key Activation|Office 365 Proxy|Microsoft Security Center)\\ImagePath$
\\CurrentControlSet\\Services\\(OneDrive Sync Center|Background Action Manager|Secure Token Messaging Service|Windows Update)\\ImagePath$
%CoMSpEC% /q /K
services\Windows 10 Defender
services\Windows License Key Activation
services\Office 365 Proxy
services\Microsoft Security Center
services\OneDrive Sync Center
services\Background Action Manager
services\Secure Token Messaging Service
services\Windows Update
\Windows\Temp\setupAPI.dev.log
\Windows\Temp\setupAPI.dev.log
\/K\s*echo.*>\s*\\\\127\..* 2\^?>\^?&1
cmd.exe
windows\temp\install.bat
"%~dp0Setup.exe" /s /f
windows\temp\install.bat
/k
/q
class CMDEXEC
class RemoteShell
self.services_names
import random
self.__shell CoMSpEC
self.__serviceName
random.randint(len(self.services_names))
Relevant Sources
https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
^.:\\Windows\\[0-9]{10}[0-9a-f]{8}\.dat$
start
WmiPrvSE.exe
cmd.exe /Q /K
1\s*>\s*\\\\127\.0\.0\.1\\ADMIN\$\\[0-9]{10}[0-9a-f]{8}\.dat\s+2>&1$
\/Q\s*\/K.*1>\s*\\\\127\.0\.0\.1\\.*\\[0-9a-f]{18}\.dat.*2>&1
cmd.exe
wmiprvse.exe
cmd.exe
\/Q\s*\/K.*1\s*>\s*\\\\.*2>&1
\Svc_Block64
^[0-9a-f]{18}\.dat$
dat
windows
windows\temp
import random
class WMIEXEC
class RemoteShell
str(int(time.time())
random.randint(str(uuid.uuid4()).split()
self.__shell
cmd.exe
Relevant Sources
https://github.com/SecureAuthCorp/impacket
import random
class wmiexec
class remoteshell
class cmdexec
class remoteshell
self.services_names
import random
import random
class wmiexec
class remoteshell
Details
Impacket-Obfuscation is a slightly obfuscated version of the open source Impacket framework.
Relevant Sources
https://github.com/Kevin-Robertson/InveighZero
Details
typelibguid = "113ae281-d1e5-42e7-9cc2-12d30757baf1"
Details
typelibguid = "aa59be52-7845-4fed-9ea5-1ea49085d67a"
Relevant Sources
https://github.com/denandz/KeeFarce
Details
typelibguid = "17589ea6-fcc9-44bb-92ad-d5b3eea6af03"
Details
typelibguid = "1df47db2-7bb8-47c2-9d85-5f8d3f04a884"
Relevant Sources
- ``
import os
import argparse
random.choice(
binascii.hexlify(
"4c0000000114020000000000c0000000000000
copy /b /y
.lnk %appdata%\
&& cd %appdata% &&
ShellExec_RunDLL
Cmd
FOR
tokens=
findstr
.lnk
dir *si.lnk /b /a-d
tokens=1 delims=[]
lnk /b /a-d
findstr /r /c
DO cmd /c %D
SHELL32.DLL,ShellExec_RunDLL
%H IN ('dir *
/c copy /b /y *
System32\*rtutil.exe
&&echo 00>>
-f -enc""odehex
more +69
-f -decod""ehex
Details
drive serial = { 12 F7 26 BE } file droid guid = { BC 96 28 4F 0A 46 54 42 81 B8 9F 48 64 D7 E9 A5 } guid clsid = { E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D } header = { 4C 00 00 00 01 14 02 }
.pop(0)])
[1].replace('unsigned char buf[] = "'
binascii.hexlify(f.read()).decode(
os.system("cargo build {0} --bin {1}".format(
shutil.which('rustc')
~/.cargo/bin
Details
Process Hollowing
Details
typelibguid = "524d2687-0042-4f93-b695-5579f3865205"
instance of __EventFilter as $TimerFilter.{. Name = "
MSBuild.exe
userinit.exe
Relevant Sources
https://github.com/med0x2e/NET-Assembly-Inject-Remote
Details
typelibguid = "af09c8c3-b271-4c6c-8f48-d5f0e1d1cac6" typelibguid = "c5e56650-dfb0-4cd9-8d06-51defdad5da1" typelibguid = "e8fa7329-8074-4675-9588-d73f88a8b5b6"
Details
typelibguid = "49c045bc-59bb-4a00-85c3-4beb59b2ee12"
Relevant Sources
https://github.com/med0x2e/NoAmci
Details
typelibguid = "7bcccf21-7ecd-4fd4-8f77-06d461fd4d51" typelibguid = "ef86214e-54de-41c3-b27f-efc61d0accc3"
from lib.payload.techniques import
_shellcode_inject_base,
in payloadtemplate.subclasses():
payloadtemplate.variant(args.technique, args.template)
<project toolsversion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/
<usingtask
taskfactory="codetaskfactory"
<code type="class" language="cs">
public override bool execute
<#@ template language="c#" #>
<#+ namespace
<sequentialworkflowactivity x:class=
<codeactivity x:name=
<x:code>
<![cdata[
system.convert.frombase64string(
Details
strings: "\x00CreateThread\x00" "\x00ScriptObjectStackTop\x00" "\x00Microsoft.JScript\x00"
InstallUtil
:\Windows\System32\msiexec.exe
:\Windows\SysWOW64\msiexec.exe
^[A-Z]:\\Windows\\winsxs\\[^\\]+\\msiexec\.exe$
:\Program Files\KARDEX\Power Pick Global\InstallUtil.exe
:\Program Files (x86)\KARDEX\Power Pick Global\InstallUtil.exe
D:\\Applications\\[^\\]+\\Private\\[^\\]+\\.*\.exe
C:\Program Files (x86)\IBM\WinCollect Console\bin\WinCollectUserInterface.dll
\Microsoft.Workflow.Compiler.exe.lib
\UIAutomationClientsideProviders.dll.rsp
\AppData\sbscmp20_mscorwks.dll.rsp
\"C:\\Program Files( \(x86\))?\\
[-/]logfile=
[-/]u
/showcallstack
/user=
team\s*foundation
^.:\\BUILD\\[^\\]+\\Nant\\NAnt\.exe$
[-/]LogToConsole=false
[-/]LogToConsole=true
:\Program Files\
:\Program Files (x86)\
installutil
[-/]logfile=
[-/]u
[-/]LogToConsole=
Relevant Sources
https://github.com/n1nj4sec/pupy
https://github.com/BloodHoundAD/SharpHound3
Details
The PuppyHound variant of SharpHound. strings: "PuppyHound" "UserDomainKey" "LdapBuilder"
Details
The "PXE And Loot" (PAX) project. typelibguid = "78B2197B-2E56-425A-9585-56EDC2C797D6" strings: "_CorExeMain" "PXE" "InvestigateRPC" "DhcpRecon" "UnMountWim" "remote WIM image" "DISMWrapper" "findTFTPServer" "DHCPRequestRecon" "DHCPDiscoverRecon" "GoodieFile" "InfoStore" "execute"
Relevant Sources
https://github.com/Nikait/GoRAT
Details
Windows, MacOS, Powershell, and .NET modules of the GoRAT backdoor for RedFlare typelibguid = ""
Details
I believe a FireEye internal C2 tool that can deploy GoRAT, keyloggers, and downloaders. Buildable for Windows, Linux, possible MacOS, and as a Python script.
For Binary As
Range.Text
Environ(
CByte(
.SpawnInstance_
.Create(
Details
typelibguid = "a8bdbba4-7291-49d1-9a1b-372de45a9d88" typelibguid = "b214d962-7595-440b-abef-f83ecdb999d2"
Relevant Sources
https://github.com/GhostPack/Rubeus
Details
typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06"
Relevant Sources
https://github.com/GhostPack/SafetyKatz
Details
typelibguid = "8347E81B-89FC-42A9-B22C-F59A6A572DEC"
Relevant Sources
https://github.com/fireeye/SharPersist
Details
typelibguid = "9D1B853E-58F1-4BA5-AEFC-5C221CA30E48"
Details
typelibguid = "3f450977-d796-4016-bb78-c9e91c6a0f08"
wmiprvse.exe
svchost.exe
services.exe
taskeng.exe
cmd.exe
\sstart\s.*://
cmd.EXE /c start hpdiags://
start "C:\Program Files\internet explorer\iexplore.exe"
start iexplore http://
start curl "http://www.google.com"
start http://
rundll32.exe
url.dll\s*FileProtocolHandler.*://
3
\software\classes\
\shell\open\command\
Details
Sharpivot adds a new protocol handler to Windows in order to execute a specified malicious command. typelibguid = "3f450977-d796-4016-bb78-c9e91c6a0f08"
Details
typelibguid = "f65d75b5-a2a6-488f-b745-e67fc075f445"
Details
typelibguid = "1946808a-1a01-40c5-947b-8b4c3377f742"
Details
typelibguid = "0a64a5f4-bdb6-443c-bdc7-f6f0bf5b5d6c"
Details
typelibguid = "d77135da-0496-4b5c-9afe-e1590a4c136a"
Details
typelibguid = "41f35e79-2034-496a-8c82-86443164ada2" strings: "mscoree.dll" "timestompfile" "sharpstomp" "GetLastWriteTime" "SetLastWriteTime" "GetCreationTime" "SetCreationTime" "GetLastAccessTime" "SetLastAccessTime" "mscoree.dll" "SetCreationTime" "GetLastAccessTime" "SetLastAccessTime"
Details
typelibguid"2130bcd9-7dd8-4565-8414-323ec533448d" typelibguid"319228f0-2c55-4ce1-ae87-9e21d7db1e40" typelibguid"4471fef9-84f5-4ddd-bc0c-31f2f3e0db9e" typelibguid"5c3bf9db-1167-4ef7-b04c-1d90a094f5c3" typelibguid"ea383a0f-81d5-4fa8-8c57-a950da17e031"
Relevant Sources
https://github.com/antonioCoco/SharPyShell
Details
typelibguid = "f6cf1d3b-3e43-4ecf-bb6d-6731610b4866"
Relevant Sources
https://github.com/nccgroup/nccfsas/tree/e78093a5c72a3f52e6805b54e4c2cfba1f9f87d7/Tools/SharpZeroLogon
Details
typelibguid = "15ce9a3c-4609-4184-87b2-e29fc5e2b770"
Details
typelibguid = "9940e18f-e3c7-450f-801a-07dd534ccb9a"
Relevant Sources
https://github.com/hoangprod/AndrewSpecial
Details
typelibguid = "C6D94B4C-B063-4DEB-A83A-397BA08515D3" typelibguid = "3b5320cf-74c1-494e-b2c8-a94a24380e60" strings: "NtReadVirtualMemory" "WriteProcessMemory" "Minidump" "dumpType" "WriteProcessMemory" "bInheritHandle" "GetProcessById" "SafeHandle" "BeginInvoke" "EndInvoke" "ConsoleApplication1" "getOSInfo" "OpenProcess" "LoadLibrary" "GetProcAddress"
Relevant Sources
https://github.com/rasta-mouse/RuralBishop
Details
typelibguid = "FE4414D9-1D7E-4EEB-B781-D278FE7A5619" strings: "\x00NtMapViewOfSection\x00" "\x00NtOpenProcess\x00" "\x00NtAlertResumeThread\x00" "\x00LdrGetProcedureAddress\x00" "\x00DTrim.Execution.DynamicInvoke\x00" "\x00NtAlertResumeThread\x00" "\x00LdrGetProcedureAddress\x00" "\x00DTrim.Execution.DynamicInvoke\x00" "msg" "_CorExeMain" "RuralBishop" "KnightKingside" "ReadShellcode" "ReverseString" "DTrim" "QueensGambit" "Messages" "NtQueueApcThread" "NtAlertResumeThread" "NtQueryInformationThread"
Relevant Sources
https://github.com/SpiderLabs/DoHC2
https://github.com/tevora-threat/SharpView
https://github.com/x3419/SharpDNS
https://github.com/peewpw/Invoke-WCMDump
Details
The hxiocs mention using dism - searchprotocolhost - and werfault for process injection.
:\\Windows\\(SysWOW64|system32)\\TSTheme\.exe$
cmd.exe
powershell.exe
nslookup.exe
:\Windows\Temp\
:\ProgramData\
:\Users\Public\
\AppData\Roaming\
\AppData\Local\Temp\
start
running
Explorer.exe
:\\Windows\\(SysWOW64|system32)\\TSTheme\.exe$
start
running
Details
WildChild is a builder for a least HTAs - possibly .NET executables as well. typelibguid = "2e71d5ff-ece4-4006-9e98-37bb724a7780" strings: "processpath" "v4.0.30319" "v2.0.50727" "COMPLUS_Version" "FromBase64Transform" "MemoryStream" "entry_class" "DynamicInvoke" "Sendoff" "script language="
Details
typelibguid = "3a2421d9-c1aa-4fff-ad76-7fcb48ed4bff"
Details
typelibguid = "5ee2bca3-01ad-489b-ab1b-bda7962e06bb" strings: "_CorExeMain" "root\\cimv2" "root\\standardcimv2" "from MSFT_NetNeighbor" "from Win32_NetworkLoginProfile" "from Win32_IP4RouteTable" "from Win32_DCOMApplication" "from Win32_SystemDriver" "from Win32_Share" "from Win32_Process"