Skip to main content

WMI

Required Privileges: Administrators

Windows Management Instrumentation (WMI) is Windows implementation of Web-Based Enterprise Management (WBEM), an enterprise standard for accessing management Information across devices. WMI allows Administrators to perform Standard Management Tasks that Attackers can abuse to perform Lateral Movement.


Connecting to WMI From Powershell

Before being able to connect to WMI using Powershell Commands, we need to create a PSCredential Object with our User and Password. We can store this Object in the $credential Variable.

$username = 'USERNAME';
$password = 'PASSWORD';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;


We can then proceed to establish a WMI Session using one of the Protocols DCOM - WSMAN.

  • DCOM: RPC over IP will be used for Connecting to WMI. This protocol uses port 135/TCP and ports 49152-65535/TCP
  • WSMAN: WinRM will be used for connecting to WMI. This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop



Installing MSI Packages

WMI Session Must be Established Before Running Invoke-CimMethod

MSI is a file format used for Installers. If we can copy an MSI Package to the Target System, we can then use WMI to attempt to install it for us. Once the MSI file is in the Target System, we can attempt to Install it by invoking the Win32_Product class through WMI.

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\INSTALLER.msi"; Options = ""; AllUsers = $false}


Remote Process Creation

WMI Session Must be Established Before Running Invoke-CimMethod

We can Remotely Spawn a Process from Powershell by leveraging Windows Management Instrumentation (WMI) sending a WMI request to the Win32_Process class to Spawn the Process under the WMI Session.

$Command = "Command To Run";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}

Remote Service Creation

WMI Session Must be Established Before Running Invoke-CimMethod
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "ServiceName";
DisplayName = "ServiceName";
PathName = "Command To Run";
ServiceType = [byte]::Parse("16");
StartMode = "Manual"
}
# Run
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'ServiceName'"
Invoke-CimMethod -InputObject $Service -MethodName StartService

# Stop
Invoke-CimMethod -InputObject $Service -MethodName StopService

# Start
Invoke-CimMethod -InputObject $Service -MethodName Delete