Invoke-WMILM: acheive authenticated remote code execution via WMI
Invoke-WMILM
This is a PoC script for various methods to achieve authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the “Type” parameter.
Supported Techniques
- DerivedProcess – Creates a class deriving from Win32_Process, and calls the Create method of that class
- Service – Creates a service and runs it using WMI. Basically PSEXEC with different network traffic
- Job – Creates an at.exe style scheduled task to run in 30 seconds. Does not work on Win8+, unless at.exe is enabled
- Task – Creates a schtasks.exe style scheduled task and runs it. Works only on Win8+
- Product – Runs an arbitrary MSI file from a given path (given by the Command parameter)
- Provider – Creates a new provider with the command and arguments as the underlying COM object, and loads it
Download
git clone https://github.com/Cybereason/Invoke-WMILM.git
Use
Parameters
- Target – Name or IP of a target machine
- Type – The type of technique to use
- Protocol – Decides between the DCOM and Wsman (WinRM) protocols as the underlying transport. Default is DCOM
- Name – For techniques creating named objects (services, tasks etc.)
- Command – Executable to run
- CommandArgs – Arguments to the executable
- CleanUp – an optional phase to remove artefacts created by the various techniques
- Username
- Password
Copyright (C) 2018 Cybereason
Source: https://github.com/Cybereason/
