Moving Laterally with WMI
PRACTICE ! PRACTICE ! PRACTICE !
WMI is the Windows implementation of Web-Based Enterprise Management (WBEM), an enterprise standard for accessing management information across devices
In simpler terms, WMI allows administrators to perform standard management tasks remotely, and attackers can abuse the same functionality to perform lateral movement in various ways
Connecting to WMI from Powershell
Before being able to connect to WMI using Powershell commands, we need to create a PSCredential object with our user and password
This object will be stored in the $credential variable
We then proceed to establish a WMI session using either of the following protocols
DCOM => RPC over IP will be used for connecting to WMI - This protocol uses port 135/TCP and ports 49152-65535/TCP, just as explained when using sc.exe
Wsman => WinRM will be used for connecting to WMI - This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
To establish a WMI session from Powershell, we can use the following commands and store the session on the $Session variable
The New-CimSessionOption cmdlet is used to configure the connection options for the WMI session, including the connection protocol
The options and credentials are then passed to the New-CimSession cmdlet to establish a session against a remote host
Remote Process Creation Using WMI
Ports
135/TCP, 49152-65535/TCP (DCERPC)
5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships => Administrators
We can remotely spawn a process from Powershell by leveraging WMI, sending a WMI request to the Win32_Process class to spawn the process
Notice that WMI won't return the output of the command to you, but it will indeed create the requested process silently - hence making it a blind attack
On legacy systems, the same can be done using wmic.exe from the CMD
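From the defender's side, the characteristic artifact of a process created through the Win32_Process class is that it runs as a child of the WMI provider host, WmiPrvSE.exe. The following is an added example (not code from the original notes) that filters process-creation telemetry, such as Sysmon event 1 or Security event 4688 with parent process information, on that parent. The key=value log format, the field names, the sample records and the allowlisted agent path are constructed assumptions for this example:

```python
"""Spotting processes created remotely through WMI.

Added defender-side example, not code from the original notes. A process
created with the Win32_Process class is spawned by the WMI provider host,
WmiPrvSE.exe, so process-creation telemetry can be filtered on that
parent. The key=value format, field names and allowlist path below are
simplified assumptions made for this example.
"""
import re
from typing import Dict, List

# One record per line; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Hypothetical management agent that legitimately runs under WmiPrvSE.exe
# (assumed path; tune this to the software actually deployed).
ALLOWED_CHILDREN = {r"c:\program files\mgmtagent\agent.exe"}

# Constructed sample telemetry (not real data).
SAMPLE_LOG = r'''
EventID=1 Host=WS01 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="cmd.exe /c whoami"
EventID=1 Host=WS01 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
EventID=1 Host=WS02 Image="C:\Program Files\MgmtAgent\agent.exe" ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="agent.exe --inventory"
EventID=1 Host=WS02 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="powershell.exe -File C:\Temp\run.ps1"
'''


def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted values are unquoted)."""
    record: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        record[key] = quoted if quoted else bare
    return record


def is_wmi_child(record: Dict[str, str]) -> bool:
    """True when the parent image is the WMI provider host."""
    parent = record.get("ParentImage", "").lower()
    return parent.endswith("\\wmiprvse.exe")


def find_wmi_spawned(log: str, allowlist=ALLOWED_CHILDREN) -> List[Dict[str, str]]:
    """Return process-creation records whose parent is WmiPrvSE.exe,
    skipping child images that are on the allowlist."""
    hits = []
    for line in log.strip().splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "1" or not is_wmi_child(rec):
            continue
        if rec.get("Image", "").lower() in allowlist:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_wmi_spawned(SAMPLE_LOG):
        print(f'{hit["Host"]}: {hit["Image"]} spawned by WmiPrvSE.exe '
              f'-> {hit["CommandLine"]}')
```

Because the attack is blind, the command line of the child process is often the only clue to what the operator intended, so the hits keep the full record rather than just the image name. WmiPrvSE.exe also spawns processes for legitimate management software, which is why an allowlist keyed on the child image path is part of the rule rather than an afterthought.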
Creating Services Remotely with WMI
Ports
135/TCP, 49152-65535/TCP (DCERPC)
5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships => Administrators
We can create services with WMI through Powershell
To create a service called NxGService, we can use the following command
And then, we can get a handle on the service and start it with the following commands
Finally, we can stop and delete the service with the following commands
Creating Scheduled Tasks Remotely with WMI
Ports
135/TCP, 49152-65535/TCP (DCERPC)
5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships => Administrators
We can create and execute scheduled tasks by using some cmdlets available in Windows default installations
To delete the scheduled task after it has been used, we can use the following command
Installing MSI packages through WMI
Ports
135/TCP, 49152-65535/TCP (DCERPC)
5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
Required Group Memberships => Administrators
MSI is a file format used for installers in Windows installations - If we can copy an MSI package to the target system, we can then use WMI to attempt to install it for us
Once the MSI file is in the target system, we can attempt to install it by invoking the Win32_Product class through WMI
We can achieve the same by using wmic in legacy systems
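Creating a service, creating a scheduled task and installing an MSI package through WMI (the three previous sections) all leave an artifact event on the target shortly after the network logon that carried the DCOM or WinRM session. The following is an added defender-side example, not code from the original notes, that correlates Security event 4624 (logon type 3 from a remote address) with a subsequent Security 4697 (service installed), Security 4698 (scheduled task created) or MsiInstaller 11707 (product installed) on the same host. The event records, their simplified field names and the five-minute window are constructed assumptions for this example:

```python
"""Correlating WMI-driven persistence artifacts with a remote logon.

Added defender-side example, not code from the original notes. The
records below are constructed samples with simplified field names; the
correlation window is a tunable assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Artifact events that the three WMI techniques leave behind on the target.
ARTIFACT_EVENTS = {
    4697: "service installed (remote service creation)",
    4698: "scheduled task created (remote scheduled task creation)",
    11707: "MsiInstaller: product installed (remote MSI install)",
}

# Source addresses that mean the logon did not come over the network.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed sample telemetry (not real data), sorted by time.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-01T10:00:00", "host": "SRV01", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\admin", "source_ip": "10.10.1.50"},
    {"time": "2024-05-01T10:00:12", "host": "SRV01", "event_id": 4697,
     "detail": "NxGService -> C:\\Windows\\Temp\\svc.exe"},
    {"time": "2024-05-01T10:00:40", "host": "SRV01", "event_id": 4698,
     "detail": "UpdateCheck"},
    {"time": "2024-05-01T10:30:00", "host": "SRV01", "event_id": 11707,
     "detail": "Product: SampleApp -- Installation completed successfully."},
    {"time": "2024-05-01T11:00:00", "host": "SRV02", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\bob", "source_ip": "-"},
    {"time": "2024-05-01T11:00:05", "host": "SRV02", "event_id": 4698,
     "detail": "Backup"},
    {"time": "2024-05-01T11:05:00", "host": "SRV03", "event_id": 4697,
     "detail": "PrintSpoolerHelper -> C:\\Windows\\System32\\spool.exe"},
]


def correlate(events: List[Dict], window_seconds: int = 300) -> List[Dict]:
    """Flag artifact events that follow a remote network logon on the same
    host within the window. Events must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent_logons = defaultdict(list)  # host -> [(time, user, source_ip)]
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4624:
            # Only network logons (type 3) from a remote address matter;
            # both DCOM and WinRM sessions show up this way.
            if ev.get("logon_type") == 3 and ev.get("source_ip") not in LOCAL_SOURCES:
                recent_logons[ev["host"]].append((t, ev["user"], ev["source_ip"]))
            continue
        technique = ARTIFACT_EVENTS.get(ev["event_id"])
        if technique is None:
            continue
        for logon_time, user, source_ip in recent_logons[ev["host"]]:
            delta = t - logon_time
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": ev["host"],
                    "event_id": ev["event_id"],
                    "technique": technique,
                    "user": user,
                    "source_ip": source_ip,
                    "seconds_after_logon": int(delta.total_seconds()),
                    "detail": ev.get("detail", ""),
                })
                break  # one alert per artifact event is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f'{alert["host"]}: {alert["technique"]} {alert["seconds_after_logon"]}s '
              f'after logon of {alert["user"]} from {alert["source_ip"]} '
              f'[{alert["detail"]}]')
```

In the sample data only the service and the scheduled task on SRV01 are flagged: the MSI install on the same host happens half an hour later and falls outside the five-minute window, the task on SRV02 follows an interactive (type 2) logon rather than a network one, and SRV03 has no logon at all. The window is deliberately a parameter, since an operator who waits before creating the artifact will slip past a short one, and widening it trades more coverage for more noise from ordinary administration.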