Need help with Invoke-WMILM?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

Cybereason
215 Stars 64 Forks GNU Affero General Public License v3.0 7 Commits 0 Opened issues

Services available

!
?

Need anything else?

Contributors list

# 769,602
6 commits
# 525,332
1 commit

Invoke-WMILM

This is a PoC script for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class. The type of technique is determined by the "Type" parameter.

Parameters

  • Target - Name or IP of target machine
  • Type - The type of technique to use
  • Protocol - Decides between the DCOM and Wsman (WinRM) protocols as the underlying transport. Default is DCOM
  • Name - For techniques creating named objects (services, tasks etc.)
  • Command - Executable to run
  • CommandArgs - Arguments to the executable
  • CleanUp - an optional phase to remove artifacts created by the various techniques
  • Username
  • Password

Supported Techniques

  • DerivedProcess - Creates a class deriving from Win32_Process, and calls the Create method of that class
  • Service - Creates a service and runs it using WMI. Basically PSEXEC with different network traffic
  • Job - Creates an at.exe style scheduled task to run in 30 seconds. Does not work on Win8+, unless at.exe is enabled
  • Task - Creates an schtasks.exe style scheduled task and runs it. Works only on Win8+
  • Product - Runs an arbitrary MSI file from a given path (given by the Command parameter)
  • Provider - Creates a new provider with the command and arguments as the underlying COM object, and loads it

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.