WMI Exec

The wmiexec command uses COM to execute a process on the localhost or on a target host. Usually, WMI is driven through PowerShell or wmic.exe, but Microsoft also provides COM DLLs that can be used to interact with the WMI COM objects directly. Badger provides set_wmiconfig, get_wmiconfig and reset_wmiconfig to configure the WMI namespace, domain, username and password used to interact with a remote system. The figure below shows an example of local process creation for notepad.exe.

The figure above shows that the parent process is different after creating the process, even though we did not do any PPID spoofing. The reason is COM: when you use COM objects to perform what would otherwise be direct WinAPI calls, most of the work is carried out by the WMI provider host, WmiPrvSE.exe, instead of by your own process. A quick look at the Sysmon logs shows that notepad.exe was indeed created by WmiPrvSE.exe.

Going further down the rabbit hole shows that WmiPrvSE.exe itself was launched by DCOM: it has no parent process of its own, because it was started by the COM server.

The wmiexec command can also be used for remote process creation and lateral movement. Below is an example of lateral movement over SMB without creating a new service on the target host. The figure below can be explained as follows:

  • Create a token for the remote host using make_token
  • Copy the executable to the target host (admin share: C$)
  • Configure the remote WMI DCOM credentials using the set_wmiconfig command. Note the instance here; it is in the format \\hostname\root\cimv2
  • Execute the process with WMI. Note that the path executed is C:\smb_badger_x64.exe: the command line is interpreted as-is on the remote host (vortexdc.darkvortex.corp in this example), not on the local machine
  • Connect to the remote named pipe with the pivot_smb command

Note that processes on remote hosts are also created by the COM server, so your badger will never be the parent process in this case (OPSEC much?).
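The flip side of that parent-process artefact, for both the local notepad.exe case and the remote lateral-movement case above, is that it is exactly what a defender hunts for: a process creation whose parent is WmiPrvSE.exe. The following is an added example, not code from the Badger project, that runs that check over a few constructed Sysmon Event ID 1 records; the key=value record format, the DARKVORTEX user names and the "outside the Windows directory" triage heuristic are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records in a flat
# key=value form. These are sample inputs, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe User=DARKVORTEX\\alice",
    "EventID=1 Image=C:\\smb_badger_x64.exe "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe User=DARKVORTEX\\admin",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe User=DARKVORTEX\\alice",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe "
    "ParentImage=C:\\Windows\\System32\\services.exe User=SYSTEM",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
WMI_PROVIDER_HOST = "wmiprvse.exe"


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def is_wmi_spawned(event: dict) -> bool:
    """True for a process-creation event whose parent is the WMI provider host."""
    if event.get("EventID") != "1":
        return False
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    return parent == WMI_PROVIDER_HOST


def severity(image: str) -> str:
    """Triage heuristic (an assumption, not a rule from the page): a WMI-spawned
    binary outside the Windows directory, e.g. one dropped over an admin share,
    gets a higher priority than a system binary such as notepad.exe."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "medium" if len(parts) > 1 and parts[1] == "windows" else "high"


def detect(lines):
    """Return (image, severity) for every WMI-spawned process in the input."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_wmi_spawned(event):
            hits.append((event["Image"], severity(event["Image"])))
    return hits


if __name__ == "__main__":
    for image, level in detect(SAMPLE_EVENTS):
        print(f"[{level}] process created by WmiPrvSE.exe: {image}")
```

The same rule applies unchanged to the remote host, since there too the new process hangs off WmiPrvSE.exe rather than off the operator's implant.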