Home

Awesome

#WMIOps

WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements.

This is my first PowerShell script, so I am sure there's things that could have been done better. Please submit a request for anything that could be made more efficient and I'd be happy to look at it, and learn from it :).

Developed by @christruncer

Thanks to: @mattifestation for your major work in this area (Posh and WMI), @obscuresec, @enigma0x3, @424f424f, @xorrior, and @sixdub for having already solved a lot of PowerShell problems and publishing your code to let me, and others, learn from it @harmj0y - for helping to mentor me from the beginning @evan_Pena2003 - For your help with code reviews and teaching me what to look into and learn

WMIOps Functions:

Process Functions

Invoke-ExecCommandWMI               -   Executes a user specified command on the target machine
Invoke-KillProcessWMI               -   Kills a process (via process name or ID) on the target machine
Get-RunningProcessesWMI             -   Returns all running processes from the target machine

User Operations

Find-ActiveUsersWMI                 -   Checks if a user is active at the desktop on the target machine (or if away from their machine)
Get-ProcessOwnersWMI                -   Returns all accounts which have active processes on the target system

Host Enumeration

Get-SystemDrivesWMI                 -   Lists all local and network connected drives on target system
Get-ActiveNICSWMI                   -   Lists all NICs on target system with an IP address

System Manipulation Operations

Invoke-CreateShareandExecute        -   Creates a share, copies file into it, uses WMI to invoke the script on the target system, from the local system, via UNC path
Invoke-RemoteScriptWithOutput       -   Executes a powershell script in memory on the target host via WMI and returns the output
Invoke-SchedJobManipulation         -   Allows you to list, delete, or create jobs on a system over WMI
Invoke-ServiceManipulation          -   Allows you to start, stop, create, or delete services on a targeted system over WMI
Invoke-PowerOptionsWMI              -   Force logs off all users, reboots, or shuts down targeted system

File Operations

Invoke-DirectoryListing             -   Lists files/directories within a user specfied directory over WMI
Get-FileContentsWMI                 -   Reads the contents of a user specified file on a target system and displays the contents
Find-UserSpecifiedFileWMI           -   Search for a file (wildcard supported) on a target system
Invoke-FileTransferOverWMI          -   Uploads or Downloads files to/from the target machine over WMI

Original blog post documenting release - https://www.christophertruncer.com/introducing-wmi-ops/