Lateral Movement with WMI and PowerShell Cradle via API

Description

Run a PowerShell cradle on a remote system using the WMI API.

Overview

This script leverages Windows Management Instrumentation (WMI) to start a process on the operator-specified system, authenticating with a username and password or via impersonation. An obfuscated PowerShell cradle is then executed as the specified (or impersonated) user. The $Target parameter can be a hostname, FQDN, or IP address.

Arguments

  • Target: The IP address or hostname of the system on which to run the cradle.
  • Username: The local or domain username to authenticate with.
  • Password: The password for the specified user.
  • Build: The Specter build identifier.

Dependencies

  • None

Operating Systems

  • Windows

Pre-Requisites

  • Valid administrator credentials for the target system.
  • WMI service must be running on the remote system.
  • WMI must be allowed through the firewall.
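As an added, defensive example that is not part of this module or its documentation, the Python below flags the host-side trace this technique leaves: a shell whose parent is WmiPrvSE.exe, the provider host under which Win32_Process.Create launches its children, escalated when the command line also carries cradle-style flags. The Sysmon-style records and the indicator list are constructed assumptions, not vendor telemetry or a vetted signature.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 (ProcessCreate) style records, not real telemetry;
# field names follow the Sysmon schema, values are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Computer": "WS01", "User": "CORP\\svc_admin",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <BASE64_PLACEHOLDER>"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Computer": "WS02", "User": "CORP\\svc_admin",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

# Win32_Process.Create starts the child under the WMI provider host.
WMI_PROVIDER_HOST = "wmiprvse.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits common to download cradles (assumed indicator list).
CRADLE_FLAGS = re.compile(
    r"(-e(nc|ncodedcommand)?\b|\biex\b|invoke-expression|downloadstring"
    r"|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)",
    re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """None for benign, 'medium' for a shell spawned by WmiPrvSE.exe,
    'high' when that shell's command line also shows cradle-style flags."""
    if basename(event["ParentImage"]) != WMI_PROVIDER_HOST or basename(event["Image"]) not in SHELLS:
        return None
    hits = CRADLE_FLAGS.findall(event["CommandLine"])
    return "high" if hits else "medium"

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per suspicious event: host, user, image and severity."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            alerts.append({"Computer": ev["Computer"], "User": ev["User"],
                           "Image": basename(ev["Image"]), "Severity": severity})
    return alerts
```

Correlating the medium-severity hits with the preceding authentication on the target (the administrator logon the pre-requisites above require) is what separates routine WMI administration from this module's footprint.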

Example Output

{
  "Lateral": {
    "Username": "[email protected]",
    "Build": "remote",
    "Payload": "ps_command",
    "PID": 29564,
    "Success": false,
    "Method": "WMI Process Call Create",
    "System": "192.168.1.103"
  }
}