WMI (Windows Management Instrumentation) is a service that has been installed and enabled by default since Windows 2000. It gives administrators the ability to perform a large number of actions on systems they control, ranging from system monitoring, starting or stopping processes, and managing system services to file operations and more. This is one of a series of blog posts documenting how to perform a variety of administrative actions through WMI via PowerShell.
For this blog post, we're going to copy a file stored on a system that we're targeting. There are multiple reasons why an administrator, or an attacker, would want to copy files. To do this, we're going to use two PowerShell cmdlets, Get-WMIObject and Invoke-WMIMethod. As with nearly all WMI use cases, this will require you to have administrative rights on the system that you are targeting.
Get-WMIObject cmdlet Command
The Get-WMIObject cmdlet will return an object that you can pass into Invoke-WMIMethod to invoke the Copy method on. When running the Get-WMIObject cmdlet, you will need to use the CIM_LogicalFile class and a filter based on the full path of the file that you want to copy. Note that the filter is a WQL expression, and WQL treats the backslash as an escape character, so each backslash in the path has to be doubled. If you plan on targeting a remote system, you will need to use the ComputerName parameter. Additionally, if you are not running in the context of an account with local admin rights on the targeted system, you will need to provide a PSCredential object with the proper credentials to the Credential parameter. An example command would be:
$compfile = Get-WMIObject -Class CIM_LogicalFile -Filter 'Name = "C:\\Users\\christruncer\\Downloads\\passwords.xlsx"' -ComputerName 192.168.1.15
Invoke-WMIMethod cmdlet Command
The next step is to use the Invoke-WMIMethod cmdlet to copy the file. The $compfile variable is passed into the Invoke-WMIMethod cmdlet through the InputObject parameter. The other required parameters are Copy as the name of the method, and the full destination path (including the file name) in the ArgumentList parameter. Keep in mind that the method executes on the system the object came from, so when you target a remote host the destination path is interpreted on that host, not on the machine you are running PowerShell from. The cmdlet returns an object whose ReturnValue property is 0 on success; a non-zero value indicates the copy failed (for example, 2 for access denied, or 10 when the destination file already exists, since Copy will not overwrite it). A sample command would appear similar to the following:
Invoke-WMIMethod -InputObject $compfile -Name Copy -ArgumentList "C:\Users\ctruncer\Desktop\copiedpasswords.xlsx"
A screenshot of successfully copying a file would look similar to the following screenshot:
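As an added example (not code from the original post or from WMImplant), the two-step process above wrapped in a single function: it escapes the path for the WQL filter, fails clearly when no file matches, and checks the Copy method's ReturnValue instead of assuming success. The host name, account and file paths in the usage lines at the bottom are placeholders.

```powershell
# Added example, not part of the original post: copy a file on a (remote) host via
# CIM_LogicalFile.Copy and report the method's return code.
function Copy-WmiFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Full path of the file on the target, e.g. C:\Users\someuser\Downloads\report.xlsx
        [Parameter(Mandatory)] [string] $SourcePath,
        # Full destination path including the file name; resolved on the target host
        [Parameter(Mandatory)] [string] $DestinationPath,
        # Needed when the current account does not have local admin on the target
        [System.Management.Automation.PSCredential] $Credential
    )

    # WQL uses backslash as an escape character, so every backslash in the
    # Windows path must be doubled before it goes into the -Filter expression.
    $wqlPath = $SourcePath -replace '\\', '\\'

    $wmiArgs = @{
        Class        = 'CIM_LogicalFile'
        Filter       = "Name = '$wqlPath'"
        ComputerName = $ComputerName
        ErrorAction  = 'Stop'
    }
    if ($Credential) { $wmiArgs['Credential'] = $Credential }

    # Step 1: retrieve the file object. An empty result means the path is wrong
    # or the account cannot see the file (it does not throw on its own).
    $file = Get-WmiObject @wmiArgs
    if (-not $file) {
        throw "No file matched '$SourcePath' on $ComputerName (check the path and admin rights)."
    }

    # Step 2: invoke Copy on that instance. The method runs on the target host,
    # so $DestinationPath is interpreted there, not on the machine running this.
    $result = Invoke-WmiMethod -InputObject $file -Name Copy -ArgumentList $DestinationPath

    # Documented CIM_LogicalFile.Copy return codes that come up most in practice.
    $codes = @{
        0  = 'Success'
        2  = 'Access denied'
        8  = 'Unspecified failure'
        10 = 'Destination already exists (Copy does not overwrite)'
        17 = 'Privilege not held'
    }
    # ReturnValue is a UInt32; cast to [int] so it matches the Int32 hashtable keys.
    $code   = [int]$result.ReturnValue
    $status = if ($codes.ContainsKey($code)) { $codes[$code] } else { "Unknown return code $code" }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Source       = $SourcePath
        Destination  = $DestinationPath
        ReturnValue  = $code
        Status       = $status
    }
}

# Usage with placeholder values: prompt for the password of an account that has
# local admin on the target, then copy the file within that host's file system.
$cred = Get-Credential -UserName 'LAB\admin' -Message 'Account with local admin on the target'
Copy-WmiFile -ComputerName '192.168.1.15' `
             -SourcePath 'C:\Users\someuser\Downloads\report.xlsx' `
             -DestinationPath 'C:\Windows\Temp\report.xlsx' `
             -Credential $cred
```

Treat any ReturnValue other than 0 as a failure even though Invoke-WmiMethod itself does not throw for it; a destination that already exists is the most common reason a copy that "ran fine" produced no new file.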
How to Copy Files With WMImplant
This copy functionality is also built into WMImplant. You can find it within the file operations functionality. You should see something similar to the following when copying a file via WMImplant:
I hope that this helps document how to copy a file via WMI and WMImplant. Are you interested in learning more about WMImplant? Check out our post “An Introduction to WMImplant Post-Exploitation” and, of course, if you have any questions at all, please feel free to contact us at FortyNorth Security.