Mallory
Malware: used by 1 actor

Invoke-WMIExec

Invoke-WMIExec is a PowerShell-based remote execution tool used to execute commands on remote Windows systems via WMI and DCOM, including with elevated privileges. In the provided reporting, Cisco Talos observed the China-linked threat actor UAT-8837 using Invoke-WMIExec as part of post-compromise operations against critical infrastructure targets in North America since at least 2025. Talos reported that when Impacket-based tooling was detected and blocked, the actor downloaded Invoke-WMIExec.ps1 as an alternate remote-execution mechanism, and cycled among related tools including Impacket, GoExec, and SharpWMI to evade detection. The tool was used after initial access obtained through compromised credentials or exploitation of vulnerable servers, including activity linked to the Sitecore ViewState deserialization zero-day CVE-2025-53690. Within these intrusions, Invoke-WMIExec supported hands-on-keyboard activity such as remote command execution during reconnaissance, credential harvesting, and lateral movement. The content does not provide standalone IOCs specific to Invoke-WMIExec beyond the script name Invoke-WMIExec.ps1 and its use over WMI/DCOM.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAT-8837

Impacket, Invoke-WMIExec, GoExec, SharpWMI – Execute commands on remote systems via WMI and DCOM; the actor cycles through the tools when detection blocks execution

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Lateral Movement

1 technique
T1550.002 Pass the Hash (evidence: 1)

T+15 minutes. Lateral movement. Via the standard RMM channel (the BeyondTrust agent on the target hosts) or via classic techniques: Pass the Hash (T1550.002): the NTLM hash from the previous step is replayed to authenticate over SMB (port 445) or WMI (port 135).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (1)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.