.. / Win32_Service

Represents a service on a computer system running Windows

Functions:	Execute Processes
Type:	WMI
Toolsets:	Builtin CIMSession

Execute

Start service

$tssvc = Get-CimInstance -Filter 'Name="TermService"' -ClassName Win32_Service -CimSession $s
$tssvc
$tssvc | Invoke-CimMethod -MethodName StartService

Comments

Create CimSession $s using New-CimSession
Namespace: ROOT\Cimv2

Mitre Att&ck
T1569.002

Create new service

Invoke-WmiMethod -Class Win32_Service -Name Create -ArgumentList $false,"Print Spooler (x64)",([byte]1),$null,$null,"spoolsv64","C:\Windows\System32\cmd.exe /c powershell -e bHM=",$null,([byte]16),"Manual","NT AUTHORITY\SYSTEM",""

Comments
Create CimSession $s using New-CimSession

Mitre Att&ck
TA0002

Processes

List services

Get-CimInstance -ClassName Win32_Service -CimSession $s

Usecase
Reconnaissance on installed services

Comments
Create CimSession $s using New-CimSession

Obtain a specific service instance

Get-CimInstance -Filter 'Name="TermService"' -ClassName Win32_Service -CimSession $s

Usecase
Start or stop a service

Comments
Create CimSession $s using New-CimSession

Updated: 2023-07-01

Contributor: Arris Huijgen (bitsadmin)