SprayWMI
SprayWMI is a method for mass spraying Unicorn PowerShell injection to CIDR notations. The initial WMI communications use TCP port 135 and afterwards a random port is negotiated. Since WMI and RPC services are often used for remote administration and administration tools, it is common to see these ports open and unfiltered on internal networks.
https://github.com/trustedsec/spraywmi