
WMI Execution

Execute commands on remote Windows systems via DCOM/RPC. No file writes, no service creation. Stealthier than PSExec.

WMI (Windows Management Instrumentation) is a legitimate Windows administration protocol that attackers abuse for remote code execution and lateral movement.

Unlike PSExec which uses SMB, WMI uses DCOM/RPC (TCP 135, 49152-65535) to execute processes on remote systems without writing files or creating services.

Difficulty: Intermediate • Phase 3: Lateral Movement • MITRE ATT&CK T1047


Remote Code Execution via DCOM/RPC

Requires: Valid credentials • Difficulty: Intermediate • Impact: High


How WMI Works (Legitimate Use):

  1. Administrator connects to remote system via WMI (DCOM/RPC)
  2. WMI service (WinMgmt) authenticates request
  3. WMI executes Win32_Process.Create() method
  4. Process runs on remote system with specified credentials
  5. Output can be retrieved via WMI queries

Attack Exploit:

Attackers use WMI with compromised credentials to execute commands remotely. WMI execution leaves fewer forensic artifacts than PSExec—no file writes, no service creation. It's a "living off the land" technique that's harder to detect.

Why It's Effective: WMI is a core Windows component that is always enabled. It uses different ports than SMB, so it may pass through network restrictions that block SMB. Because no files are written to disk and no services are created, detection is more difficult than for PSExec.

Legal & Ethical Warning

WMI Execution techniques should only be used in authorized penetration testing, red team engagements, or controlled lab environments. Unauthorized access to computer systems is illegal under CFAA and equivalent laws worldwide. Always obtain written permission before testing.


Remote Command Executions via WMI

Mission Brief

WMI connects to remote systems via DCOM/RPC (TCP 135, 49152-65535), uses Win32_Process.Create() to execute commands, and retrieves output. No files written, no services created—stealthier than PSExec.

Attack Chain

  1. Connect: DCOM/RPC connection to target (TCP 135)
  2. Authenticate: WMI service validates credentials
  3. Execute: Win32_Process.Create() runs command
  4. Retrieve: Query WMI for process output
  5. Cleanup: Process exits naturally (no artifacts)

Why It Works

  • Core Windows component: WMI is always enabled
  • No file writes: Unlike PSExec, no files copied to disk
  • No service creation: No Event ID 7045 (service creation)
  • Different protocol: Uses DCOM/RPC instead of SMB
  • Fewer artifacts: Leaves minimal forensic evidence
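The artifact that does remain is the process tree: a command launched through Win32_Process.Create() runs as a child of WmiPrvSE.exe. As an added detection example (not part of this module), the script below flags such children over constructed Sysmon Event ID 1 and Security Event ID 4624 records, and labels a hit "remote" when its logon ID matches a recent network (type 3) logon. The field names are simplified assumptions, not the exact schema of either log.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Security Event ID 4624 (logon)
# and Sysmon Event ID 1 (process creation). Field names are simplified
# assumptions, not the real XML schema of either log.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01", "log": "Security", "id": 4624, "logon_type": 3,
     "logon_id": "0x3e7a1", "user": "CORP\\admin", "src_ip": "10.0.0.25"},
    {"ts": "2025-01-10T09:00:02", "log": "Sysmon", "id": 1, "logon_id": "0x3e7a1",
     "user": "CORP\\admin", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-01-10T09:00:05", "log": "Sysmon", "id": 1, "logon_id": "0x1f2a0",
     "user": "CORP\\jsmith", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"ts": "2025-01-10T09:01:00", "log": "Sysmon", "id": 1, "logon_id": "0x1f2a0",
     "user": "CORP\\jsmith", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "cmd.exe /c ipconfig"},
]

WMI_HOST = "wmiprvse.exe"          # host process for Win32_Process.Create()
LOGON_WINDOW = timedelta(minutes=10)  # how far back a network logon may precede the process

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def find_wmi_executions(events):
    """Return one finding per process whose parent is WmiPrvSE.exe.
    A finding is 'remote' when its LogonId also appears in a type-3 (network)
    4624 event within LOGON_WINDOW before it; otherwise it is 'local'."""
    network_logons = {
        ev["logon_id"]: ev for ev in events
        if ev["log"] == "Security" and ev["id"] == 4624 and ev["logon_type"] == 3
    }
    findings = []
    for ev in events:
        if ev["log"] != "Sysmon" or ev["id"] != 1:
            continue
        if not ev["parent"].lower().endswith(WMI_HOST):
            continue
        logon = network_logons.get(ev["logon_id"])
        remote = logon is not None and timedelta(0) <= _ts(ev) - _ts(logon) <= LOGON_WINDOW
        findings.append({
            "ts": ev["ts"], "user": ev["user"], "cmdline": ev["cmdline"],
            "origin": "remote" if remote else "local",
            "src_ip": logon["src_ip"] if remote else None,
        })
    return findings

if __name__ == "__main__":
    for f in find_wmi_executions(SAMPLE_EVENTS):
        print(f"[{f['origin']}] {f['ts']} {f['user']} src={f['src_ip']} cmd={f['cmdline']}")
```

Without Sysmon, Security Event ID 4688 with process creation auditing enabled records the same parent/child relationship (Creator Process Name), so the same rule applies there.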

Advantages Over PSExec

WMI execution is stealthier than PSExec because it doesn't write files or create services. However, it requires DCOM/RPC access, which may be blocked by network segmentation.

OPSEC: Training only. Unauthorized access to production systems is a federal crime. WMI Execution is MITRE ATT&CK technique T1047.
Copyright © 2025 JMFG. All rights reserved.