Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS is reached through the RPC endpoint mapper on TCP port 135; the DCOM session that carries the WMI traffic then continues on a dynamically assigned high port. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
WMI List User Accounts
Supported Platforms: Windows
wmic useraccount get /ALL
WMI List Processes
Supported Platforms: Windows
wmic process get caption,executablepath,commandline
WMI List Software
Supported Platforms: Windows
wmic qfe get description,installedOn /format:csv
Note: the qfe alias queries the Win32_QuickFixEngineering class, so this enumerates installed updates and hotfixes rather than installed applications.
WMI List Remote Services
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
node | Ip Address | String | 192.168.0.1 |
service_search_string | Name Of Service | String | sql server |
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
This test uses wmic.exe to execute a process on the local host.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
process_to_execute | Name or path of process to execute. | String | calc.exe |
wmic process call create #{process_to_execute}
This test uses wmic.exe to execute a process on a remote host.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
node | Ip Address | String | 192.168.0.1 |
process_to_execute | Name or path of process to execute. | String | calc.exe |
wmic /node:"#{node}" process call create #{process_to_execute}
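The discovery tests above (useraccount, process, qfe, service) and the two process-creation tests share a small set of observable features in process-creation telemetry: wmic.exe as the image, a discovery alias followed by get/where, the "process call create" verb pair, the /node: switch naming a remote target, and, on the target host, a child process whose parent is WmiPrvSE.exe. The following Python is an added detection example written for this page; it is not part of the ATT&CK description or the Atomic Red Team tests. It runs over a constructed set of Sysmon Event ID 1 style records (hypothetical hosts WS01 and SRV01 and user CORP\alice) and tags each one.

```python
"""Tag wmic.exe discovery / execution activity (ATT&CK T1047) in process-creation events.

Added example for this page, not code from ATT&CK or Atomic Red Team.
The sample events below are constructed to mirror the tests listed above; in a
real deployment the records would come from Sysmon Event ID 1 or Security 4688.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str


# Alias + verb pairs that correspond to the discovery tests on this page
# (product and os are extra wmic aliases added for coverage).
DISCOVERY_RE = re.compile(
    r"\b(useraccount|process|qfe|service|product|os)\b.*\b(get|list|where)\b", re.I)
# "wmic process call create <cmd>" launches a process (local or, with /node:, remote).
EXEC_RE = re.compile(r"\bprocess\b.*\bcall\s+create\b", re.I)
# /node:"host" or /node:host selects a remote target.
NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def remote_target(command_line: str) -> Optional[str]:
    """Return the /node: target if the command line names one."""
    m = NODE_RE.search(command_line)
    return m.group(1) if m else None


def classify(ev: ProcEvent) -> List[str]:
    """Return the T1047-related tags that apply to one event (empty list if none)."""
    tags = []
    if basename(ev.image) == "wmic.exe":
        if EXEC_RE.search(ev.command_line):
            tags.append("execution")
        elif DISCOVERY_RE.search(ev.command_line):
            tags.append("discovery")
        if remote_target(ev.command_line):
            tags.append("remote")
    # On the receiving host, processes created through WMI are spawned by WmiPrvSE.exe.
    if basename(ev.parent_image) == "wmiprvse.exe":
        tags.append("wmiprvse-child")
    return tags


def scan(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per event that carries at least one tag."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append({"host": ev.host, "user": ev.user, "tags": tags,
                             "node": remote_target(ev.command_line),
                             "command_line": ev.command_line})
    return findings


# Constructed sample telemetry (hypothetical hosts/users), modelled on the tests above.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\System32\cmd.exe"
USER = "CORP\\alice"
SAMPLE_EVENTS = [
    ProcEvent("WS01", WMIC, "wmic useraccount get /ALL", CMD, USER),
    ProcEvent("WS01", WMIC, "wmic process get caption,executablepath,commandline", CMD, USER),
    ProcEvent("WS01", WMIC, 'wmic /node:"192.168.0.1" service where (caption like "%sql server (%")', CMD, USER),
    ProcEvent("WS01", WMIC, "wmic process call create calc.exe", CMD, USER),
    ProcEvent("WS01", WMIC, 'wmic /node:"192.168.0.1" process call create calc.exe', CMD, USER),
    # What the remote execution looks like on the target: the payload's parent is WmiPrvSE.exe.
    ProcEvent("SRV01", r"C:\Windows\System32\calc.exe", "calc.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", USER),
    # Benign interactive process, should produce no finding.
    ProcEvent("WS01", r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe", USER),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:<6} {f['user']:<12} {','.join(f['tags']):<22} "
              f"node={f['node']} :: {f['command_line']}")
```

The "remote" and "wmiprvse-child" tags are the ones worth correlating across hosts: a wmic.exe command with /node: on one machine followed shortly by a WmiPrvSE.exe child on the named target is the lateral-movement pattern the page describes, whereas discovery tags on their own are noisy in environments where administrators and inventory agents use wmic routinely.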