T1047:Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve code execution. WMI is a Windows Administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.

Very awesome things we can do with wmic(Command-Line), in a local and/or remote manner.

Let's enumerate locally we can grab valued info such as Name, Manufacturer, Model, Domain and a Description

Environment

Users, Groups

Missing patches:

Execution of an XSL File

Execution, we can create a process and execute code

Wmic is proxy aware so it can also call xsl file from remote host that can contain our payloads. This is a great method to avoid logs as it is very uncommon to be used and OPSEC safe for environments.

PreviousExecution NextT1204: User Execution

Last updated 4 years ago

Was this helpful?