# WMIexec / WMI

{% hint style="warning" %}
Administrator rights on the target machine are mandatory.
{% endhint %}

WMI is commonly employed to execute and automate administrative tasks in Windows, including interactions with remote computers. An executable (wmic.exe) is included in the Windows operating system to perform these remote administrative tasks, or the same Windows APIs can be utilized by PowerShell or other scripting languages. This executable has been re-implemented in the Impacket suite.

Whether you use the wmic.exe executable or Impacket's wmiexec, your commands are executed inside a CMD.EXE process on the target and the output is written to a temporary file in the remote machine's ADMIN$ share. This temporary file can be identified in the ADMIN$ share by its filename, which begins with `__` followed by a timestamp.

The CMD.exe process that is spawned becomes a child process of `WmiPrvSE.exe` on the target system. If the target is being monitored, a Security Operations Center (SOC) may flag the creation of this process as malicious activity.

Once the threads of the process finish their tasks, the process terminates, and the output is written into the temporary file. Subsequently, the output stored in the temporary file is returned to our machine via SMB.

![](/files/5nsDcx69J0PxyCG13LUs)

{% tabs %}
{% tab title="Impacket wmiexec" %}

```bash
python wmiexec.py [domain]/[user]@[target-host]
```

{% endtab %}

{% tab title="WMI" %}

```cmd
wmic /node:<IP> /user:<DOMAIN>\<USERNAME> /password:<PASSWORD> process call create "calc.exe"
```

{% endtab %}
{% endtabs %}

## Detection

When binaries are executed via WMI, they become child processes of `WmiPrvSE.exe`. Therefore, it's possible to search for Process Create events where WmiPrvSE is the parent process. This holds true even if you employ WMI to execute a one-liner PowerShell command.

* Event logs generated on the remote machine by a single WMIExec session (establish the connection, execute one command, then exit):
  * Security event IDs: `4672` (Special privileges assigned to new logon), `4624` (Successful logon), `4634` (Logoff).
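The parent/child check described above, as an added example that is not part of the original page or the referenced labs: it parses constructed Sysmon Event ID 1 (ProcessCreate) records, flags every child of `WmiPrvSE.exe`, and rates higher a `cmd.exe` whose output is redirected to the `ADMIN$\__<timestamp>` file described earlier. Field names follow Sysmon's ProcessCreate schema; the three sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed Sysmon Event ID 1 (ProcessCreate) records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    # 1: wmiexec pattern: cmd.exe under WmiPrvSE.exe, output redirected to ADMIN$\__<timestamp>
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>'
    '<Data Name="CommandLine">cmd.exe /Q /c whoami 1&gt; \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2&gt;&amp;1</Data>'
    '<Data Name="ParentImage">C:\\Windows\\System32\\wbem\\WmiPrvSE.exe</Data></EventData></Event>',
    # 2: PowerShell one-liner launched via WMI, no ADMIN$ redirection
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>'
    '<Data Name="CommandLine">powershell.exe -nop -c Get-Process</Data>'
    '<Data Name="ParentImage">C:\\Windows\\System32\\wbem\\WmiPrvSE.exe</Data></EventData></Event>',
    # 3: benign interactive shell, parent is explorer.exe (must not fire)
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>'
    '<Data Name="CommandLine">"C:\\Windows\\System32\\cmd.exe"</Data>'
    '<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data></EventData></Event>',
]

# Output redirection to the ADMIN$ share with the "__" + timestamp filename wmiexec writes.
ADMIN_SHARE_OUTPUT = re.compile(r"\\\\[^\\]+\\ADMIN\$\\__\d+(\.\d+)?", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Return the <Data Name=...> fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Severity of a ProcessCreate event, or None when the parent is not WmiPrvSE.exe."""
    if basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None
    if (basename(event.get("Image", "")) == "cmd.exe"
            and ADMIN_SHARE_OUTPUT.search(event.get("CommandLine", ""))):
        return "high"    # cmd.exe writing its output into ADMIN$\__<timestamp>: wmiexec signature
    return "medium"      # any other WmiPrvSE.exe child: WMI-based execution, review the command line


def scan(events_xml):
    """Return (image, severity) for every event that fires, in input order."""
    events = map(parse_sysmon_event, events_xml)
    return [(basename(e["Image"]), sev) for e in events if (sev := classify(e))]
```

`scan(SAMPLE_EVENTS)` flags the first two records and leaves the explorer.exe-parented shell alone; a SIEM rule would additionally join the `high` hits to the `4624`/`4672` logons listed above on the same host and time window.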

## References

{% embed url="https://labs.withsecure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5/" %}

{% embed url="https://www.ired.team/offensive-security/lateral-movement/wmi-+-msi-lateral-movement" %}
