WMI is commonly employed to execute and automate administrative tasks in Windows, including interactions with remote computers. An executable (wmic.exe) is included in the Windows operating system to perform these remote administrative tasks, or the same Windows APIs can be utilized by PowerShell or other scripting languages. This executable has been re-implemented in the Impacket suite.

By utilizing either the wmic.exe executable or Impacket's wmiexec, your command inputs are executed within a CMD.EXE process, and the output is stored in a temporary file within the ADMIN$ share of the remote machine. This temporary file can be identified within the ADMIN$ share by searching for a filename beginning with "__+TIMESTAMP".

The CMD.exe process employed becomes a child process of WmiPrvSe.exe on the currently compromised system. If the target system is under monitoring, a Security Operations Center (SOC) might detect malicious activity due to the creation of this process.

Once the threads of the process finish their tasks, the process terminates, and the output is written into the temporary file. Subsequently, the output stored in the temporary file is returned to our machine via SMB.

python wmiexec.py [domain]/[user]@[target-host]

wmic /node:<IP> /user:<DOMAIN>\<USERNAME> /password:<PASSWORD> process call create “calc.exe”

Detection :

When binaries are executed via WMI, they become child processes of WmiPrvSE.exe. Therefore, it's possible to search for Process Create events where WmiPrvSE is the parent process. This holds true even if you employ WMI to execute a one-liner PowerShell command.

• For event logs generated by WMIExec on the remote machine: Event logs generated (to establish communication and execute a single command, then exit WMIExec)

  • Security event IDs: 4672 (Special privileges assigned to new logon), 4624 (Successful logon), 4634 (Logoff).

References