Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line.
Supported Platforms: Windows
wmic useraccount get /ALL /format:csvAn adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line.
Supported Platforms: Windows
wmic process get caption,executablepath,commandline /format:csvAn adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed.
Supported Platforms: Windows
wmic qfe get description,installedOn /format:csvAn adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| node | Ip Address | String | 127.0.0.1 |
| service_search_string | Name Of Service | String | Spooler |
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")This test uses wmic.exe to execute a process on the local host. When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process_to_execute | Name or path of process to execute. | String | notepad.exe |
wmic process call create #{process_to_execute}wmic process where name='#{process_to_execute}' delete >nul 2>&1This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| node | Ip Address | String | 127.0.0.1 |
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| process_to_execute | Name or path of process to execute. | String | notepad.exe |
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1