WMI for Pentesters: Windows Management Intrusion
WMI — Windows Management Instrumentation — is one of the most underrated tools for pentesters. It’s built into every modern Windows system and offers stealthy, scriptable access to everything from system info and processes to remote command execution and persistence.
If you’re not using WMI during post-exploitation or lateral movement, you’re leaving low-hanging fruit on the tree.
What is WMI?
WMI is Microsoft’s API for system management and monitoring. Think of it as a queryable interface to the internals of Windows, accessible locally or remotely.
You can:
- Query system details (users, software, patches)
- Execute commands remotely
- Set up persistence via event triggers
- Avoid detection when WinRM or PowerShell logging is tight
Tools That Use or Support WMI
- PowerShell
- Impacket (wmiexec.py, wmiquery.py)
- CrackMapExec
- SharpWMI
- PowerView
- Metasploit
Basic WMI Recon Commands
```powershell
Get-WmiObject Win32_OperatingSystem
# Returns OS name, architecture, version, install date
Get-WmiObject Win32_ComputerSystem
# Lists machine name, manufacturer, logged-on user
Get-WmiObject Win32_UserAccount
# Lists all local user accounts
Get-WmiObject Win32_GroupUser
# Lists group memberships
Get-WmiObject Win32_Process
# Lists all running processes
Get-WmiObject Win32_Service | Where-Object {$_.State -eq 'Running'}
# Lists running services
Get-WmiObject Win32_LogicalDisk
# Lists disk partitions and free space
Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled -eq $true}
# Displays IP addresses and DNS info
```
WMI for User & Security Enumeration
```powershell
(Get-WmiObject Win32_ComputerSystem).UserName
# Get currently logged-in user

Get-WmiObject Win32_LogonSession | ForEach-Object {
    $logonID = $_.LogonId
    Get-WmiObject -Query "Associators of {Win32_LogonSession.LogonId=$logonID} Where AssocClass=Win32_LoggedOnUser Role=Dependent"
}
# List all users currently logged into the system
```
WMI for Remote Command Execution (Lateral Movement)
PowerShell (needs credentials and network access):
```powershell
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami" -ComputerName TARGET -Credential $creds
# Executes whoami on the remote target
```
Using Impacket:
```bash
python3 wmiexec.py DOMAIN/user:pass@target
# Runs a semi-interactive remote shell using WMI
```
CrackMapExec:
```bash
cme smb target -u user -p pass --wmi "whoami"
# Executes WMI command remotely via SMB
```
WMI for Persistence (Fileless)
This is an advanced but powerful method. Create a WMI event subscription that triggers your payload when a specific event (like logon) occurs.
Tools to assist:
- WMImplant.ps1 (PowerShell)
- SharpWMI (C#)
- Manual setup using Set-WmiInstance and the __EventConsumer classes
Persistence via WMI is stealthy and hard to spot unless defenders are logging WMI activity with Sysmon or WMI Tracing.
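The flip side of that persistence technique is the audit. The following PowerShell script is an added example (not part of the original post or any of the tools listed): it walks the root/subscription namespace, joins every __FilterToConsumerBinding to its __EventFilter and __EventConsumer, and flags any pair outside a small baseline. The `$baseline` names and the `-ComputerName` parameter are assumptions; the script needs admin rights on the host it queries.

```powershell
# Added example: audit WMI permanent event subscriptions on a local or remote host.
# Assumes DCOM/WMI access with admin rights; run from an elevated PowerShell session.
param([string]$ComputerName = $env:COMPUTERNAME)

$cim = @{ Namespace = 'root/subscription'; ComputerName = $ComputerName; ErrorAction = 'Stop' }

# A default Windows install ships one benign filter/consumer pair. Treat this list
# as a starting point (assumption), not an authoritative allow-list for your estate.
$baseline = @('SCM Event Log Filter', 'SCM Event Log Consumer')

# Reference properties arrive as CimInstance objects (Get-CimInstance) or as WMI path
# strings such as __EventFilter.Name="x" (Get-WmiObject); handle both shapes.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return [string]$ref.Name
}

$filters   = Get-CimInstance @cim -ClassName __EventFilter
$consumers = Get-CimInstance @cim -ClassName __EventConsumer   # base class: returns every consumer subtype
$bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # The consumer carries the action; only these two subtypes execute arbitrary code.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
        default                     { '(non-executing consumer type)' }
    }
    $flag = if (($fName -in $baseline) -and ($cName -in $baseline)) { 'baseline' } else { 'REVIEW' }

    [pscustomobject]@{
        Host         = $ComputerName
        Filter       = $fName
        Trigger      = $f.Query            # WQL that fires the consumer (logon, timer, process start, ...)
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
        Flag         = $flag
    }
}
```

A one-off audit only shows the current state; to catch a subscription at creation time, pair it with Sysmon Event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity) forwarded to your SIEM.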
Real-World Pentesting Use Cases
| Use Case | WMI Technique |
|---|---|
| OS Enumeration | Win32_OperatingSystem |
| Lateral Movement | Invoke-WmiMethod or wmiexec.py |
| AV/Defender Check | Win32_Product or AntiVirusProduct |
| User Discovery | Win32_UserAccount |
| Persistence | WMI event subscription |
| Evasion | Fileless command execution via WMI |
Final Tips
- WMI uses DCOM and is enabled by default on most systems.
- Admin rights are usually required for remote WMI access.
- It’s quieter than PowerShell remoting or PsExec, and less likely to trigger alarms.
- Can be used even when PowerShell is locked down or heavily monitored.
Suggested Labs to Practice
- TryHackMe: WMI Basics
- Hack The Box: boxes with Windows RCE vectors
- Build a small Windows domain and practice wmiexec.py against it
Compromised low-priv Windows user → Enumerate with WMI → Remote command with wmiexec.py → Gain SYSTEM → Lateral movement via WMI again → AD enum.
