Windows management instrumentation services
You don't need to download or install a specific software development kit (SDK) to create scripts or applications for WMI. However, some WMI administrative tools are useful to developers; for more information, see the Downloads section in Further information.

Wmiexec offers a workable pseudo-shell experience: for each command entered on the client side, it launches a separate shell on the target machine to run that command.

Both psexec and smbexec (see my previous post) use Windows Services to launch commands on the remote system. Smbexec is a little stealthier, since it quickly creates and then deletes a service, whereas psexec leaves the telltale service around.

Keep in mind that WMI is generally not the first place defenders investigate as a possible source of threats, whereas Services is usually a good starting point when looking for evidence of an attack. Well played, wmiexec! While I thought I was being clever in my own WMI experiments, it turns out the pen tester community has been there and done that!

You query this underlying Windows object to find the users who are currently logged on.

Got that? The next question is how to code the script block. The mythical insider in my scenario is interested in a specific user, Cruella. You can gaze upon the complete solution below:

Keep in mind that our insider is lying low. You can make your lateral move when you get the notification from Register-WmiEvent. How does the script then return the interesting news that Cruella has logged on to the targeted machine?

Those of you who spotted the use of Netcat commands above get extra credit. Netcat is a well-known and versatile communications tool (not necessarily considered malware) that can pop a reverse shell or simply send a message across the network.

I went with the latter option. Mission accomplished. In this scenario, I wanted to use wmiexec to remotely launch a payload that would alert me when a particular user, Cruella, logs into the system, after which I could dump and crack her credentials. This would be the stealthiest way to pull it off: both remote and fileless.

The only problem, I thought at first, was the temporary nature of the WMI event. So I needed to wrap my obscenely long Register-WmiEvent below in a PowerShell command line with the -NoExit option, ensuring that the PowerShell process stayed around after Register-WmiEvent ran and thereby preserving the event subscription.

More headaches: I had to abandon using pipes because they seemed to cause parsing errors. I eventually came up with this long, long one-liner:

It looked promising, and it seemed to execute correctly judging by the Windows Event log on the target system. WMI permanent events, though somewhat complicated, are a more effective way for insiders to conduct surveillance on their coworkers than temporary events, and they are also a much better way to monitor for insider threats.

Permanent events take a little longer to learn, but they are the most effective way to implement a rigorous monitoring system across large systems.
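An audit routine for the permanent-subscription mechanism discussed above, added here as an example and not code from the original post: it lists every filter-to-consumer binding in root/subscription together with the consumer's command-line or script payload, and pulls the WMI-Activity log records (event 5861) that mark new permanent bindings. The function names are my own; it assumes PowerShell 3 or later, and Windows 10 / Server 2016 or later for the log query.

```powershell
# Run in an elevated PowerShell session on the host being audited.

function Get-WmiRefName {
    # References come back as CIM instances (Get-CimInstance) or as strings such
    # as __EventFilter.Name="foo" (Get-WmiObject); resolve both to the Name key.
    param($Ref)
    if ($Ref -is [string]) { if ($Ref -match 'Name="([^"]*)"') { $Matches[1] } else { $Ref } }
    elseif ($Ref.PSObject.Properties['Name']) { $Ref.Name } else { [string]$Ref }
}

function Get-WmiPersistentSubscription {
    $ns = 'root/subscription'
    $filters = @{}; $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    # __EventConsumer is the abstract parent, so this enumerates every consumer type.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $f = $filters[(Get-WmiRefName $_.Filter)]
        $c = $consumers[(Get-WmiRefName $_.Consumer)]
        # CommandLineEventConsumer and ActiveScriptEventConsumer execute code; show their payload.
        $payload = if ($c.PSObject.Properties['CommandLineTemplate']) { $c.CommandLineTemplate }
                   elseif ($c.PSObject.Properties['ScriptText']) { $c.ScriptText }
        [pscustomobject]@{
            Filter       = $(if ($f) { $f.Name } else { '<dangling filter>' })
            Query        = $(if ($f) { $f.Query })
            Consumer     = $(if ($c) { $c.Name } else { '<dangling consumer>' })
            ConsumerType = $(if ($c) { $c.CimClass.CimClassName })
            Payload      = $payload
            RunsCode     = [bool]$payload
        }
    }
}

function Get-WmiBindingEvent {
    # Event 5861 in Microsoft-Windows-WMI-Activity/Operational records each new
    # permanent consumer binding (Windows 10 / Server 2016 and later).
    param([int]$Days = 30)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Message
}

Get-WmiPersistentSubscription | Where-Object RunsCode | Format-List
Get-WmiBindingEvent | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good build of the same Windows version; a binding whose filter watches logon sessions and whose consumer runs a command line is exactly the pattern described above and warrants a closer look.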