search

WMI and WinRM

hashtag
WMI

Windows Management Instrumentationarrow-up-right (WMI), is an object-oriented feature for task automation. It communicates through RPC over port 135 and capable of creating processes.

WMI is capable of creating processes via the Create method from the Win32_Process class.

hashtag
Remote process

To create a process on the remote target using WM it is required member of the Administrators local group.

Create a process using wmic:

wmic /node:<target> /user:<username> /password:<password> process call create "<command>"

Create a process using PowerShell:

$username = '<username>';
$password = '<password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <target> -Credential $credential -SessionOption $Options 
$command = '<command>';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

hashtag
WinRM

Windows Remote Managementarrow-up-right is Microsoft's implementation of the WS-Managementarrow-up-right protocol, used for remote host management. It exchanges XML-based messages over HTTP and HTTPS for secure communication.

hashtag
WinRS

Windows Remote Shell is a command-line tool used for executing commands remotely on a Windows machine using the WinRM protocol. It allows administrators to manage remote systems securely, similar to SSH in Linux.

hashtag
Usage:

hashtag
PS-Remoting

PowerShell Remoting allows for the remote execution of PowerShell commands and scripts on other Windows machines using the WinRM protocol. It supports interactive sessions.

The following requirements must be met to use PS-Remoting:

  • PS-Remoting must be enabled on the target machine.

  • The user must belong to either the Administrators group or the Remote Management Users group.

hashtag
Usage:

hashtag
References

LogoWS-ManagementWikipediachevron-right
WS-Management protocol
LogoWindows Remote Management - Win32 appsMicrosoftLearnchevron-right
WinRM
LogowinrsMicrosoftLearnchevron-right
winrs
LogoWindows Management Instrumentation - Win32 appsMicrosoftLearnchevron-right
WMI
PreviousLateral MovementNextPsExec

Last updated