Wmi allows to open process in hosts where you know username/(password/Hash). Then, Wmiexec uses wmi to execute each command that is asked to execute (this is why Wmicexec gives you semi-interactive shell).
dcomexec.py: This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints (ShellBrowserWindow DCOM object). Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. (from here)
WMI Basics
Namespace
WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces.
List namespaces:
#Get Root namespacesgwmi-namespace"root"-Class"__Namespace"|SelectName#List all namespaces (you may need administrator to list all of them)Get-WmiObject-Class"__Namespace"-Namespace"Root"-List-Recurse2> $null |select __Namespace |sort__Namespace#List namespaces inside "root\cimv2"Get-WmiObject-Class"__Namespace"-Namespace"root\cimv2"-List-Recurse2> $null |select __Namespace |sort__Namespace
List classes of a namespace with:
gwmwi-List-Recurse#If no namespace is specified, by default is used: "root\cimv2"gwmi-Namespace"root/microsoft"-List-Recurse
Classes
The WMI class name eg: win32_process is a starting point for any WMI action. We always need to know a Class Name and the Namespace where it is located.
List classes starting with win32:
Get-WmiObject-Recurse-List-classwin32*|more#If no namespace is specified, by default is used: "root\cimv2"gwmi-Namespace"root/microsoft"-List-Recurse-Class"MSFT_MpComput*"
Call a class:
#When you don't specify a namespaces by default is "root/cimv2"Get-WmiObject-Classwin32_shareGet-WmiObject-Namespace"root/microsoft/windows/defender"-ClassMSFT_MpComputerStatus
Methods
WMI classes have one or more functions that can be executed. These functions are called methods.
#Load a class using [wmiclass], leist methods and call one$c = [wmiclass]"win32_share"$c.methods#Find information about the class in https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share$c.Create("c:\share\path","name",0,$null,"My Description")#If returned value is "0", then it was successfully executed
#List methodsGet-WmiObject-Query'Select * From Meta_Class WHERE __Class LIKE "win32%"'|Where-Object{ $_.PSBase.Methods}|Select-ObjectName,Methods#Call create method from win32_share classInvoke-WmiMethod-Classwin32_share-NameCreate-ArgumentList@($null, "Description", $null, "Name", $null, "c:\share\path",0)
WMI Enumeration
Check WMI service
This how you can check if WMI service is running:
#Check if WMI service is runningGet-ServiceWinmgmtStatusNameDisplayName---------------------RunningWinmgmtWindowsManagementInstrumentation#From CMDnetstart|findstr"Instrumentation"
From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.
wmic computerystem list full /format:list
wmic process list /format:list
wmic ntdomain list /format:list
wmic useraccount list /format:list
wmic group list /format:list
wmic sysaccount list /format:list