WMI (Windows Management Instrumentation) is a built-in Windows framework for managing systems locally and remotely. Attackers abuse it for lateral movement because it can execute commands on a remote host (via the Win32_Process class) using just valid credentials or an NTLM hash, without creating a service or dropping an obvious binary. Impacket’s wmiexec.py gives a semi-interactive shell. Because WMI is legitimate management traffic, this technique is quieter than PsExec.
What WMI is
WMI is the standard Windows interface for management data and actions, used by administrators and monitoring tools to query and control systems. It works remotely over DCOM (and, more recently, WS-Management/WinRM).
One of its capabilities, the Win32_Process.Create method, starts a process on a remote machine. That single feature is what attackers repurpose: a legitimate management action becomes remote command execution.
The abuse and payload
With valid credentials or a hash for a local admin on the target, the attacker runs commands via WMI:
- Impacket (semi-interactive shell):
  wmiexec.py corp.local/user:Password1@10.0.0.5
- With a stolen hash:
  wmiexec.py -hashes :<nt-hash> corp.local/user@10.0.0.5
- Native PowerShell:
  Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList "cmd /c ..."
No service is created and no binary is written to disk in the obvious way, so WMI execution is stealthier than PsExec. These are documented, widely known techniques; they are shown here so defenders know what to look for.
How to defend
- Limit local-administrator rights and use LAPS, since WMI execution still needs admin on the target.
- Segment and restrict WMI/DCOM traffic between workstations.
- Reduce NTLM and enforce signing to blunt Pass-the-Hash via WMI.
- Enable WMI activity logging and detect remote Win32_Process creation.
- Monitor for one account driving WMI execution across many hosts.
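The last two defensive points, as an added detection example (not code from the original page or from Impacket): a process created through Win32_Process.Create is spawned by WmiPrvSE.exe, and wmiexec.py's default mode collects output by redirecting it to the host's own ADMIN$ share over loopback, so both signals can be pulled from process-creation telemetry and then grouped by account to spot fan-out across hosts. The records below are constructed in the shape of Sysmon Event ID 1 fields; the field names, hosts, accounts and commands are assumptions for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Not real telemetry: hosts, accounts and command lines are invented.
WMIPRVSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc-backup", "parent": WMIPRVSE,
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.11 2>&1"},
    {"host": "WS02", "user": "CORP\\svc-backup", "parent": WMIPRVSE,
     "cmdline": "cmd.exe /Q /c net localgroup administrators 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.22 2>&1"},
    {"host": "WS03", "user": "CORP\\svc-backup", "parent": WMIPRVSE,
     "cmdline": "cmd /c whoami"},
    {"host": "WS04", "user": "CORP\\mon-svc", "parent": WMIPRVSE,
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

def is_wmi_spawned(event):
    """A process whose parent is WmiPrvSE.exe was started through WMI,
    which is how a remote Win32_Process.Create call lands on the host."""
    return ntpath.basename(event["parent"]).lower() == "wmiprvse.exe"

def has_admin_share_redirect(event):
    """wmiexec.py's default mode writes command output to a file on the
    host's own ADMIN$ share via the loopback address and reads it back."""
    return "\\\\127.0.0.1\\admin$" in event["cmdline"].lower()

def detect(events, host_threshold=3):
    """Return WMI-spawned processes plus accounts that drove WMI execution
    on at least host_threshold distinct hosts (lateral-movement fan-out)."""
    spawned = []
    hosts_by_user = defaultdict(set)
    for ev in events:
        if not is_wmi_spawned(ev):
            continue
        spawned.append({"host": ev["host"], "user": ev["user"],
                        "cmdline": ev["cmdline"],
                        "wmiexec_style": has_admin_share_redirect(ev)})
        hosts_by_user[ev["user"]].add(ev["host"])
    fan_out = {u: sorted(h) for u, h in hosts_by_user.items()
               if len(h) >= host_threshold}
    return spawned, fan_out

if __name__ == "__main__":
    spawned, fan_out = detect(SAMPLE_EVENTS)
    for s in spawned:
        print(f"{s['host']:5} {s['user']:16} wmiexec_style={s['wmiexec_style']} {s['cmdline']}")
    print("fan-out:", fan_out)
```

Benign WMI-driven processes (inventory, monitoring and deployment agents) also have WmiPrvSE.exe as their parent, so the parent check alone needs baselining; the ADMIN$ loopback redirect and the per-account host fan-out are the higher-confidence signals.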