# Offensive WMI

**Windows Management Instrumentation (WMI)** is a powerful feature of the Windows operating system that provides a standardized interface for accessing and managing various components of a computer. It is extensively used for administrative purposes, but its capabilities can also be leveraged for offensive security purposes, making it a valuable tool for red teamers.

#### Why WMI is Useful for Red Teaming

**Remote Management**: WMI allows for the execution of commands and scripts on remote systems, facilitating lateral movement within a network without the need for additional tools.

**Stealth and Evasion**: WMI operates through legitimate, signed Windows components (the WMI service and its `WmiPrvSE.exe` provider hosts), so no extra tooling has to be copied to the host and signature-based controls are less likely to alert than they would on a dropped binary. It is not invisible, though: remote WMI calls travel over DCOM/RPC or WinRM, Windows keeps the `Microsoft-Windows-WMI-Activity/Operational` log, and processes started through `Win32_Process.Create` have `WmiPrvSE.exe` as their parent, which defenders commonly monitor.

**Automation and Scripting**: WMI can be scripted using languages such as PowerShell or VBScript, enabling the automation of complex tasks and reducing manual intervention.

**Extensive Functionality**: WMI can interact with various system components, such as file systems, registry, processes, services, and network settings, providing comprehensive control over the target environment.

#### WMI Architecture

Below is an image depicting the WMI architecture:

Credit: Microsoft's Official Website

<figure><img src="/files/zwYaiFIm3GhMgvdnOAaW" alt=""><figcaption><p><em>WMI Architecture taken from Microsoft's Official Page</em></p></figcaption></figure>

### Examples and Usage

#### Example 1: Querying System Information

This script queries detailed information about the operating system on the target machine.

```powershell
Get-WmiObject -Class Win32_OperatingSystem
```

<figure><img src="/files/SJ65OvSTkwxc3mqgBrpW" alt=""><figcaption><p><em>WMI command to check the OS details</em></p></figcaption></figure>

#### Example 2: Executing a Remote Command

This script creates a new process (Notepad) on the target machine using WMI.

```powershell
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe"
```

<figure><img src="/files/zEdEUEJAqoS8ttIKNEbA" alt=""><figcaption><p><em>notepad is opened using WMI command</em></p></figcaption></figure>
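The process created above is spawned by `WmiPrvSE.exe`, the WMI provider host, and that parent relationship is the usual detection hook. The following script is an added example, not part of the original page, that uses WMI's own event system (an intrinsic `__InstanceCreationEvent` on `Win32_Process`) to watch for processes whose parent is `WmiPrvSE.exe`. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets and local administrator rights; the function name `Watch-WmiSpawnedProcess` and the `WmiSpawnWatch` identifier are assumptions of this example.

```powershell
# Added example (not from the original page): watch for processes spawned via WMI by
# checking whether the parent of each new process is WmiPrvSE.exe.
# Assumes PowerShell 5.1+ (CIM cmdlets) and local administrator rights.
function Watch-WmiSpawnedProcess {
    param([int]$Seconds = 60)   # how long to watch before returning

    # Intrinsic event: WMI polls every 2 seconds for new Win32_Process instances.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'WmiSpawnWatch' | Out-Null

    $deadline = (Get-Date).AddSeconds($Seconds)
    try {
        while ((Get-Date) -lt $deadline) {
            # Wait-Event returns $null when the timeout elapses without an event.
            $ev = Wait-Event -SourceIdentifier 'WmiSpawnWatch' -Timeout 1
            if (-not $ev) { continue }
            Remove-Event -EventIdentifier $ev.EventIdentifier

            $proc = $ev.SourceEventArgs.NewEvent.TargetInstance   # the new Win32_Process

            # Resolve the parent by PID. The parent may already have exited and PIDs can be
            # reused, so a null or non-WmiPrvSE result is simply ignored.
            $parent = Get-CimInstance -ClassName Win32_Process `
                        -Filter "ProcessId = $($proc.ParentProcessId)"
            if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe') {
                [pscustomobject]@{
                    Time            = Get-Date
                    ProcessId       = $proc.ProcessId
                    ParentProcessId = $proc.ParentProcessId
                    Image           = $proc.ExecutablePath
                    CommandLine     = $proc.CommandLine
                }
            }
        }
    }
    finally {
        # Always release the subscription, even on Ctrl+C.
        Unregister-Event -SourceIdentifier 'WmiSpawnWatch'
    }
}

# Usage: collect hits for two minutes and show them as a table.
Watch-WmiSpawnedProcess -Seconds 120 | Format-Table -AutoSize
```

Legitimate management tooling (configuration management agents, monitoring scripts) also launches processes through `WmiPrvSE.exe`, so the output is a list to baseline rather than an alert by itself; the same `ParentImage`/creator-process check can be applied retrospectively to Sysmon Event ID 1 or Security Event ID 4688 records where those are collected.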

#### Example 4: Enumerating Running Processes

This script lists all running processes on the target machine.

{% code overflow="wrap" %}

```powershell
$targetMachine = "TARGET_MACHINE_NAME"  # Replace with the actual target machine name or IP address

# Get running processes information
Get-WmiObject -Class Win32_Process -ComputerName $targetMachine | Select-Object Name, ProcessId, CommandLine
```

{% endcode %}

This script uses WMI to query the `Win32_Process` class on the target machine and retrieves information about running processes, including the process name, process ID, and command line.

<figure><img src="/files/BL6OkVUis85uhmzKLYri" alt=""><figcaption><p><em>WMI using PowerShell</em></p></figcaption></figure>

#### Conclusion

Using WMI for offensive purposes allows red teamers to execute commands, create persistence mechanisms, and gather valuable information from target machines while maintaining a low profile. These examples demonstrate the versatility of WMI in red teaming scenarios, highlighting its potential for stealthy and efficient operations.
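The persistence mechanism the conclusion refers to is the permanent WMI event subscription: an `__EventFilter` (a WQL query for a trigger such as system start), an `__EventConsumer` (what to run), and a `__FilterToConsumerBinding` tying the two together, all stored in the `root\subscription` namespace. Auditing that namespace is the standard defensive check. The script below is an added example, not part of the original page; it uses the same `Get-WmiObject` cmdlet as the examples above and assumes Windows PowerShell (where that cmdlet exists) and administrator rights on the queried host. The function name `Get-WmiEventSubscription` is an assumption of this example.

```powershell
# Added example (not from the original page): enumerate permanent WMI event subscriptions
# on a host and flag the consumer types that execute arbitrary commands or scripts.
# Assumes Windows PowerShell (Get-WmiObject) and administrator rights.
function Get-WmiEventSubscription {
    param([string]$ComputerName = '.')   # '.' is the local machine

    $ns = 'root\subscription'

    # Index filters and consumers by name so each binding can be resolved.
    $filters = @{}
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    $consumers = @{}
    # __EventConsumer is the base class; the query returns every concrete consumer subclass.
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding |
    ForEach-Object {
        # Filter and Consumer are WMI object paths, e.g. __EventFilter.Name="SCM Event Log Filter",
        # so the Name key is pulled out with a regex.
        $fName = [regex]::Match($_.Filter,   'Name="([^"]*)"').Groups[1].Value
        $cName = [regex]::Match($_.Consumer, 'Name="([^"]*)"').Groups[1].Value
        $f = $filters[$fName]
        $c = $consumers[$cName]

        # Only these two consumer classes run attacker-controlled code; the others
        # (log writers, SMTP, file writers) are far less interesting.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        [pscustomobject]@{
            Computer      = $ComputerName
            Filter        = $fName
            Query         = $f.Query
            ConsumerClass = $c.__CLASS
            Consumer      = $cName
            Payload       = $payload
            Suspicious    = $c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

# Usage: list every binding and highlight the ones that execute commands or scripts.
Get-WmiEventSubscription | Sort-Object Suspicious -Descending | Format-List
```

A stock Windows install normally carries one binding, the `SCM Event Log Filter` to `SCM Event Log Consumer` (an `NTEventLogEventConsumer`), so anything else, and in particular any `CommandLineEventConsumer` or `ActiveScriptEventConsumer`, deserves a look at its query and payload. Sysmon Event IDs 19, 20 and 21 record the creation of these three object types if continuous monitoring rather than a point-in-time audit is wanted.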

