Overview
The WMI command allows you to run custom WMI (Windows Management Instrumentation) queries against the system. WMI provides extensive access to system configuration and state data, making it a powerful reconnaissance tool. This command requires you to specify the WMI query as an argument.
Syntax
Output
Returns results based on the specified WMI query. The output format depends on the queried WMI class and properties.
Use Cases
Red Team
- Execute custom reconnaissance queries
- Enumerate installed software via Win32_Product
- Query running processes and services
- Discover system hardware configuration
- Extract detailed system information
- Identify security products
Blue Team
Common WMI Queries
- System Info
- Software
- Network
- Security
Example Output
Remote Execution
This command supports remote execution using the -computername parameter.
Detection Considerations
- WMI Activity: Generates WMI-Activity/Operational logs (Event ID 5857-5861)
- Network Traffic: Remote WMI over RPC (port 135 + dynamic ports)
- Process Creation: WMI Provider hosts may spawn
- Event Logs: WMI queries can be logged
- Sysmon: Event ID 19-21 (WMI events)
Defensive Recommendations
Monitoring Strategies
WMI Logging:
- Enable the WMI-Activity/Operational log
- Monitor Event ID 5857 (WMI queries)
- Track WMI provider loads
Network Monitoring:
- Monitor RPC connections (port 135)
- Track DCOM activity
- Alert on remote WMI connections
Suspicious Query Patterns:
- Suspicious WMI classes (Win32_Product is slow and noisy: enumerating it triggers a consistency check of every installed MSI package and writes MsiInstaller events to the Application log)
- Reconnaissance queries (process, service, software enumeration)
- Persistence queries (event consumers, filters)
Sysmon Events:
- Event ID 19: WMI event filter activity
- Event ID 20: WMI event consumer activity
- Event ID 21: WMI event consumer to filter binding
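The detection considerations and monitoring strategies above can be turned into a small triage pass over exported WMI-Activity records. This is an added example, not part of the command's documentation or the project's code; it assumes records exported as dicts whose field names follow the EventData of WMI-Activity Event ID 5858 (Operation, ClientMachine, User), flags queries from a different host than the local one, and tags the reconnaissance and persistence classes named on this page. The sample records are constructed, not real logs.

```python
import re
# Recon classes named in the page's use cases (lower-cased for matching).
RECON_CLASSES = {
    "win32_process": "process enumeration",
    "win32_service": "service enumeration",
    "win32_product": "installed-software enumeration (slow and noisy)",
    "win32_computersystem": "hardware enumeration",
    "antivirusproduct": "security-product discovery",
}
# Classes used by permanent event subscriptions (filter, consumer, binding).
PERSISTENCE_CLASSES = {"__eventfilter", "__filtertoconsumerbinding",
                       "commandlineeventconsumer", "activescripteventconsumer"}
# Every class named after FROM or ISA in plain WQL (assumption: no exotic quoting).
CLASS_RE = re.compile(r"\b(?:from|isa)\s+'?([A-Za-z_]\w*)'?", re.I)

def classify_query(wql):
    """Return (classes, tags) for one WQL statement."""
    classes = [c.lower() for c in CLASS_RE.findall(wql)]
    tags = ["recon:" + RECON_CLASSES[c] for c in classes if c in RECON_CLASSES]
    tags += ["persistence:" + c for c in classes if c in PERSISTENCE_CLASSES]
    return classes, tags

def triage(events, local_host):
    """Flag ExecQuery records that come from another host or touch recon/persistence classes."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5858 or "ExecQuery" not in ev.get("Operation", ""):
            continue
        # Operation reads "Start IWbemServices::ExecQuery - <namespace> : <WQL>" (assumed layout)
        wql = ev["Operation"].split(" : ", 1)[-1]
        classes, tags = classify_query(wql)
        if ev.get("ClientMachine", "").lower() != local_host.lower():
            tags.insert(0, "remote-client")  # WMI over RPC/DCOM from another machine
        if tags:
            findings.append({"client": ev.get("ClientMachine", "?"),
                             "user": ev.get("User", "?"), "classes": classes, "tags": tags})
    return findings

# Constructed sample records (not real logs); the Win32_OperatingSystem query is benign noise.
_OP = "Start IWbemServices::ExecQuery - root\\cimv2 : "
SAMPLE_EVENTS = [
    {"EventID": 5858, "ClientMachine": "WS01", "User": "CORP\\alice",
     "Operation": _OP + "SELECT * FROM Win32_Product"},
    {"EventID": 5858, "ClientMachine": "REMOTE-HOST", "User": "CORP\\svc-wmi",
     "Operation": _OP + "SELECT Name, ProcessId FROM Win32_Process"},
    {"EventID": 5858, "ClientMachine": "WS01", "User": "SYSTEM",
     "Operation": "Start IWbemServices::ExecQuery - root\\subscription : SELECT * FROM __EventFilter"},
    {"EventID": 5858, "ClientMachine": "WS01", "User": "CORP\\bob",
     "Operation": _OP + "SELECT * FROM Win32_OperatingSystem"},
]
```

Running `triage(SAMPLE_EVENTS, "WS01")` yields three findings: the local Win32_Product enumeration, the remote Win32_Process enumeration (tagged remote-client first), and the __EventFilter query in the subscription namespace; the Win32_OperatingSystem query is not flagged.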
Related Commands
- WMIEventConsumer - WMI event consumers
- WMIEventFilter - WMI event filters
- WMIFilterBinding - WMI filter bindings
- Processes - Running processes
- Services - Windows services