cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Collection - wmiexec.py Activity

Windows Collection - wmiexec.py Activity

Question:

We have detected activity related to wmiexec.py Target Execution (event classification: targeted lateral movement) on your host. What does the discovery process do on a Windows server? Why does it appear to be performing or using a common hacker tool or method?

 

Answer:

Some data collected by the Windows Collection Module is not available through WMI. For this data, the Windows Collection Module uses a facility for running commands on Windows hosts through cmd.exe. The wmiexec.py utility from the open source Impacket project is used to provide this facility. 

The process uses the SMB and WMI protocols. First, a WMI session is established with the remote Windows system, and an SMB session is established with the ADMIN$ share. The WMI Win32_Process provider is used to invoke a new process through the cmd.exe command interpreter. The output of the command that is invoked is redirected to a file in the ADMIN$ share, and the contents of this file is read using the established SMB connection. Once all of the data has been read from the output file, the file is removed and the SMB and WMI sessions are torn down.

Please see our Online Windows documentation module in the portal for more detail.

 

 

Was this article helpful? Yes No
No ratings
Version history
Last update:
‎Jan 27, 2020 06:43 PM
Updated by:
Contributors