Question:

We have detected activity related to wmiexec.py Target Execution (event classification: targeted lateral movement) on your host. What does the discovery process do on a Windows server? Why does it appear to be performing or using a common hacker tool or method?


Answer:

Some data collected by the Windows Collection Module is not available through WMI. For this data, the Windows Collection Module uses a facility for running commands on Windows hosts through cmd.exe. The wmiexec.py utility from the open source Impacket project is used to provide this facility. 

The process uses the SMB and WMI protocols. First, a WMI session is established with the remote Windows system, and an SMB session is established with the ADMIN$ share. The WMI Win32_Process provider is used to invoke a new process through the cmd.exe command interpreter. The output of the command that is invoked is redirected to a file in the ADMIN$ share, and the contents of this file are read using the established SMB connection. Once all of the data has been read from the output file, the file is removed and the SMB and WMI sessions are torn down.

Please see our Online Windows documentation module in the portal for more detail.
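The sequence described in the answer leaves a recognisable trail on the target: a cmd.exe spawned by WmiPrvSE.exe whose command line redirects output to a file under \\127.0.0.1\ADMIN$, followed by SMB reads and a delete of that file. The following Python is an added example (not Flexera's collector code and not Impacket's wmiexec.py) that shows how an analyst can separate the collector's expected use of this technique from an unexpected one. It assumes process-creation records shaped like Sysmon Event ID 1 and share-access records shaped like Windows Security Event ID 5145, the default wmiexec.py command-line form `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<token> 2>&1`, and a hypothetical allowlist of collector source addresses; all events below are constructed sample data.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Default wmiexec.py command wrapper: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\<share>\__<token> 2>&1
WMIEXEC_RE = re.compile(
    r'^cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*'
    r'\\\\127\.0\.0\.1\\(?P<share>[A-Za-z]+\$)\\(?P<outfile>__\S+)\s+2>&1\s*$',
    re.IGNORECASE,
)

# Constructed sample events (not real logs). id 1 = Sysmon process creation,
# id 5145 = Security network share object access; field names are simplified.
SAMPLE_EVENTS: List[Dict] = [
    # Collector run: WmiPrvSE -> cmd.exe with ADMIN$ redirect, then read + delete of the file.
    {"id": 1, "host": "SRV01", "user": "CORP\\svc_collector", "src_ip": "10.0.5.20",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c systeminfo 1> \\127.0.0.1\ADMIN$\__1580150000.12 2>&1"},
    {"id": 5145, "host": "SRV01", "user": "CORP\\svc_collector", "src_ip": "10.0.5.20",
     "share": r"\\*\ADMIN$", "relative_target": "__1580150000.12", "access": "ReadData"},
    {"id": 5145, "host": "SRV01", "user": "CORP\\svc_collector", "src_ip": "10.0.5.20",
     "share": r"\\*\ADMIN$", "relative_target": "__1580150000.12", "access": "DELETE"},
    # Same tool shape, but from an unexpected user/host and the output file was never removed.
    {"id": 1, "host": "SRV01", "user": "CORP\\jdoe", "src_ip": "10.0.9.77",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1580150999.5 2>&1"},
    {"id": 5145, "host": "SRV01", "user": "CORP\\jdoe", "src_ip": "10.0.9.77",
     "share": r"\\*\ADMIN$", "relative_target": "__1580150999.5", "access": "ReadData"},
    # WMI-spawned cmd.exe without the ADMIN$ redirect: not the wmiexec pattern, not flagged.
    {"id": 1, "host": "SRV01", "user": "NT AUTHORITY\\SYSTEM", "src_ip": "-",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
]


def classify(events: Iterable[Dict], expected_sources: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Find wmiexec-style executions and enrich each with the fate of its output file.

    expected_sources is a hypothetical allowlist of collector IPs; anything else
    that uses the same technique is marked for review rather than auto-dismissed.
    """
    events = list(events)
    # Index share-access events by the relative file name so we can see whether the
    # output file was read back and then removed, as the collector's flow describes.
    share_access: Dict[str, List[str]] = {}
    for e in events:
        if e["id"] == 5145:
            share_access.setdefault(e["relative_target"], []).append(e["access"])

    findings = []
    for e in events:
        if e["id"] != 1 or not e["parent"].lower().endswith("\\wmiprvse.exe"):
            continue
        m = WMIEXEC_RE.match(e["cmdline"])
        if not m:
            continue
        outfile = m.group("outfile")
        accesses = share_access.get(outfile, [])
        findings.append({
            "host": e["host"],
            "user": e["user"],
            "src_ip": e["src_ip"],
            "share": m.group("share"),
            "command": m.group("cmd"),
            "output_file": outfile,
            "output_read": "ReadData" in accesses,
            "output_deleted": "DELETE" in accesses,
            "verdict": "expected-collector" if e["src_ip"] in expected_sources else "review",
        })
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS, expected_sources=frozenset({"10.0.5.20"})):
        print(f"{f['verdict']:18} {f['user']:22} {f['src_ip']:10} "
              f"cmd={f['command']!r} read={f['output_read']} deleted={f['output_deleted']}")
```

The decisive signals are the parent process, the 127.0.0.1 loopback UNC redirect into an administrative share, and the read-then-delete of the `__<token>` file; a command that the collector ran should show all of them from a known source address, while the same shape from an unexpected account, or an output file that is left behind, is worth treating as the lateral-movement alert it was classified as.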

Last update: Jan 27, 2020 06:43 PM