Wmiexec
As part of internal penetration testing in Active Directory environments, it is often necessary to execute remote commands on Windows machines. Several tools are available for this purpose, but one of the most widely used is wmiexec.
The general principle of wmiexec
wmiexec lets you execute remote commands without copying files or creating services on the target machine. It is based on WMI (Windows Management Instrumentation), a native Windows technology for controlling a local or remote system.
When used remotely, WMI does not operate directly on the network. It actually relies on another technical layer called DCOM (Distributed Component Object Model).
Understanding DCOM and RPC
What is DCOM?
DCOM is an extension of Microsoft’s COM model. Whereas COM enables software to exchange data and functions on a single machine, DCOM enables this communication between different machines on a network.
In concrete terms, DCOM enables an application on one machine to request execution of a function on a remote server, without having to manage the details of network communication. The application acts as if the remote function were local. DCOM encapsulates the remote method call and takes care of the necessary transport and exchange management.
What about RPC?
Under the hood, DCOM uses RPC (Remote Procedure Call) to transport messages over the network. RPC provides the low-level mechanism for passing function calls across the network, opening the necessary connections, managing ports and transmitting data.
So, to summarize, when communicating with wmiexec, here’s what happens:
- At the lowest level, RPC takes care of network transport. It opens the initial connection on TCP port 135.
- On top of RPC, DCOM handles remote object calls, i.e. method calls on the remote machine.
- Finally, at the application level, WMI provides the administration interface, enabling you to create a remote process, for example.
Limitations of wmiexec
- Often detected by EDRs
- Requires administrator privileges on the target
- Firewalls must let DCOM/RPC flows through
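Because WMI creates the remote process through the WMI provider host, the resulting parent/child relationship is what EDRs and SIEM rules key on. The following detection logic is an added example, not code from the article: it scans constructed process-creation events shaped like Sysmon Event ID 1 fields, flags children of WmiPrvSE.exe, and additionally matches the ADMIN$ output redirection that Impacket's wmiexec uses by default (a tool default the article itself does not mention).

```python
# Added example (not from the article): detection logic for the process
# creation path wmiexec relies on. Events mimic Sysmon Event ID 1 fields;
# the SAMPLE_EVENTS below are constructed, not real telemetry.
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Impacket's wmiexec redirects output to "\\127.0.0.1\ADMIN$\__<timestamp>"
# (a default of that tool, not something the article describes).
WMIEXEC_OUTPUT_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Indicators matched by one process-creation event (empty if none)."""
    indicators = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    # Win32_Process.Create launches the child under the WMI provider host,
    # so WmiPrvSE.exe as parent is the core signal for WMI remote execution.
    if parent == "wmiprvse.exe":
        indicators.append("spawned_by_wmiprvse")
        if image in SHELLS:
            indicators.append("shell_via_wmi")
    if WMIEXEC_OUTPUT_RE.search(event.get("CommandLine", "")):
        indicators.append("wmiexec_output_redirect")
    return indicators

def find_wmi_remote_exec(events: list) -> list:
    """Return (CommandLine, indicators) for events worth an analyst's look."""
    scored = [(ev["CommandLine"], classify(ev)) for ev in events]
    return [(cmd, ind) for cmd, ind in scored if ind]

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1 2>&1"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\Monitoring\agent.exe",  # legitimate WMI consumer
     "CommandLine": r"agent.exe --collect"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for cmd, ind in find_wmi_remote_exec(SAMPLE_EVENTS):
        print(", ".join(ind), "->", cmd)
```

The second sample shows why the bare "spawned_by_wmiprvse" signal needs tuning: legitimate management agents also create processes through WMI, so the shell and output-redirect indicators are what separate wmiexec-style activity from routine administration.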