Skip to content
All Skills

Performing Lateral Movement With Wmiexec

Perform lateral movement across Windows networks using WMI-based remote execution techniques including Impacket wmiexec.py, CrackMapExec, and native WMI commands for stealthy post-exploitation during red team engagements.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "performing-lateral-movement-with-wmiexec-72f455d9" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Performing Lateral Movement with WMIExec


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Overview

WMI (Windows Management Instrumentation) is a legitimate Windows administration framework that red teams abuse for lateral movement because it provides remote command execution without deploying additional services or leaving obvious artifacts like PsExec. Impacket's wmiexec.py creates a semi-interactive shell over WMI by executing commands through Win32_Process.Create and reading output via temporary files on ADMIN$ share. Unlike PsExec, WMIExec does not install a service on the target, making it stealthier and less likely to trigger security alerts. WMI-based lateral movement maps to MITRE ATT&CK T1047 (Windows Management Instrumentation) and is used by threat actors including APT29, APT32, and Lazarus Group.


## When to Use

- When conducting security assessments that involve performing lateral movement with wmiexec
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Objectives

- Execute remote commands on Windows targets using WMI-based techniques
- Establish semi-interactive shells via Impacket wmiexec.py
- Perform lateral movement with Pass-the-Hash using WMI
- Use CrackMapExec for multi-target WMI command execution
- Execute native PowerShell WMI commands for fileless lateral movement
- Chain WMI with credential harvesting for network-wide access

## MITRE ATT&CK Mapping

- **T1047** - Windows Management Instrumentation
- **T1021.003** - Remote Services: Distributed Component Object Model (DCOM)
- **T1550.002** - Use Alternate Authentication Material: Pass the Hash
- **T1059.001** - Command and Scripting Interpreter: PowerShell
- **T1570** - Lateral Tool Transfer

## Workflow

### Phase 1: WMIExec with Impacket
1. Execute a semi-interactive shell with credentials:
   ```bash
   # With cleartext password
   wmiexec.py domain.local/admin:'Password123'@10.10.10.50

   # With NT hash (Pass-the-Hash)

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#incident#responsepythonimpacketcrackmapexec
Performing Lateral Movement With Wmiexec - AgentArmory Skill — AgentArmory