WMI (Over RPC) - 135


Cheat sheet

Command | Description
wmic /node:<target> /user:<user> /password:<pass> process list | List running processes on remote system
wmic /node:<target> /user:<user> /password:<pass> process call create "<cmd>" | Remotely execute a command
wmiexec.py <user>:<pass>@<target> | Interactive shell using Impacket’s WMI Exec
crackmapexec wmi <target> -u <user> -p <pass> --exec-method smbexec | Execute command via WMI using CrackMapExec
powershell "Get-WmiObject -Class Win32_OperatingSystem -ComputerName <target>" | Query basic system info using PowerShell + WMI

WMI is a built-in Windows framework for querying and managing system information and performing administrative tasks.

It works both locally and remotely (remote access goes over DCOM, which is RPC-based) and supports process execution, service management, user enumeration, and more.

• Protocol: DCOM/RPC

• Ports:

▪ 135/TCP (RPC endpoint)
▪ Dynamic RPC: 49152–65535 (usually negotiated)

• Auth: NTLM, Kerberos

• Access Requirements:

▪ User must be part of Administrators or Distributed COM Users
▪ Firewall must allow remote WMI/DCOM
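Because a command launched through WMI (Win32_Process.Create, as used by the wmic and wmiexec.py entries above) is started by the WMI provider host, the resulting process has WmiPrvSE.exe as its parent. The following added detection example, which is not part of the original cheat sheet, flags such processes and correlates them with a recent network (type 3) logon for the same account to separate remote execution from routine local WMI activity; the event records are constructed samples modelled on Sysmon Event ID 1 and Security Event ID 4624, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1
# (ProcessCreate) and Windows Security Event ID 4624 (Logon).
EVENTS = [
    {"id": 4624, "time": "2024-05-01T10:00:00", "user": "CORP\\jdoe",
     "logon_type": 3, "src_ip": "10.0.0.5"},
    {"id": 1, "time": "2024-05-01T10:00:02", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1714557602 2>&1"},
    {"id": 1, "time": "2024-05-01T10:05:00", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\wbem\\WMIADAP.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "wmiadap.exe /F /T /R"},
    {"id": 1, "time": "2024-05-01T10:07:00", "user": "CORP\\svc",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]

# Child images that indicate arbitrary command execution rather than a WMI helper.
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe")

def detect_remote_wmi_exec(events, window=timedelta(minutes=5)):
    """Return one alert per process whose parent is WmiPrvSE.exe.

    Severity is "high" when a type 3 (network) logon for the same account
    preceded the process within `window` AND the child is a shell, "medium"
    when only one of those holds, and "low" otherwise (e.g. WMIADAP.exe).
    """
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    alerts = []
    for e in events:
        if e["id"] != 1 or not e["parent_image"].lower().endswith("\\wmiprvse.exe"):
            continue
        t = datetime.fromisoformat(e["time"])
        remote = [l for l in logons if l["user"].lower() == e["user"].lower()
                  and timedelta(0) <= t - datetime.fromisoformat(l["time"]) <= window]
        shell = e["image"].lower().rsplit("\\", 1)[-1] in SHELLS
        alerts.append({
            "time": e["time"], "user": e["user"], "image": e["image"],
            "cmdline": e["cmdline"],
            "source_ip": remote[0]["src_ip"] if remote else None,
            "severity": "high" if remote and shell else ("medium" if remote or shell else "low"),
        })
    return alerts

if __name__ == "__main__":
    for a in detect_remote_wmi_exec(EVENTS):
        print(a["severity"], a["time"], a["user"], a["source_ip"], a["cmdline"])
```

The source IP in the alert comes from the correlated 4624 event; in a real deployment the same logic applies to events pulled from Sysmon and the Security log on the target host.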