A standalone WMI protocol for CrackMapExec
Type Name Latest commit message Commit time
slides adding slides conf RTFM Feb 3, 2020
wmi Create Nov 30, 2019
LICENSE Update Feb 3, 2020
example.png wmi protocol v1.0 Nov 30, 2019


Experimental plugin for CrackMapExec that adds a new protocol based on pure WMI: all of CrackMapExec's traffic passes via DCOM (TCP/135 and dynamic ports).

Remote WMI access must be configured on the target. No SMB services are needed. CrackMapExec's HTTP server is not used. All command output is retrieved exclusively over the WMI access, by storing it in the WMI repository.

Currently only tested with CrackMapExec's Mimikatz module.
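
From the defender's side, the traffic profile described above (TCP/135 followed by a dynamic port, with no SMB and no HTTP callback) can be hunted in flow logs. The following is an added example, not part of the cme-wmi project; the flow-record layout, thresholds and sample data are constructed, and 49152-65535 is the Windows default dynamic RPC port range.

```python
from collections import defaultdict

EPM_PORT, SMB_PORT = 135, 445
DYNAMIC_PORTS = range(49152, 65536)  # Windows default RPC dynamic range (assumed unchanged)
WINDOW_S = 30    # assumed: max seconds between the TCP/135 lookup and the dynamic-port connect
MIN_TARGETS = 3  # assumed: distinct DCOM-only targets before a source is flagged

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # one source walking a target list over DCOM only
    (1000, "10.0.0.50", "10.0.1.10", 135), (1001, "10.0.0.50", "10.0.1.10", 49670),
    (1002, "10.0.0.50", "10.0.1.11", 135), (1003, "10.0.0.50", "10.0.1.11", 49712),
    (1004, "10.0.0.50", "10.0.1.12", 135), (1006, "10.0.0.50", "10.0.1.12", 50233),
    # management host: DCOM to one server, and SMB to the same server as well
    (1100, "10.0.0.7", "10.0.1.10", 445), (1101, "10.0.0.7", "10.0.1.10", 135),
    (1102, "10.0.0.7", "10.0.1.10", 49670),
    # endpoint-mapper lookup with no follow-up, and a dynamic port with no lookup
    (1200, "10.0.0.8", "10.0.1.20", 135), (1300, "10.0.0.9", "10.0.1.11", 49712),
]

def dcom_only_targets(flows, window=WINDOW_S):
    """Map each source to the targets it reached over TCP/135 plus a dynamic
    port within `window` seconds, and never over SMB in the same capture."""
    last_epm, smb_pairs, dcom = {}, set(), defaultdict(set)
    for ts, src, dst, port in sorted(flows):
        pair = (src, dst)
        if port == SMB_PORT:
            smb_pairs.add(pair)
        elif port == EPM_PORT:
            last_epm[pair] = ts
        elif port in DYNAMIC_PORTS and ts - last_epm.get(pair, float("-inf")) <= window:
            dcom[src].add(dst)
    # Drop pairs that also used SMB: those are visible to SMB-based detections.
    return {src: {d for d in dsts if (src, d) not in smb_pairs}
            for src, dsts in dcom.items()}

def flag_fanout(flows, min_targets=MIN_TARGETS):
    """Sources with DCOM-only sessions to at least `min_targets` hosts."""
    return sorted(s for s, d in dcom_only_targets(flows).items() if len(d) >= min_targets)

if __name__ == "__main__":
    for src in flag_fanout(SAMPLE_FLOWS):
        print(src, sorted(dcom_only_targets(SAMPLE_FLOWS)[src]))
```

Legitimate management and monitoring systems also use remote WMI, so flagged sources should be compared against an allowlist of known administration hosts before alerting.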


cme wmi targets.txt -d <DOMAIN> -u <USER> -p <PASS> [-H <HASH>] -M mimikatz


As shown, commands are sent only via DCOM (TCP/135).


git clone
git clone
cp -r cme-wmi/wmi CrackMapExec/cme/protocols
cp cme-wmi/ CrackMapExec/cme/protocols
sed -ri "s/supported_protocols = \[(.*)\]/supported_protocols = \[\1, 'wmi'\]/" CrackMapExec/cme/modules/ #adding the new 'wmi' protocol manually to the list of supported protocols of the module

Rebuild CrackMapExec afterwards.


  • add --sam and --lsa options (for secrets an idea is using nishang's Get-LsaSecret as a new module instead of Invoke-Mimikatz)
  • fix logging error that makes mimikatz fail when using options -o COMMAND (works if manually modified in the
  • add enum_host() function
  • port to Python3 ;)