Quietly spawning processes with WMIC

For this exercise, I'm recruiting a Windows 7 attack PC to fire WMI commands at a Windows Server 2008 target, so you now have two attackers: Kali and Windows.

Let's poke around with WMIC for a minute to get an idea of what it looks like. Open a command prompt (cmd.exe) and run wmic; this drops you into an interactive wmic:root\cli> session. Now run useraccount list /format:list:

WMIC returns the local user accounts in a handy format. Not terribly exciting; the fun lies in remote administration. Now try this command: /node:[IP address] /user:[DOMAIN]\[User] computersystem list brief /format:list. The /node: switch points the query at the remote host over DCOM/RPC (the account needs administrative rights there), and you'll be prompted for the user's password:

Well now, this is a little more interesting, but the fun isn't over yet. Keeping the same /node:[IP address] /user:[DOMAIN]\[User] header, try: path win32_process call create "calc.exe". WMIC asks you to confirm the method call before it runs, so don't forget to answer Y when prompted:

Check that out: Method execution successful, followed by the Out Parameters, is what the host kicked back to us; we see a ProcessId and a ReturnValue of 0 (meaning no error). Now head over to your target system and look for the friendly calculator on the screen. Wait, where is it? Perhaps the command failed after all.

Let's look in Task Manager:

It did execute calc.exe. Confirm the PID as well; it matches the ProcessId returned by our command. The reason no window appeared is that the process was created on our behalf by the WMI provider host (WmiPrvSE.exe), which runs as a service in session 0, so the new process has no access to the logged-on user's desktop. If you've ever written scripts or other programs that launch a process, seeing a command window flicker on the screen for a split second, even when you try to hide it, is a familiar experience, and we usually hope the user won't notice. Quietly kicking off PowerShell? Priceless. Keep in mind, though, that quiet on the desktop is not quiet in the logs: the new process shows up as a child of WmiPrvSE.exe, which is exactly the parent/child pair defenders hunt for.
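As an added example (not from the book), here is the same remote process creation done from PowerShell on the Windows attack box with the CIM cmdlets, followed by the Task Manager check done from the target's side over the same connection. The target address, command line, and the account you type into Get-Credential are assumed placeholders for your own lab; the account must be an administrator on the target, and the target must allow WMI traffic (TCP 135 plus the dynamic RPC port).

```powershell
# Added example, not the book's own code. Equivalent of:
#   /node:[IP] /user:[DOMAIN]\[User] path win32_process call create "calc.exe"
# Assumed placeholders: $Target (lab target address) and $CommandLine.
param(
    [string]$Target      = '192.168.56.10',   # assumed lab target
    [string]$CommandLine = 'calc.exe'         # program to launch on the target
)

# Same prompt WMIC gives for /user: - enter DOMAIN\User and the password
$Credential = Get-Credential -Message "Administrator account for $Target"

# WMIC talks DCOM, so use the DCOM protocol for the CIM session as well
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt

# Win32_Process.Create: the Out Parameters are ProcessId and ReturnValue
$result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
    -MethodName Create -Arguments @{ CommandLine = $CommandLine }

# ReturnValue 0 means success; anything else is a Win32_Process.Create error code
if ($result.ReturnValue -ne 0) {
    Remove-CimSession $session
    throw "Create() failed on $Target with ReturnValue $($result.ReturnValue)"
}
$newPid = $result.ProcessId
"Created PID $newPid on $Target"

# The Task Manager check, done remotely: pull the process back by PID and show
# why no window appeared. SessionId 0 is the service session (no user desktop)
# and the parent is WmiPrvSE.exe, the WMI provider host that created it.
$proc = Get-CimInstance -CimSession $session -ClassName Win32_Process -Filter "ProcessId = $newPid"
if (-not $proc) {
    Remove-CimSession $session
    throw "PID $newPid not found on $Target (did the process exit already?)"
}
$parent = Get-CimInstance -CimSession $session -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
$owner  = Invoke-CimMethod -CimSession $session -InputObject $proc -MethodName GetOwner

[pscustomobject]@{
    Name       = $proc.Name
    PID        = $proc.ProcessId
    ParentName = $parent.Name            # expect WmiPrvSE.exe
    SessionId  = $proc.SessionId         # expect 0, hence no calculator on screen
    Owner      = "$($owner.Domain)\$($owner.User)"
}

Remove-CimSession $session
```

Run it as .\Invoke-RemoteCreate.ps1 -Target [IP address] (the script name is assumed). The ParentName and SessionId fields are the two facts worth remembering from this exercise: they explain the missing window, and they are also what a host-based detection keys on, so swapping calc.exe for powershell.exe does not make the launch any less visible in process-creation logs.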
