+--------------------------------------------------------------+
| WMI AUDIT . FROGMAN CYBER TOOL . 600+ CMDS |
| AUTHOR: MANIKANDAN | TEL: 9787091093 |
+--------------------------------------------------------------+
@..@
( -__- )
( >_____< )
^^ ~~~~~~ ^^
[ FROGMAN IS WATCHING YOU ]
The ultimate Windows WMI-based security audit and threat detection framework.
600+ commands | 200+ MITRE ATT&CK TTPs | Remote WMI | Live Dashboard | Multi-format Export
- Overview
- Features
- Requirements
- Installation
- Usage
- Menu Reference
- Command Modules
- Remote WMI Mode
- Live Dashboard
- Export Formats
- MITRE ATT&CK Mapping
- Risk Scoring
- Parameters
- Screenshots
- Legal & Disclaimer
- License
- Author
WMI Frogman is a comprehensive PowerShell-based Windows security auditing framework that leverages Windows Management Instrumentation (WMI) and CIM (Common Information Model) to perform deep system reconnaissance, threat detection, and security assessment — both locally and remotely across a network.
Built for security professionals, red/blue teamers, penetration testers, and system administrators, Frogman provides an interactive terminal interface with 600+ audit commands, automatic MITRE ATT&CK mapping, risk scoring, and professional multi-format reporting.
| Feature | Details |
|---|---|
| 🔢 600+ WMI/CIM Commands | Organised across 19 audit modules |
| 🎯 200+ MITRE ATT&CK TTPs | Auto-mapped to findings |
| 🌐 Remote WMI Support | Audit remote hosts, subnet scan, host list |
| 📊 Live Dashboard | Real-time CPU/RAM/Disk/Threat monitoring |
| 📄 Multi-format Export | HTML, PDF, JSON, CSV, YAML |
| 🔴 Risk Scoring | Automated 0–100 risk score with severity levels |
| 🕵️ Threat Detection | WMI persistence, suspicious processes, backdoors |
| 🏢 Active Directory Recon | Full AD enumeration module |
| ☁️ Cloud Detection | AWS/Azure/GCP metadata detection |
| 🌐 Browser Artifacts | Chrome, Firefox, Edge artifact hunting |
| 🔒 CVE / Patch Matching | Missing patch and CVE correlation |
| 🎨 Dynamic UI | Random banners, color themes, matrix intro |
| ⏩ Skip Support | Press S before slow commands to skip |
| Requirement | Minimum | Recommended |
|---|---|---|
| OS | Windows 7 / Server 2008 R2 | Windows 10/11 / Server 2019+ |
| PowerShell | 5.1 | 7.x |
| Privileges | Standard user (limited) | Administrator (full audit) |
| WMI Service | Must be running | Must be running |
| Remote WMI | WMI service + firewall exception on target | Same + DCOM configured |
⚠️ Run as Administrator for complete results. Some WMI classes require elevated privileges.
# Clone or download frogman.ps1 to your machine
# No installation required — single script, no dependenciesgit clone https://github.com/YOUR_USERNAME/wmi-frogman.git
cd wmi-frogman# Run once in elevated PowerShell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser# Run as Administrator for best results
.\frogman.ps1.\frogman.ps1 -SaveLocation "C:\AuditReports".\frogman.ps1 -Target 192.168.1.50
.\frogman.ps1 -Target DC01 -TargetUser "DOMAIN\Administrator".\frogman.ps1 -Dashboard
.\frogman.ps1 -Dashboard -RefreshSeconds 10------------------------------------------------------------------
SELECT AUDIT CATEGORY
TARGET: LOCAL (DESKTOP-XXXXXXX)
------------------------------------------------------------------
1 System Info (Cmds 1-30)
2 User and Group (Cmds 31-60)
3 Service and Driver (Cmds 61-85)
4 Process and Memory (Cmds 86-110)
5 Network and Shares (Cmds 111-125)
6 Privilege Access (Cmds 126-200)
7 WMI/CIM Advanced (Cmds 201-300)
8 Storage and Disk (Cmds 301-340)
9 Security and Firewall (Cmds 341-380)
10 Registry and Config (Cmds 381-420)
11 Hardware Peripherals (Cmds 421-460)
12 Software and Apps (Cmds 461-500)
13 Tasks, Logs and Audit (Cmds 501-540)
14 Certificates/Crypto (Cmds 541-570)
15 Persistence/Lateral (Cmds 571-600)
16 Active Directory Recon
17 Cloud Metadata Detection
18 Browser Artifacts
19 CVE / Patch Matching
B RUN ALL 600 COMMANDS
C THREAT DETECTION
D EXPORT (HTML / PDF / JSON / CSV / YAML + Risk Score + MITRE)
L LIVE DASHBOARD MODE [auto-refresh]
R SET REMOTE TARGET [network scan / remote WMI]
Q EXIT
------------------------------------------------------------------
OS version, BIOS, motherboard, UUID, physical memory, network adapters, environment PATH, logical disks, boot config, PCI/USB/PnP devices, video controller, sound devices, page file, and more.
Local/domain user accounts, group memberships, logon sessions, account policies, password requirements, SID enumeration, account age, last logon times.
Running services, auto-start services, stopped auto services, unquoted service paths, service permissions, driver enumeration, kernel drivers, signed/unsigned drivers.
Running processes, process owners, process command lines, memory usage, parent-child process trees, process creation times, handles and threads.
Active TCP/UDP connections, open shares, network adapters, DNS settings, WINS, ARP cache, routing tables, open ports.
User rights, privilege assignments, UAC status, local security policy, account lockout, audit policies, firewall state, event logs config.
WMI event filters, event consumers, consumer bindings, WMI namespaces, CIM storage, CIM partitions, CIM firewall rules, CIM TCP connections, scheduled tasks, shadow copies, disk quotas.
Disk drives, partitions, volumes, BitLocker status, SMART data, iSCSI, RAID, removable media, disk quotas.
Firewall profiles (Domain/Private/Public), inbound/outbound rules, Windows Defender status, antivirus products, security event log analysis.
Auto-run registry keys, RunOnce, RunServices, LSA settings, audit policy registry, UAC registry values, RDP config, WinRM config.
Printers, pointing devices, sound cards, video adapters, USB history, Bluetooth devices, scanners, monitors.
Installed software, recent updates, Windows Store apps, MSI packages, software by publisher, program install dates.
Scheduled tasks, event log files, event log sizes, Windows logs, application/security/system event counts, task status.
Certificate stores, expired certs, self-signed certs, code-signing certs, root CA, BitLocker recovery keys, EFS config.
WMI persistence subscriptions, startup folders, scheduled task persistence, registry run keys, DLL hijack paths, service hijack candidates.
Domain info, domain controllers, AD users, AD groups, Group Policy Objects, FSMO roles, trust relationships, password policy, Kerberos policy.
AWS instance metadata (169.254.169.254), Azure IMDS, GCP metadata endpoints — detects cloud environment automatically.
Chrome history/profile paths, Firefox profile detection, Edge artifacts — session data and profile enumeration.
Installed hotfixes, missing patches, KB correlation, build number vs known CVE list matching.
Press R from the main menu to configure a remote target:
[1] Local machine (default)
[2] Enter remote IP / hostname
[3] Scan subnet (e.g. 192.168.1.0/24)
[4] Scan from host list file
Enter subnet: 192.168.1
→ Scans 192.168.1.1 - 192.168.1.254
→ Lists all live WMI-accessible Windows hosts
→ Select a host to target
# hosts.txt
192.168.1.10
192.168.1.20
SERVER01
DC01
# Enable WMI through firewall on target
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
# Enable WinRM (optional, for CIM sessions)
Enable-PSRemoting -ForcePress L or launch with -Dashboard flag for a real-time monitoring view:
+------------------------------------------------------------------+
FROGMAN LIVE DASHBOARD Target: DESKTOP-B0SPC9T 14:32:55
+------------------------------------------------------------------+
CPU Load : 23% [####----------------]
RAM Used : 67% [#############-------]
RAM : 5.3GB / 7.9GB
Disks :
C: 78% used [################----]
Network :
Intel(R) Ethernet IP: 192.168.1.100
Top 5 Procs (Memory):
chrome.exe 312.4 MB
explorer.exe 89.2 MB
Services : 142 running | 0 auto not-running
Threats : SuspPS=0 WMI_Subscriptions=0
------------------------------------------------------------------
[Refreshing in 30s -- Press Q to exit dashboard]
Press Q at any time to exit the dashboard.
Press D from the main menu to export. Available formats:
| Format | Contents |
|---|---|
| HTML | Full styled report with risk gauge, MITRE table, all findings |
| Auto-generated from HTML using Chrome/Edge headless | |
| JSON | Structured machine-readable data — all audit results |
| CSV | Spreadsheet-compatible, one file per module |
| YAML | Human-readable structured format |
| ALL | Generates all 5 formats simultaneously |
- ✅ Full audit data from all collected commands
- ✅ Risk Score (0–100) with severity level
- ✅ MITRE ATT&CK technique mapping
- ✅ Timestamp and target hostname in filename
WMIFrogman_DESKTOP-B0SPC9T_20260303_022319.html
WMIFrogman_DESKTOP-B0SPC9T_20260303_022319.pdf
Frogman automatically maps findings to 200+ MITRE ATT&CK techniques including:
| Technique ID | Technique Name | Frogman Module |
|---|---|---|
| T1047 | Windows Management Instrumentation | Modules 7, 15 |
| T1543 | Create or Modify System Process | Module 3 |
| T1053 | Scheduled Task/Job | Module 13 |
| T1012 | Query Registry | Module 10 |
| T1057 | Process Discovery | Module 4 |
| T1049 | System Network Connections Discovery | Module 5 |
| T1087 | Account Discovery | Module 2 |
| T1082 | System Information Discovery | Module 1 |
| T1016 | System Network Configuration Discovery | Module 5 |
| T1021 | Remote Services | Modules 5, 16 |
| T1552 | Unsecured Credentials | Modules 6, 18 |
| T1546 | Event Triggered Execution (WMI) | Module 7 |
Frogman computes an automated Risk Score (0–100) based on findings:
| Score Range | Level | Color |
|---|---|---|
| 75 – 100 | 🔴 CRITICAL | Red |
| 50 – 74 | 🟡 HIGH | Yellow |
| 0 – 49 | 🟢 LOW / MEDIUM | Green |
Risk factors include:
- WMI event subscriptions (persistence indicators)
- Suspicious process command lines (
-enc,-hidden,-bypass) - Firewall disabled
- Unquoted service paths
- Unsigned drivers
- Missing patches / CVEs
- Auto-start services not running
- Open shares
- Disabled local accounts (admin SID-500 status)
| Parameter | Type | Default | Description |
|---|---|---|---|
-SaveLocation |
String | "" |
Pre-set output directory path |
-Target |
String | "" |
Remote hostname or IP to audit |
-TargetUser |
String | "" |
Username for remote authentication |
-Dashboard |
Switch | $false |
Launch directly to Live Dashboard |
-RefreshSeconds |
Int | 30 |
Dashboard auto-refresh interval (seconds) |
# Local audit, save to Desktop
.\frogman.ps1 -SaveLocation "$env:USERPROFILE\Desktop"
# Remote audit with credentials
.\frogman.ps1 -Target "192.168.1.50" -TargetUser "CORP\Administrator"
# Live dashboard with 10s refresh
.\frogman.ps1 -Dashboard -RefreshSeconds 10
# Full remote audit to custom path
.\frogman.ps1 -Target "DC01" -SaveLocation "C:\Reports" -TargetUser "DOMAIN\user"The dedicated threat detection module checks for:
- 🔴 WMI event filter/consumer persistence (T1546.003)
- 🔴 Suspicious PowerShell flags (
-EncodedCommand,-WindowStyle Hidden,-Bypass) - 🔴 Unquoted service paths (privilege escalation)
- 🔴 Unsigned/untrusted kernel drivers
- 🟡 Firewall profile disabled (any profile)
- 🟡 AutoRun registry keys with external paths
- 🟡 Scheduled tasks pointing to temp/user directories
- 🟡 Services running from unusual locations
- 🟢 WMI namespace enumeration
- 🟢 Open administrative shares
[S] Press S before a slow command starts to skip it
[Q] Press Q in Live Dashboard to exit
[B] Run ALL 600 commands in batch mode
[R] Switch between local and remote targets at any time
- Run as Administrator for complete WMI access
- For remote targets, ensure WMI firewall exceptions are enabled
- Use
-SaveLocationparameter to skip the save prompt on startup - The HTML report is the most visually rich format — open in Chrome/Edge
- PDF generation requires Chrome or Edge to be installed
This tool is intended for authorized security testing, auditing, and educational purposes ONLY.
- ✅ Use on systems you own or have explicit written permission to test
- ✅ Use for defensive security — auditing your own infrastructure
- ✅ Use for CTF challenges and security research
- ❌ Do NOT use against systems without authorization
- ❌ Do NOT use for unauthorized access or malicious purposes
The author (MANIKANDAN) assumes no liability for misuse of this tool. Users are solely responsible for ensuring their activities comply with applicable laws and regulations.
This project is licensed under the GNU General Public License v3.0 (GPL v3).
- ✅ Free to use, modify, and distribute
- ✅ Modifications must also be open source (GPL v3)
- ✅ Attribution required — original author credit must be retained in all copies and forks
- ❌ Cannot be relicensed as proprietary
See the LICENSE file for full details.
Official GPL v3 text: https://www.gnu.org/licenses/gpl-3.0.txt
+--------------------------------------------------+
| WMI sees all. Are you looking? |
| MANIKANDAN | Contact: 9787091093 |
+--------------------------------------------------+
MANIKANDAN
📞 Contact: 9787091093
🐸 Tool: WMI Frogman Cyber Tool v18
📅 Year: 2025
🔒 License: GNU GPL v3
Contributions are welcome under GPL v3 terms:
- Fork the repository
- Create a feature branch:
git checkout -b feature/new-module - Commit your changes:
git commit -m "Add: new detection module" - Push to branch:
git push origin feature/new-module - Open a Pull Request
All contributions must retain original author attribution (MANIKANDAN).
Total Commands : 600+
MITRE Techniques : 200+
Audit Modules : 19
Export Formats : 5 (HTML, PDF, JSON, CSV, YAML)
Remote Modes : 4 (Direct, Subnet Scan, Host List, Credential)
Exit Quotes : 15 (random, Metasploit-style)
Entry Banners : 10 (random ASCII frog art)
Stay paranoid. Stay patched. Stay frog. 🐸