A Brief Usage Guide for Wmic

There are several built-in Windows applications and tools that can be useful in offensive operations. Windows Management Instrumentation (WMI) provides an interface to management data and operations on Windows-based systems. WMI namespaces are hierarchical containers for classes, which expose methods and properties in order to manage Windows applications and services. PowerShell is one of the most popular methods to access WMI. Both the Get-WmiObject and Invoke-WmiMethod (Get-CimInstance and Invoke-CimMethod for PSV5) cmdlets are extremely useful when working with WMI, but what if you are conducting an engagement in an environment where PowerShell usage is heavily logged and monitored? Or there are other restrictions in place that prevent you from using PowerShell? Fear not, wmic, a command line tool, is still available to use on Windows. Wmic provides an alternative method to access WMI through the use of aliases. Each alias maps back to a specific WMI class. Wmic commands translate to a WMI query and return easily digestible output.

The wmic command line tool could prove to be highly valuable to a penetration tester in post-exploitation triage. It provides the ability to survey a remote system or execute commands without having to install an additional implant. This enables a penetration tester to selectively target systems based on what information is available, and how that can assist them in completing their objectives for an engagement. There is a great whitepaper from FireEye detailing the offensive and defensive uses for WMI here. Also, @mattifestation put together some great research on WMI usage here.

Let's take a look at some example usage. To become familiar with the available aliases, open a command prompt and type:

wmic alias list brief

wmic alias output

To break this command down further, "alias" is the alias being queried. The "list" verb specifies that the results should be formatted as a list; keep in mind that the list verb is only permitted with an alias name. The last portion of the command, "brief", controls how much of the output is shown in the list: brief shows only a few properties of each object, while "full" shows all object properties. You can run queries on remote hosts with the "/node" parameter and specify multiple hosts within a text file with @"c:\path\to\file". Wmic will also accept "/username" and "/password" flags for remote queries only. As a side note, if you are utilizing Gold/Silver (Kerberos) tickets and would like to run wmic commands on a remote host, you will need to use the "/AUTHORITY" flag with "kerberos:TargetDomainName\TargetComputerName". More information on that can be found here. Please note that the credentials provided must be those of a local administrator on the target host. Here is another example:

wmic volume list brief

Each WMI class also contains methods that can be executed locally or remotely. Methods are invoked by using CALL [method name] [arguments]. To see the available methods for any class:

wmic [class] call /?

This will provide the methods available for the class as well as the required arguments, and their respective datatypes.

Filtering:

Filtering can be used in wmic to return specific results from queries that match criteria you specify. Use the where clause to only return instances that match a specified boolean expression.

Operator    Description
=           equal to
<           less than
>           greater than
!= or <>    not equal to
>=          greater than or equal to
<=          less than or equal to

For example, a query that only returns Win32_Process instances whose name matches notepad.exe:

wmic process where "name ='notepad.exe'"

Result

OR

wmic process where "name like '%notepad%'"

Result

LIKE is used for wildcard string matches, with '%' as the wildcard. You can combine filters with the AND clause, keeping the whole expression inside the double quotes, like so:

wmic DATAFILE where "drive='C:' AND name like '%password%'"

Returning to the volume example above, the alias being queried is volume. This maps to a select * from Win32_Volume WMI Query Language (WQL) statement. Using the list argument for formatting is not necessary: just providing the alias returns a nicely formatted table with all of the class instances and their properties. Aliases only provide access to a handful of WMI classes. The other classes can be accessed by using the /namespace and path arguments.

wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

Result
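To make the alias-to-WQL mapping and the where-clause filtering above concrete, here is an added Python example (not part of the original post) that rewrites a wmic query line into the WQL statement wmic issues on its behalf. The ALIASES table covers only the aliases used in this guide, copied from wmic alias list, and the function name wmic_to_wql is my own.

```python
import shlex

# wmic alias -> WMI class for the aliases this guide uses (from `wmic alias list`); the tool ships many more.
ALIASES = {
    "process": "Win32_Process",
    "volume": "Win32_Volume",
    "datafile": "CIM_DataFile",
    "os": "Win32_OperatingSystem",
    "computersystem": "Win32_ComputerSystem",
    "rdtoggle": "Win32_TerminalServiceSetting",
}

def wmic_to_wql(cmdline):
    """Translate a wmic query line into {"node", "namespace", "wql"}; output switches such as /VALUE are skipped."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps backslashes and quotes intact
    if not tokens or tokens[0].lower() != "wmic":
        raise ValueError("not a wmic command line")
    out = {"node": None, "namespace": "root\\cimv2", "wql": None}
    i = 1
    while i < len(tokens) and tokens[i].startswith("/"):  # global switches precede the alias
        switch, _, value = tokens[i].partition(":")
        if switch.lower() == "/namespace":
            out["namespace"] = value.lstrip("\\")
        elif switch.lower() == "/node":
            out["node"] = value
        i += 1
    if tokens[i].lower() == "path":                       # explicit class instead of an alias
        cls, i = tokens[i + 1], i + 2
    else:
        cls, i = ALIASES[tokens[i].lower()], i + 1
    where, props = None, []
    while i < len(tokens):
        word = tokens[i].lower()
        if word == "where":                               # the quoted boolean expression
            where = tokens[i + 1]
            if where.startswith('"') and where.endswith('"'):
                where = where[1:-1]
            i += 2
        elif word == "get":                               # property list, possibly split by spaces
            i += 1
            while i < len(tokens) and not tokens[i].startswith("/"):
                props.append(tokens[i])
                i += 1
        else:                                             # list, brief, full, /VALUE, ...
            i += 1
    out["wql"] = "SELECT %s FROM %s" % ("".join(props) or "*", cls)
    if where:
        out["wql"] += " WHERE " + where
    return out
```

Feeding it the queries from this page shows that "list brief" and a bare alias both collapse to SELECT * FROM Class, while where and get only narrow the rows and columns of that same statement.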

There are several WMI classes that can provide a great deal of information and greatly aid a tester in becoming more familiar with their target environment. Below is a list of some helpful queries.

Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
--- Peripherals ---
wmic path Win32_PnPdevice
--- Installed Updates ---
wmic qfe list brief
--- Directory Listing and File Search ---
wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size
wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
--- Local User Accounts ---
wmic USERACCOUNT Get Domain,Name,Sid
Domain Enumeration:
--- Domain and DC Info ---
wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
--- Domain User Info ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='testAccount'" GET
--- List All Users ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
--- List All Groups ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
--- Members of A Group ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"YOURDOMAINHERE\"")
--- List All Computers ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname
OR
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
Misc:
--- Execute Remote Command ---
wmic process call create "cmd.exe /c calc.exe"
--- Enable Remote Desktop ---
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
OR
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
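Since the post's own pitch for wmic is that it sidesteps PowerShell logging, the defender's counterpart is to record process command lines (Sysmon event ID 1, or 4688 with command-line auditing enabled) and score the wmic patterns listed above. The following is an added example, not part of the original post, that runs that logic over constructed process-creation records; the hostnames, accounts and the RULES table are assumptions.

```python
import re

# Each rule is (tag, regex over the command line); the patterns are the switches and
# verbs used in the query list above.
RULES = [
    ("remote-target", r"/node:"),
    ("cleartext-credentials", r"/password:"),
    ("remote-process-creation", r"\bprocess\s+call\s+create\b"),
    ("rdp-enable", r"\bSetAllowTSConnections\b"),
    ("ad-enumeration", r"/namespace:\\\\root\\directory\\ldap"),
    ("av-discovery", r"\bantivirusproduct\b"),
]

# Constructed process-creation records in "Image|CommandLine" form (not real telemetry);
# hostnames and accounts are made up.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wbem\WMIC.exe|wmic os LIST full",
    r'C:\Windows\System32\wbem\WMIC.exe|wmic /node:FILESRV01 /user:CORP\svc_backup /password:Hunter2 process call create "cmd.exe /c calc.exe"',
    r"""C:\Windows\System32\wbem\WMIC.exe|wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value""",
    r'C:\Windows\System32\wbem\WMIC.exe|wmic /node:HR-PC07 path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-CimInstance Win32_Process",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState",
]

def triage(events):
    """Return one finding per wmic.exe launch whose command line matches at least one rule."""
    findings = []
    for idx, record in enumerate(events):
        image, _, cmdline = record.partition("|")
        if not image.lower().endswith(r"\wmic.exe"):
            continue  # this rule set only scores wmic.exe launches
        tags = [tag for tag, pat in RULES if re.search(pat, cmdline, re.IGNORECASE)]
        if tags:
            findings.append({"index": idx, "tags": tags, "cmdline": cmdline})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["index"], ",".join(f["tags"]), "->", f["cmdline"])
```

A plain local "wmic os LIST full" produces no finding, while a single line carrying /node, /password and process call create is tagged three times, which is the combination worth paging on.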
*****
Written by Chris Ross on 03 June 2016