# WMIC commands

## Local

Gather domain DC and other information

```
wmic NTDOMAIN Get DomainControllerAddress,DomainName,Roles
```

List all Users

```
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
```

Get all groups

```
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
```

Get members of the domain admin group

```
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN\"")
```

List all computers

```
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname
```

Computer information

```
wmic computersystem list full
```

Available volumes

```
wmic volume list brief
```

Find AV

```
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe
```

Find updates

```
wmic qfe list brief
```

Find files with "password" in the name

```
wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
```

Get local user accounts

```
wmic useraccount list
```

WMI classes or information can also be accessed via Get-WmiObject in PowerShell. Some useful queries:

AV products

```
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
```
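The `productState` value returned by the wmic and Get-WmiObject AntiVirusProduct queries above is a packed bitfield that is meaningless as a raw number. The following is an added example (not from the handbook) that decodes it into "enabled" and "up to date" flags; the layout it assumes is the widely used community interpretation of this undocumented field, and the host names and state values are constructed so the script runs without a live WMI query.

```powershell
# Added example: decode AntiVirusProduct.productState from the queries above.
# Assumed layout (community interpretation, not officially documented):
#   hex digits 0-1 : product category (e.g. 04 = antivirus)
#   hex digits 2-3 : 10 / 11 = real-time protection enabled, 00 / 01 = disabled
#   hex digits 4-5 : 00 = definitions up to date, 10 = out of date
function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    $hex = '{0:X6}' -f $ProductState          # e.g. 266240 -> "041000"
    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = $hex
        Enabled      = ($hex.Substring(2, 2) -in '10', '11')
        UpToDate     = ($hex.Substring(4, 2) -eq '00')
    }
}

# Constructed sample values (hypothetical products) so this runs offline:
$samples = @(
    @{ Name = 'Example AV A'; State = 266240 },   # 0x041000 -> enabled, up to date
    @{ Name = 'Example AV B'; State = 262144 },   # 0x040000 -> disabled, up to date
    @{ Name = 'Example AV C'; State = 266256 }    # 0x041010 -> enabled, out of date
)
foreach ($s in $samples) {
    $d = ConvertFrom-AvProductState -ProductState $s.State
    '{0,-14} {1} enabled={2} upToDate={3}' -f $s.Name, $d.Hex, $d.Enabled, $d.UpToDate
}

# On a real host, feed the page's query into the same decoder:
# Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
#     ForEach-Object {
#         ConvertFrom-AvProductState -ProductState $_.productState |
#             Add-Member -NotePropertyName Product -NotePropertyValue $_.displayName -PassThru
#     }
```

Because the field is undocumented, treat a decoded "disabled" or "out of date" as a prompt to confirm with the product's own status rather than as authoritative.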

VM detection

```
[Bool](Get-WmiObject -Class Win32_ComputerSystem -Filter "NumberOfLogicalProcessors < 2 OR TotalPhysicalMemory < 2147483648")
```

Find MSI packages not from Microsoft

```
Get-WmiObject -Query "select * from Win32_Product" | ?{$_.Vendor -notmatch 'Microsoft'}
```

Logged on users

```
Get-WmiObject -Query "select * from Win32_LoggedOnUser" | ?{$_.LogonType -notmatch '(Service|Network|System)'}
```

VMware detection

```
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
[Bool]($VMAdapter -or $VMBios -or $VMToolsRunning)
```

## AD

We can enumerate remotely by adding `/NODE:"<SERVER_NAME>"`. Enumerating under another user's context can be done by adding `/USER:"<DOMAIN>\<USER>" /PASSWORD:"<password>"`. Example:

```
wmic /NODE:"DOMAIN" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *
```

Enumerate groups:

```
Get-CimInstance -ClassName Win32_Group -Filter "DOMAIN = '<DOMAIN>'"
```

User accounts

```
Get-WMIObject -Class Win32_UserAccount -Filter "DOMAIN = '<DOMAIN>'"
```

Group user memberships

```
Get-CimInstance -ClassName Win32_Group -Filter "Domain = '<DOMAIN>' AND Name = '<GROUP_NAME>'"
```

Domain info

```
wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
```

LDAP

```
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='<GROUP_NAME>'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
```
