WMIC commands

Local

Gather domain DC and other information
wmic NTDOMAIN Get DomainControllerAddress,DomainName,Roles

List all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
Get members of the Domain Admins group (the inner quotes must be escaped, otherwise the where clause is malformed; <DOMAIN> is the NetBIOS domain name)
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"<DOMAIN>\"")
List all computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

Computer information
wmic computersystem list full

Available volumes
wmic volume list brief

Find AV products (root\securitycenter2 exists only on client SKUs, not on Windows Server)
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

Find installed updates
wmic qfe list brief

Find files with "password" in the name
wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
Get local user accounts
wmic useraccount list

The same WMI classes can also be queried with Get-WmiObject (or Get-CimInstance) in PowerShell. Some useful queries:

AV products
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

VM detection (fewer than 2 logical processors or less than 2 GB of RAM)
[Bool](Get-WmiObject -Class Win32_ComputerSystem -Filter "NumberOfLogicalProcessors < 2 OR TotalPhysicalMemory < 2147483648")
Find MSI packages not from Microsoft (querying Win32_Product makes Windows Installer validate, and possibly repair, every installed package, so it is slow and writes MsiInstaller events to the Application log)
Get-WmiObject -Query "select * from Win32_Product" | ?{$_.Vendor -notmatch 'Microsoft'}
Logged on users (LogonType is a numeric property of Win32_LogonSession, not of Win32_LoggedOnUser; 0 = system, 3 = network, 4 = batch, 5 = service are excluded, then each remaining session is resolved to its account through the Win32_LoggedOnUser association)
Get-WmiObject -Query "select * from Win32_LogonSession" | ?{ @(0,3,4,5) -notcontains $_.LogonType } | %{ Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogonSession.LogonId='$($_.LogonId)'} WHERE ResultClass=Win32_Account" }
VMware detection
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
[Bool]($VMAdapter -or $VMBios -or $VMToolsRunning)
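The AntiVirusProduct queries above return productState as a raw integer. The function below is an added example (not part of the original cheat sheet) that decodes it into enabled / signatures-up-to-date flags so the output is directly useful in an audit. It assumes the commonly documented layout of the value (second byte = real-time protection state, third byte = signature state), which Microsoft has never published as an official schema; Get-AvStatus is a name chosen here. Run it as-is for the local host, or pass a CIM session created with New-CimSession to query another machine.

```powershell
# Added example: decode AntiVirusProduct.productState from root\SecurityCenter2.
# Assumption (widely used, not officially documented): productState is a 24-bit
# value whose middle byte is 0x10/0x11 when the product is enabled and whose
# low byte is 0x00 when signatures are current (0x10 = out of date).
function Get-AvStatus {
    [CmdletBinding()]
    param(
        # Optional CIM session; defaults to the local machine when omitted.
        [Microsoft.Management.Infrastructure.CimSession]$CimSession
    )

    $params = @{ Namespace = 'root\SecurityCenter2'; ClassName = 'AntiVirusProduct' }
    if ($CimSession) { $params.CimSession = $CimSession }

    # root\SecurityCenter2 only exists on client SKUs; on Server this query errors out.
    foreach ($av in (Get-CimInstance @params -ErrorAction Stop)) {
        # Render as six hex digits, e.g. 397568 -> "061100", 393472 -> "060100".
        $hex = '{0:X6}' -f [int]$av.productState

        [pscustomobject]@{
            DisplayName = $av.displayName
            Exe         = $av.pathToSignedProductExe
            RawState    = $hex
            Enabled     = (@('10', '11') -contains $hex.Substring(2, 2))
            UpToDate    = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

# Local run: one row per registered AV product.
Get-AvStatus | Format-Table -AutoSize
```

A product that reports Enabled = False or UpToDate = False is the condition a host-hardening check should flag; Windows Defender registers here like any third-party product, so the function also works on hosts with no third-party AV.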

AD

Any of the above can be run against a remote host by adding /NODE:"<SERVER_NAME>"; to run under another user's context add /USER:"<DOMAIN>\<USER>" /PASSWORD:"<password>". Note that a password passed this way is part of the wmic process command line, which process-creation auditing (event 4688 with command-line logging, Sysmon event 1) records in clear text. Example:
wmic /NODE:"<SERVER_NAME>" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *
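The same remote queries can be done from PowerShell over a CIM session, which is the form an administrator auditing hosts should prefer: the credential is collected with Get-Credential instead of being typed into the command line as /PASSWORD:. This is an added example, not from the original cheat sheet; <SERVER_NAME> and <GROUP_NAME> are placeholders, and the session uses the default WSMan transport (add -SessionOption (New-CimSessionOption -Protocol Dcom) for hosts without WinRM). On the target the session shows up as a network logon (event 4624, logon type 3) by the account used.

```powershell
# Added example: remote CIM queries equivalent to the wmic /NODE: examples above.
# Placeholders: <SERVER_NAME> (target host) and <GROUP_NAME> (group to expand).
$cred    = Get-Credential -Message 'Account used for the remote CIM queries'
$session = New-CimSession -ComputerName '<SERVER_NAME>' -Credential $cred

try {
    # AV products registered with Security Center (client SKUs only).
    Get-CimInstance -CimSession $session -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe

    # Local groups and their members, resolved through the Win32_GroupUser
    # association; Domain='<SERVER_NAME>' restricts it to the host's own groups.
    Get-CimInstance -CimSession $session -ClassName Win32_Group -Filter "Domain='<SERVER_NAME>' AND Name='<GROUP_NAME>'" |
        Get-CimAssociatedInstance -CimSession $session -Association Win32_GroupUser |
        Select-Object Domain, Name, SID

    # Installed updates, the CIM equivalent of "wmic qfe list brief".
    Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, InstalledOn
}
finally {
    # Always tear the session down so no authenticated channel is left open.
    Remove-CimSession $session
}
```

Because the session is reused for all three queries, the target sees a single authentication rather than one per wmic invocation, and the credential object never appears in process command-line telemetry.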
Enumerate groups
Get-CimInstance -ClassName Win32_Group -Filter "Domain = '<DOMAIN>'"
User accounts
Get-WMIObject -Class Win32_UserAccount -Filter "Domain = '<DOMAIN>'"
Group user memberships (the Win32_Group instance alone only describes the group; Get-CimAssociatedInstance follows the Win32_GroupUser association to list its members)
Get-CimInstance -ClassName Win32_Group -Filter "Domain='<DOMAIN>' AND Name='<GROUP_NAME>'" | Get-CimAssociatedInstance -Association Win32_GroupUser
Domain info
wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
LDAP
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='<GROUP_NAME>'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname