The Red Team Vade Mecum
WMIC commands

Local

Gather domain DC and other information

wmic NTDOMAIN Get DomainControllerAddress,DomainName,Roles

List all Users

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Get all groups

wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname

Get members of the domain admin group

wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN\"")

list all computers

wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

Computer information

wmic computersystem list full 

Available volumes

wmic volume list brief 

find AV

wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe

find updates

wmic qfe list brief

find files with password in the name

wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE

get local user accounts

wmic useraccount list

WMI classes or information can also be accessed via Get-WmiObject in PowerShell. Some useful queries:

AV products

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
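Both the wmic and the Get-WmiObject AntiVirusProduct queries above return productState as a bare integer. The following is an added example, not code from the original page: it decodes that integer so a defender can verify that real-time protection is on and definitions are current. The bit layout it uses is the community-documented interpretation of productState, not an official Microsoft specification, and the function names and the sample values at the end are my own (the sample values are constructed, not captured from a host).

```powershell
# Added example (not from the original page): decode AntiVirusProduct.productState.
# Layout (community-documented, not an official specification), read as six hex digits:
#   digits 1-2 -> product type (not interpreted here)
#   digits 3-4 -> 0x10 / 0x11 = real-time protection enabled, 0x00 / 0x01 = disabled
#   digits 5-6 -> 0x00 = definitions up to date, 0x10 = out of date
function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)

    $hex  = $ProductState.ToString('x6')   # e.g. 397568 -> "061100"
    $rtp  = $hex.Substring(2, 2)
    $defs = $hex.Substring(4, 2)

    [pscustomobject]@{
        ProductState       = ('0x{0}' -f $hex)
        RealTimeProtection = $rtp -in @('10', '11')
        DefinitionsCurrent = $defs -eq '00'
    }
}

# Query the live provider. root\SecurityCenter2 exists on client SKUs only; it is
# absent on Windows Server, so the call fails there rather than returning nothing.
function Get-AvStatus {
    Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop |
        ForEach-Object {
            $decoded = ConvertFrom-AvProductState -ProductState $_.productState
            [pscustomobject]@{
                DisplayName        = $_.displayName
                Path               = $_.pathToSignedProductExe
                RealTimeProtection = $decoded.RealTimeProtection
                DefinitionsCurrent = $decoded.DefinitionsCurrent
            }
        }
}

# Constructed sample values (not captured from a real host), so the decoding runs offline:
#   397568 = 0x061100 enabled, current; 397328 = 0x061010 enabled, definitions stale;
#   393472 = 0x060100 real-time protection off, definitions current
@(397568, 397328, 393472) | ForEach-Object { ConvertFrom-AvProductState -ProductState $_ } | Format-Table -AutoSize
```

Run Get-AvStatus on a workstation to see the decoded state for every registered product; a host where RealTimeProtection is false or DefinitionsCurrent is false is the one worth following up on.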

VM detection

[Bool](Get-WmiObject -Class Win32_ComputerSystem -Filter "NumberOfLogicalProcessors < 2 OR TotalPhysicalMemory < 2147483648")

find MSI not from MS

Get-WmiObject -Query "select * from Win32_Product" | ?{$_.Vendor -notmatch 'Microsoft'}

Logged on users (LogonType is a property of the associated Win32_LogonSession, so resolve Dependent first; 0 = System, 3 = Network, 5 = Service)

Get-WmiObject -Query "select * from Win32_LoggedOnUser" | ForEach-Object { [wmi]$_.Dependent } | ?{$_.LogonType -notin 0,3,5}

VMWARE detection

$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
[Bool]($VMAdapter -or $VMBios -or $VMToolsRunning)

AD

Remote hosts can be enumerated by adding /NODE:"<SERVER_NAME>". To run the query under another user's context, add /USER:"<DOMAIN>\<USER>" /PASSWORD:"<password>". Example:

wmic /NODE:"<SERVER_NAME>" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *

enumerate groups:

Get-CimInstance -ClassName Win32_Group -Filter "Domain = '<DOMAIN>'"

user accounts

Get-WmiObject -Class Win32_UserAccount -Filter "Domain = '<DOMAIN>'"

Group user memberships

Get-CimInstance -ClassName Win32_Group -Filter "Domain='<DOMAIN>' AND Name='<GROUP_NAME>'" | Get-CimAssociatedInstance -Association Win32_GroupUser

Domain info

wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE

LDAP

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='<GROUP_NAME>'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
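Every command on this page leaves a process-creation record with wmic.exe and a distinctive command line, which is what a defender can alert on. The following is an added example, not code from the original page: it scores command lines as they would appear in Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled) against the argument patterns used above (NTDOMAIN, the root\directory\ldap provider, SecurityCenter2, /NODE and /USER, qfe) and flags lines that cross a threshold. The sample command lines, the pattern names, weights and threshold are all mine and are constructed for illustration; tune them against your own baseline before deploying.

```powershell
# Added example (not from the original page): flag WMIC-based reconnaissance in
# process-creation telemetry. Sample lines are constructed, not captured from a host.
$SampleCommandLines = @(
    'wmic  NTDOMAIN Get DomainControllerAddress,DomainName,Roles',
    'wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname',
    'wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState',
    'wmic /NODE:"FILESRV01" /USER:"CORP\svc_backup" /PASSWORD:"***" os get caption',
    'wmic qfe list brief',                 # weight 1 alone: below threshold, routine admin use
    'wmic product get name,version',       # weight 1 alone: below threshold, inventory use
    'C:\Windows\System32\svchost.exe -k netsvcs -p'
)

# Each pattern maps to one enumeration technique; weights let one event carry several indicators.
# Regexes use single-quoted strings, so "\\" is a literal backslash for the regex engine.
$ReconPatterns = @(
    [pscustomobject]@{ Name = 'DomainEnum';     Regex = '(?i)\bwmic\b.*\bntdomain\b';        Weight = 3 },
    [pscustomobject]@{ Name = 'LdapProvider';   Regex = '(?i)\bwmic\b.*root\\directory\\ldap'; Weight = 3 },
    [pscustomobject]@{ Name = 'AvDiscovery';    Regex = '(?i)\bwmic\b.*securitycenter2';       Weight = 3 },
    [pscustomobject]@{ Name = 'RemoteNode';     Regex = '(?i)\bwmic\b.*/node:';                Weight = 2 },
    [pscustomobject]@{ Name = 'AltCredentials'; Regex = '(?i)\bwmic\b.*/user:.*?/password:';   Weight = 2 },
    [pscustomobject]@{ Name = 'PatchLevel';     Regex = '(?i)\bwmic\b.*\bqfe\b';               Weight = 1 },
    [pscustomobject]@{ Name = 'InstalledSw';    Regex = '(?i)\bwmic\b.*\bproduct\b';           Weight = 1 }
)

function Test-WmicRecon {
    param(
        [Parameter(Mandatory)][string[]]$CommandLine,
        [int]$Threshold = 2
    )
    foreach ($line in $CommandLine) {
        $hits  = @($ReconPatterns | Where-Object { $line -match $_.Regex })
        $score = 0
        foreach ($hit in $hits) { $score += $hit.Weight }
        if ($score -ge $Threshold) {
            [pscustomobject]@{
                Score       = $score
                Indicators  = ($hits.Name -join ',')
                CommandLine = $line
            }
        }
    }
}

# With the constructed input, lines 1-4 are flagged (scores 3, 3, 3 and 4); the rest are not.
Test-WmicRecon -CommandLine $SampleCommandLines | Format-Table -AutoSize
```

In production the input would come from Get-WinEvent over the Sysmon operational log or the Security log rather than the inline array; the scoring logic is unchanged. Stacking weights rather than alerting on any single wmic.exe execution keeps routine patch and inventory queries from drowning the real signal.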

Last updated 3 years ago