WMIC commands

Local

Gather domain DC and other information

wmic NTDOMAIN Get DomainControllerAddress,DomainName,Roles

List all Users

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname

Get all groups

wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname

Get members of the domain admin group

wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN\"")

list all computers

wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

Computer information

wmic computersystem list full 

Available volumes

wmic volume list brief 

find AV

wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe

find updates

wmic qfe list brief

find files with password in the name

wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE

Get local user accounts

wmic useraccount list

WMI classes or information can also be accessed via Get-WmiObject in PowerShell. Some useful queries:

AV products

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

VM detection

[Bool](Get-WmiObject -Class Win32_ComputerSystem -Filter "NumberOfLogicalProcessors < 2 OR TotalPhysicalMemory < 2147483648")

find MSI not from MS

Get-WmiObject -Query "select * from Win32_Product" | ?{$_.Vendor -notmatch 'Microsoft'}

(Note: enumerating Win32_Product is slow and triggers an MSI consistency check of every installed package.)

Logged on users

Get-WmiObject -Query "select * from Win32_LoggedOnUser" | ?{$_.LogonType -notmatch '(Service|Network|System)'}

VMWARE detection

$VMAdapter=Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios=Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning=Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
[Bool]($VMAdapter -or $VMBios -or $VMToolsRunning)

AD

We can enumerate remotely by adding /NODE:"<SERVER_NAME>"; enumerating under another user context can be done by adding /USER:"<DOMAIN>\<USER>" /PASSWORD:"<password>". Example:

wmic /NODE:"<SERVER_NAME>" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *

enumerate groups:

Get-CimInstance -ClassName Win32_Group -Filter "DOMAIN = '<DOMAIN>'"

user accounts

Get-WMIObject -Class Win32_UserAccount -Filter "DOMAIN = '<DOMAIN>'"

Group user memberships

Get-CimInstance -ClassName Win32_Group -Filter "Domain='<DOMAIN>' AND Name='<GROUP_NAME>'"

Domain info

wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE

LDAP

wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='<GROUP_NAME>'" Get ds_member /Value
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
