There are several built-in Windows applications and tools that can be useful in offensive operations. Windows Management Instrumentation (WMI) provides an interface to management data and operations on Windows-based systems. WMI namespaces are hierarchical containers for classes, and classes expose properties and methods for managing Windows applications and services. PowerShell is one of the most popular ways to access WMI: the Get-WmiObject and Invoke-WmiMethod cmdlets (and their CIM equivalents Get-CimInstance and Invoke-CimMethod, available since PowerShell 3.0) are extremely useful when working with WMI. But what if you are conducting an engagement in an environment where PowerShell usage is heavily logged and monitored, or other restrictions prevent you from using PowerShell at all? Fear not, wmic, a command line tool, is still available on most Windows hosts. Wmic provides an alternative way to access WMI through aliases; each alias maps back to a specific WMI class, and each wmic command is translated into a WMI query whose results are returned as easily digestible output. Two caveats before relying on it: wmic is deprecated (since Windows 10 21H1) and ships only as an optional feature on current Windows 11 builds, so confirm wmic.exe exists on the target; and wmic.exe is itself a well-known living-off-the-land binary, so process creation logging (Security 4688, Sysmon Event ID 1) records its full command line and WMI activity tracing can record the queries. It sidesteps PowerShell logging, not logging in general.
The wmic command line tool can be highly valuable to a penetration tester during post-exploitation triage. It provides the ability to survey a remote system or execute commands on it without installing an additional implant. This lets a penetration tester selectively target systems based on what information is available and how it helps complete the objectives of an engagement. FireEye has published a whitepaper detailing the offensive and defensive uses of WMI, and @mattifestation (Matt Graeber) has put together extensive research on WMI usage that is well worth reading.
Let's take a look at some example usage. To become familiar with the available aliases, open a command prompt and type:
To break this command down further: "alias" is the alias we are querying (the alias alias, which lists the aliases themselves). The "list" verb specifies that the results should be formatted as a list; keep in mind that the list verb is only permitted after an alias name. The last portion of the command, "brief", controls how much of each object is shown in the list: brief shows only a few properties of each object, while "full" shows all of them. You can run queries on remote hosts with the "/node" global switch, and specify multiple hosts from a text file (one host per line) with /node:@"c:\path\to\file". For remote queries wmic also accepts the "/user" and "/password" switches; if /password is omitted you are prompted for it, and wmic refuses explicit credentials for local connections ("User credentials cannot be used for local connections"). As a side note, if you are using Golden/Silver (Kerberos) tickets and want to run wmic commands on a remote host, use the "/authority" switch with "kerberos:TargetDomainName\TargetComputerName" so the Kerberos service ticket is used instead of NTLM. Please note that the account used must be a local administrator on the target host. Here is another example:
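The alias enumeration command and the local and remote query forms described above, collected into one script. This is an added example and not code from the original post; the host names, the CORP domain, the svc-admin account, its password and c:\targets.txt are placeholders you would replace.

```batch
rem Added example (not from the original post): enumerating wmic aliases and
rem running the same kind of query locally, on one remote host, and on a host list.
rem Hostnames, the CORP domain, the account, the password and c:\targets.txt are placeholders.

rem 1. Which aliases exist, and which WQL query each one maps to.
wmic alias list brief
wmic alias where friendlyname="process" get friendlyname,target

rem 2. Locally: the brief property set as a list, or an explicit property list.
wmic process list brief
wmic process get name,processid,parentprocessid,executablepath

rem 3. One remote host with explicit credentials (omit /password to be prompted).
rem    The account must be a local administrator on WS01.
wmic /node:WS01 /user:CORP\svc-admin /password:ChangeMe1! os get caption,version,lastbootuptime

rem 4. Several hosts read from a file, one hostname or IP per line.
wmic /node:@"c:\targets.txt" computersystem get name,domain,username

rem 5. Kerberos only (ticket already in the current logon session): no /user or
rem    /password, but force Kerberos to the target's SPN with /authority.
wmic /node:WS01 /authority:"kerberos:CORP\WS01" process list brief

rem 6. Machine-parsable output for triage across many hosts.
wmic /node:@"c:\targets.txt" /output:"c:\triage\processes.csv" process get name,processid,executablepath /format:csv
```

Global switches (/node, /user, /password, /authority, /output) go before the alias and /format goes after the verb. When wmic output is redirected to a file it is written as UTF-16, with a leading blank line and "\r\r\n" line endings, so convert it before feeding it to tools that expect ASCII CSV.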
Each WMI class also contains methods that can be executed locally or remotely. Methods are invoked by using CALL [method name] [arguments]. To see the available methods for any class:
This will provide the methods available for the class as well as the required arguments, and their respective datatypes.
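Discovering and invoking class methods as described above, as an added example (not code from the original post). WS01 and the command lines passed to Create are placeholders.

```batch
rem Added example (not from the original post): discovering and calling WMI
rem class methods through wmic. WS01 and the command lines are placeholders.

rem 1. Methods of Win32_Process with their in/out parameters and data types.
wmic process call /?

rem 2. Win32_Process.Create locally. The output shows the new ProcessId and a
rem    ReturnValue (0 = success, 2 = access denied, 3 = insufficient privilege,
rem    9 = path not found, 21 = invalid parameter).
wmic process call create "cmd.exe /c whoami /all > c:\windows\temp\w.txt"

rem 3. A method invoked on every instance selected by a where clause.
wmic process where name="notepad.exe" call terminate

rem 4. The same on a remote host: the process runs non-interactively there, so
rem    redirect its output to a file (or a share you can reach) to collect it.
wmic /node:WS01 process call create "cmd.exe /c ipconfig /all > c:\windows\temp\ip.txt"

rem 5. Other classes expose methods too, e.g. Win32_Service.
wmic service where name="Spooler" call stopservice
```

Processes started through Win32_Process.Create have WmiPrvSE.exe as their parent, which is a common detection signature for this technique, so expect the parent/child relationship to stand out in process creation logs.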
Filtering can be used in wmic to return specific results from queries that match criteria you specify. Use the where clause to only return instances that match a specified boolean expression.
| Operator | Meaning |
|---|---|
| `!=` or `<>` | not equal |
| `>=` | greater than or equal to |
| `<=` | less than or equal to |
For example, a query that only returns Win32_Process instances whose name matches EMET:
The like operator is used for wildcard string matches: '%' matches any run of characters and '_' matches exactly one. Wrap the whole expression in double quotes for cmd and use single quotes for WQL string literals inside it, and remember that a backslash inside a WQL literal must be doubled. You can combine filters with the and (or or) clause like so:
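The operators from the table, like, and combined filters, worked through as an added example (not code from the original post). The process names, paths and size threshold are placeholders.

```batch
rem Added example (not from the original post): where-clause filtering in wmic.
rem Double quotes satisfy cmd, single quotes are the WQL string literals inside.
rem Process names, paths and the free-space threshold are placeholders.

rem Not-equal and comparison operators.
wmic process where "name!='svchost.exe' and parentprocessid<>0" get name,processid,parentprocessid
wmic logicaldisk where "drivetype=3 and freespace<=10737418240" get caption,freespace,size

rem like: % matches any run of characters, _ matches exactly one character.
wmic process where "name like '%EMET%'" list brief

rem Backslashes in a WQL literal are doubled (cmd does not touch them).
wmic process where "executablepath like 'C:\\Users\\%'" get name,executablepath,commandline

rem Filters combined with and; then the bare alias with no verb at all.
wmic volume where "drivetype=3 and capacity>0" get driveletter,label,capacity,freespace
wmic volume
```

With /node the where clause becomes part of the single WQL query sent to the remote host, so filtering there also cuts the volume of data that comes back over DCOM.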
In the last example the alias we are querying is volume, which maps to a select * from Win32_Volume WMI Query Language (WQL) statement. Using the list verb for formatting is not necessary: just providing the alias returns a nicely formatted table with all of the class instances and their properties. Aliases only cover a handful of WMI classes. Any other class can be reached with the /namespace global switch (root\cimv2 is the default) and the path keyword followed by the class name.
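Reaching classes that have no alias with /namespace and path, as an added example (not code from the original post). The IP address is a placeholder.

```batch
rem Added example (not from the original post): querying classes without an
rem alias. /namespace picks the WMI namespace, path names the class. IP is a placeholder.

rem Classes in the default root\cimv2 namespace that have no alias.
wmic path win32_loggedonuser get antecedent,dependent
wmic path win32_useraccount where localaccount=true get name,sid,disabled,lockout

rem Win32_PingStatus: an ICMP probe without touching ping.exe (StatusCode 0 = reply).
wmic path win32_pingstatus where "address='10.0.0.5'" get address,statuscode,responsetime

rem Classes in another namespace: registered antivirus products on workstations.
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname,productstate,pathtosignedproductexe

rem Walk the namespace tree to see what else is exposed.
wmic /namespace:\\root path __namespace get name
```

On a domain-joined host, win32_useraccount without the localaccount=true filter enumerates every domain account it can resolve, which is slow and noisy, so keep the filter unless that is what you want.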
There are several WMI classes that can provide a wealth of information and greatly aid a tester in becoming familiar with their target environment. Below is a list of some helpful queries.
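A triage script assembled from the aliases the post refers to, as an added example (not the original post's list). It runs as-is locally; prepend /node:<host> and credentials to each line for a remote host.

```batch
rem Added example (not from the original post): post-exploitation triage with wmic
rem aliases. Runs locally as written; prepend /node:<host> /user:... for remote hosts.

rem System identity and patch level
wmic computersystem get name,domain,username,manufacturer,model,totalphysicalmemory
wmic os get caption,version,buildnumber,osarchitecture,installdate,lastbootuptime
wmic qfe get hotfixid,description,installedon

rem Accounts, groups and logon history
wmic useraccount where localaccount=true get name,sid,disabled,passwordrequired
wmic group where localaccount=true get name,sid
wmic netlogin get name,lastlogon,numberoflogons

rem Processes, services and autoruns (pathname reveals unquoted service paths)
wmic process get name,processid,parentprocessid,executablepath,commandline
wmic service get name,displayname,pathname,startmode,startname,state
wmic startup get caption,command,location,user

rem Storage, shares and network configuration
wmic logicaldisk get caption,drivetype,filesystem,size,freespace
wmic share get name,path,description
wmic nicconfig where ipenabled=true get description,ipaddress,defaultipgateway,dnsserversearchorder,dhcpenabled
```

One alias to avoid on an engagement is product (Win32_Product): enumerating it makes Windows Installer run a consistency check on every MSI package, which is slow and writes an Application log entry (MsiInstaller Event ID 1035) per product.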