Sunday, May 31, 2020

Using WMIC to communicate with remote hosts

We can manage user accounts on a Windows computer using wmic commands. You can find commands for various operations below.

WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:
#wmic process list

Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief

Start an Application
#wmic process call create "calc.exe"

Terminate an Application
#wmic process where name="calc.exe" call terminate

Change Process Priority
#wmic process where name="explorer.exe" call setpriority 64

Get List of Process Identifiers
#wmic process where (Name='svchost.exe') get name,processid

Find a specific Process
#wmic process list brief | find "cmd.exe"

You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list


OS/System Report HTML Formatted
#wmic /output:c:\os.html os get /format:hform

Products/Programs Installed Report HTML Formatted
#wmic /output:c:\product.html product get /format:hform

Turn on Remote Desktop Remotely
#wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

Get Server Drive Space Usage Remotely (%%A is the host variable of a batch FOR loop; MORE +2 skips the blank line and header so only data rows are appended)
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV

Get PC Serial Number
#wmic /node:<IP Address> bios get serialnumber

Get PC Product Number
#wmic /node:"HOST" baseboard get product

Find stuff that starts on boot
#wmic STARTUP GET Caption, Command, User

Reboot or Shutdown
#wmic os where buildnumber="2600" call reboot

Get Startup List
#wmic startup list full

Information About Harddrives
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about OS
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files (backslashes inside the WQL string must be doubled)
#wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\filedetails.txt

The following global switches are available:
/NAMESPACE           Path for the namespace the aliases operate against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.



Use Case Example 01:
Use of WMIC to query remote servers to get the hardware serial numbers.

In order to run against an entire subnet and output to a text document, I used the approach below. This helps me to verify the inventory of computers.

I placed the IP list after /node: (/node:ip1,ip2,ip3), or sometimes used a text file when the list is large (/node:@file):

#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv
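The /format:csv output of the serial-number command above (and of the LogicalDisk drive-space command earlier on the page) has two quirks that trip up scripts: wmic starts the CSV with an empty line before the header, and files written with /output are UTF-16 encoded. The following added example, which is not from the original post, parses such a file and reports which expected nodes returned no row, which is how unreachable hosts show up in an inventory run. The sample CSV text, the host names and the EXPECTED_NODES list are constructed for the example; the parser itself is generic and works for any wmic /format:csv output.

```python
import csv
import io

# Constructed sample of what `wmic /node:@nodes.txt bios get serialnumber /format:csv`
# produces: a leading blank line, a header row, then one row per node that answered.
# Unreachable nodes produce no row at all, which is why inventory_report() lists them.
SAMPLE_WMIC_CSV = """
Node,SerialNumber
WS-001,ABC123XYZ
WS-002,DEF456UVW
WS-004,GHI789RST
"""

# Hosts we expected to answer (constructed; in practice this is the nodes.txt list).
EXPECTED_NODES = ["WS-001", "WS-002", "WS-003", "WS-004"]


def parse_wmic_csv(raw_bytes):
    """Parse the CSV that wmic /format:csv produces.

    Files written with /output are UTF-16 with a BOM, and the CSV begins with an
    empty line before the header; both break naive csv.reader use. Returns a list
    of dicts keyed by the header names (e.g. Node, SerialNumber).
    """
    # Decode UTF-16 when a BOM is present, otherwise assume console-captured text.
    if raw_bytes.startswith(b"\xff\xfe") or raw_bytes.startswith(b"\xfe\xff"):
        text = raw_bytes.decode("utf-16")
    else:
        text = raw_bytes.decode("utf-8", errors="replace")
    # Drop the leading empty line(s) wmic emits, plus any blank trailing lines
    # (wmic's \r\r\n line endings also turn into empty lines after splitlines()).
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def inventory_report(rows, expected_nodes):
    """Return (node -> serial number, list of expected nodes that sent no row)."""
    serials = {r["Node"]: r["SerialNumber"] for r in rows}
    missing = [n for n in expected_nodes if n not in serials]
    return serials, missing


if __name__ == "__main__":
    # Emulate reading the /output file: wmic would have written it as UTF-16.
    data = SAMPLE_WMIC_CSV.encode("utf-16")
    serials, missing = inventory_report(parse_wmic_csv(data), EXPECTED_NODES)
    for node, serial in serials.items():
        print(f"{node}\t{serial}")
    print("no response from:", ", ".join(missing) or "(none)")
```

Replace SAMPLE_WMIC_CSV with `open("out.csv", "rb").read()` to run it against a real output file; because the parser keys on the header row, the same code handles the DeviceID/FreeSpace/Size columns of the drive-space report.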

Use Case Example 02:
While investigating suspicious behaviour recorded on Windows computers, I have sometimes seen entries like the ones below, which are suspicious:

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"
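The two entries above share a pattern a detection rule can key on: wmic invoked with a /node: switch together with "process call create", that is, a process started on another host, usually with a credential passed on the command line and often followed by a "del" of the same file. The following added example (not from the original post) classifies process-creation command lines such as the CommandLine field of Sysmon event 1 or Security event 4688 and flags that pattern. The sample command lines, host names and credentials are constructed for the example; the password value is deliberately never copied into the result.

```python
import re

# Constructed process-creation command lines, in the shape a Sysmon event 1 or
# Security 4688 CommandLine field would record them. Not real telemetry.
SAMPLE_COMMAND_LINES = [
    'wmic process list brief',
    'wmic /node:10.0.0.25 /user:CORP\\svc-admin /password:Sample-Pass1 '
    'process call create "cmd /c start c:\\windows\\system32\\updater.exe"',
    'WMIC /NODE:"fileserver01" /user:admin /password:Sample-Pass2 '
    'process call create "cmd /c del c:\\windows\\system32\\updater.exe"',
    'wmic /node:@nodes.txt /user:administrator /password:Sample-Pass3 '
    '/output:out.csv bios get serialnumber /format:csv',
    'wmic os get caption,version',
]

WMIC_RE = re.compile(r'\s*"?wmic(\.exe)?"?\s', re.IGNORECASE)
NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
CREATE_RE = re.compile(r'process\s+call\s+create\s+"?(.+?)"?\s*$', re.IGNORECASE)
PASSWORD_RE = re.compile(r'/password:"?[^"\s]+"?', re.IGNORECASE)


def classify_wmic(cmdline):
    """Describe a wmic command line; return None if the line is not wmic at all.

    The result records the target node and the command handed to "call create",
    plus a list of findings. "suspicious" is set only for the remote-execution
    pattern (a /node: switch combined with process call create).
    """
    if not WMIC_RE.match(cmdline):
        return None
    node = NODE_RE.search(cmdline)
    create = CREATE_RE.search(cmdline)
    findings = []
    if node and create:
        findings.append("remote process creation via wmic")
    if PASSWORD_RE.search(cmdline):
        # Flag the presence only; the value itself is not reported.
        findings.append("credential passed on command line")
    if create and re.search(r'\bdel\b', create.group(1), re.IGNORECASE):
        findings.append("remote file deletion (possible cleanup)")
    return {
        "node": node.group(1) if node else None,
        "created": create.group(1) if create else None,
        "findings": findings,
        "suspicious": bool(node and create),
    }


def find_suspicious(cmdlines):
    """Return the classified entries that match the remote-execution pattern."""
    hits = []
    for line in cmdlines:
        result = classify_wmic(line)
        if result and result["suspicious"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_COMMAND_LINES):
        print(f"node={hit['node']!r} created={hit['created']!r}")
        for finding in hit["findings"]:
            print("  -", finding)
```

The inventory command from Use Case 01 carries a password but no "call create", so it is reported for the credential on the command line without being marked as remote execution; correlating the flagged node with a matching process start on that host (event 4688 with WmiPrvSE.exe as the parent) is the natural next check.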
