Using WMIC for Red Teaming: A Guide for Pen Testers and Red Team Members

Red teaming is a vital aspect of information security, and it plays a crucial role in ensuring that organizations’ networks are adequately secured. However, for red teamers to be effective, they must have access to tools and techniques that can help them find and exploit vulnerabilities in an organization’s network. One such tool is Windows Management Instrumentation Command-line (WMIC). In this article, we will explore how red teamers can use WMIC to achieve their objectives.

What is WMIC?

Windows Management Instrumentation Command-line (WMIC) is a command-line interface that allows administrators to manage the Windows environment using scripts and tools. It is an interface to WMI, which is a management technology that is built into Windows operating systems. WMIC can perform a variety of administrative tasks, including querying system information, executing remote commands, and setting system configurations.

WMIC is a powerful tool that provides red teamers with access to critical system information and configurations. Red teamers can use this information to identify vulnerabilities, execute commands, and modify system configurations. Moreover, WMIC allows red teamers to perform these tasks remotely, which means that they can exploit vulnerabilities from a distance, making it an ideal tool for red teaming.

Using WMIC for Red Teaming

To use WMIC effectively for red teaming, red teamers must first understand the tool’s syntax and how it works. The syntax for WMIC is as follows:

WMIC [global switches] [command [arguments]]

The global switches are options that apply to all WMIC commands, while the command and arguments are specific to the particular command being executed.

Below are some of the most useful WMIC commands for red teaming:

wmic process list brief

This command displays a list of running processes on the target system. This information can be used by red teamers to identify processes that may be vulnerable to exploitation. For example, if a process is running with elevated privileges, red teamers can use this information to determine whether they can exploit the process to gain access to the target system.

wmic useraccount list full

This command displays a list of user accounts on the target system, including information about each user account, such as the account name, password status, and account type. This information can be used by red teamers to identify user accounts with weak passwords, which can be exploited to gain access to the target system.

wmic logicaldisk list brief

This command displays a list of logical disks on the target system, including information about each disk, such as the disk name, drive type, and file system. This information can be used by red teamers to identify disks that may contain sensitive data or other exploitable information.

wmic service list brief

This command displays a list of services on the target system, including information about each service, such as the service name, service status, and startup type. This information can be used by red teamers to identify services that may be vulnerable to exploitation.

wmic share list brief

This command displays a list of shares on the target system, including information about each share, such as the share name, share path, and share type. This information can be used by red teamers to identify shares that may contain sensitive data or other exploitable information.

Examples of Using WMIC for Red Teaming

Checking for Running Processes The wmic process list brief command can be used to check for running processes on the target system. For example, the following command can be used to check for the presence of the cmd.exe process:

wmic process list brief | find /i "cmd.exe"

If the cmd.exe process is running, the output of the command will display the process ID, process name, and other information about the process.

Once the red teamer has identified the process, they can use other tools and techniques to exploit it. For example, they can use a tool like Metasploit to launch a payload that can be used to gain access to the target system.

Enumerating User Accounts

The wmic useraccount list full command can be used to enumerate user accounts on the target system. For example, the following command can be used to display a list of user accounts and their corresponding password statuses:

wmic useraccount list full | find /i "password"

If a user account is found to have a weak password, the red teamer can use other tools and techniques to exploit the account and gain access to the target system.

Checking for Logical Disks

The wmic logicaldisk list brief command can be used to check for logical disks on the target system. For example, the following command can be used to check for the presence of a particular logical disk:

wmic logicaldisk list brief | find /i "C:"

If the C: drive is found, the red teamer can use other tools and techniques to explore the contents of the drive and identify sensitive data or other exploitable information.

Enumerating Services

The wmic service list brief command can be used to enumerate services on the target system. For example, the following command can be used to display a list of services and their corresponding startup types:

wmic service list brief | find /i "auto"

If a service is found to have an auto startup type, the red teamer can use other tools and techniques to exploit the service and gain access to the target system.

Enumerating Shares

The wmic share list brief command can be used to enumerate shares on the target system. For example, the following command can be used to display a list of shares and their corresponding share types:

wmic share list brief | find /i "disk"

If a share is found to be of type disk, the red teamer can use other tools and techniques to explore the contents of the share and identify sensitive data or other exploitable information.

Additional Tips for Using WMIC

Using WMIC with PowerShell

WMIC can be used with PowerShell to create more complex scripts that can automate tasks and help red teamers achieve their objectives more efficiently. For example, the following PowerShell script can be used to enumerate all user accounts on the target system and display their corresponding password statuses:

$accounts = wmic useraccount list full
foreach ($account in $accounts)
{
    if ($account -like "password")
    {
        Write-Host $account
    }
}

This script uses the wmic useraccount list full command to enumerate all user accounts on the target system and stores the results in the $accounts variable. The script then iterates through each account and checks to see if the account information contains the word “password.” If the word is found, the account information is displayed on the screen.

By using WMIC with PowerShell, red teamers can create more complex scripts that can automate tasks and help them achieve their objectives more efficiently.

Using WMIC with Batch Files

WMIC can also be used with batch files to perform more complex tasks. For example, the following batch file can be used to create a backup of a target system’s registry:

@echo off
set regpath="HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore"
set regbackup="C:\registry-backup.reg"
wmic /namespace:\root\default path stdregprov backup $regpath $regbackup

This batch file sets the registry path to be backed up and the file name of the backup file. It then uses WMIC to create a backup of the registry and saves it to the specified file.

By using WMIC with batch files, red teamers can perform more complex tasks and automate repetitive tasks.

Using WMIC with Remote Systems

WMIC can be used to perform administrative tasks on remote systems. For example, the following command can be used to display a list of running processes on a remote system:

wmic /node:"remotesystem" process list brief

This command uses the /node switch to specify the name of the remote system and the wmic process list brief command to display a list of running processes.

By using WMIC with remote systems, red teamers can perform administrative tasks on multiple systems simultaneously and from a distance, which can be an effective way to exploit vulnerabilities and gain access to target systems.

Using WMIC with Filters

WMIC can also be used with filters to narrow down the results of a query. For example, the following command can be used to display a list of running processes that have a specific name:

wmic process where "name='notepad.exe'" list brief

This command uses the where clause to filter the results of the wmic process list brief command to only display processes with the name “notepad.exe.”

By using WMIC with filters, red teamers can narrow down the results of a query and focus on specific information that is relevant to their objectives.

Conclusion

WMIC is a powerful tool that can be used by red teamers to identify vulnerabilities, execute commands, and modify system configurations. It provides red teamers with access to critical system information and configurations, which can be used to exploit vulnerabilities and gain access to target systems. Red teamers can use WMIC to perform a variety of administrative tasks, including querying system information, executing remote commands, and setting system configurations. WMIC is a valuable tool for red teaming, and red teamers should become familiar with its syntax and how it works. By using WMIC effectively, red teamers can achieve their objectives and help organizations improve their overall security posture.