The Windows Management Instrumentation Command-line (WMIC) is a software utility that allows users to perform Windows Management Instrumentation (WMI) operations with a command prompt.
The WMIC tool was introduced in Windows XP Professional and has been included in every version of Windows since. Furthermore, it can be used to manage every Windows version since Windows 95, although 9x and NT require the Microsoft WMI Core add-on to be installed.
Using WMIC queries, incident responders can pull OS information, network information, running processes, running services, user account information, and other artifacts of evidentiary value from live systems.
In this post, I will discuss wmic commands I find very useful from a forensic standpoint.
WMIC Commands For Incident Response
To get information about the computer system under investigation.
wmic computersystem list brief
To get information about the operating system
wmic os list brief
wmic os get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list
wmic os get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberofProcesses, NumberofUsers, Organization, RegisteredUser, Status
To obtain information about the CPU.
wmic cpu get processorID
wmic cpu List instance
wmic cpu get Name, Caption, MaxClockSpeed, DeviceID, status
To find applications that start on boot
wmic startup get Caption, Command, Location, User
To retrieve BIOS information
wmic bios get smbiosbiosversion
wmic bios get name, version, serialnumber
To get information about boot configuration
wmic bootconfig get BootDirectory, Caption, TempDirectory, Lastdrive
To find services that are set to start automatically
wmic service where StartMode="Auto" get Name, State
To get information about the hard disk drive
wmic diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType
To get information about the partitions in the hard disk.
wmic logicaldisk get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName
wmic partition get Caption, Size, PrimaryPartition, Status, Type
To obtain information about disk quota
wmic diskquota get User, Warninglimit, DiskSpaceUsed, QuotaVolume
To obtain information about the Network Interface Card
wmic nic get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID, PowerManagementSupported, Speed, StatusInfo
To obtain information about network configuration
wmic nicconfig get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain
wmic nicconfig get MACAddress, IPAddress, DHCPEnabled, DHCPLeaseExpires, DHCPLeaseObtained, DHCPServer
wmic nicconfig get MACAddress, IPAddress, DNSHostName, DNSDomain, DNSDomainSuffixSearchOrder, DNSEnabledForWINSResolution, DNSServerSearchOrder
wmic nicconfig get MACAddress, IPAddress, WINSPrimaryServer, WINSSecondaryServer, WINSEnableLMHostsLookup, WINSHostLookupFile
To get information about CDROM
wmic cdrom get Name, Drive, Volumename
To obtain information about environment variables
wmic environment get Description, Name, SystemVariable, VariableValue
To obtain information about groups
wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status
To get a list of IP interfaces
wmic nicconfig where IPEnabled='true'
To list all running processes
wmic process get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, ParentProcessId, ProcessId, ThreadCount
wmic process get name, processid, parentprocessid, executablepath
Analysing the relationship between Process ID and Parent Process ID in the output of the above commands can reveal malware.
To identify and analyse a particular process, say, svchost.exe, which is often abused by malicious actors
wmic process where (Name='svchost.exe') get name, processid, parentprocessid, executablepath
To get a list of all available attributes of all running processes.
wmic process list full
To spot odd executables
wmic process WHERE "NOT ExecutablePath LIKE '%WINDOWS%'"
To obtain the executable paths of the above
wmic process WHERE "NOT ExecutablePath LIKE '%WINDOWS%'" Get ExecutablePath
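The parent/child and executable-path checks from the process commands above can be automated once the output is captured with /format:csv. The following Python script is an added example, not code from the original post: it parses a constructed sample of wmic process output (WMIC prepends a Node column, sorts the requested properties alphabetically, starts with a blank line and ends each line with \r\r\n, which is what the sample reproduces), rebuilds the process tree, and flags svchost.exe instances not started by services.exe, executables outside the Windows directory, and processes whose parent has already exited. The function names are my own. The parent-exited check is informational rather than a verdict, since explorer.exe normally has a parent that has exited.

```python
import csv
from collections import defaultdict

# Constructed sample of the output of
#   wmic process get Name,ProcessId,ParentProcessId,ExecutablePath /format:csv
# (hypothetical host, PIDs and paths chosen for the example).
SAMPLE_WMIC_CSV = (
    "\r\r\n"
    "Node,ExecutablePath,Name,ParentProcessId,ProcessId\r\r\n"
    "HOST1,,System,0,4\r\r\n"
    "HOST1,C:\\Windows\\System32\\smss.exe,smss.exe,4,320\r\r\n"
    "HOST1,C:\\Windows\\System32\\wininit.exe,wininit.exe,320,500\r\r\n"
    "HOST1,C:\\Windows\\System32\\services.exe,services.exe,500,612\r\r\n"
    "HOST1,C:\\Windows\\System32\\svchost.exe,svchost.exe,612,800\r\r\n"
    "HOST1,C:\\Windows\\explorer.exe,explorer.exe,4100,3000\r\r\n"
    "HOST1,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,update.exe,3000,4200\r\r\n"
    "HOST1,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe,svchost.exe,4200,4300\r\r\n"
)


def parse_wmic_csv(text):
    """Return one dict per process row.

    WMIC's CSV output begins with a blank line and terminates lines with
    \\r\\r\\n, so line endings are normalised and empty lines dropped
    before handing the text to csv.DictReader."""
    lines = [ln.strip() for ln in text.replace("\r", "").split("\n")]
    return list(csv.DictReader([ln for ln in lines if ln]))


def render_tree(rows):
    """Return the process tree as indented text, one process per line.

    Roots are processes whose parent PID is not in the listing (PID 0 for
    System, or a parent that has exited)."""
    by_pid = {int(r["ProcessId"]): r for r in rows}
    children = defaultdict(list)
    for r in rows:
        children[int(r["ParentProcessId"])].append(int(r["ProcessId"]))
    roots = [p for p, r in by_pid.items() if int(r["ParentProcessId"]) not in by_pid]
    out = []

    def walk(pid, depth):
        r = by_pid[pid]
        out.append("  " * depth + f"{pid} {r['Name']} ({r['ExecutablePath'] or 'n/a'})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return "\n".join(out)


def suspicious_processes(rows):
    """Apply three triage checks and return (pid, name, reason) tuples:
    svchost.exe whose parent is not services.exe, an executable path that
    does not contain 'windows' (the post's NOT LIKE '%WINDOWS%' filter),
    and a parent PID that is no longer present."""
    by_pid = {int(r["ProcessId"]): r for r in rows}
    findings = []
    for r in rows:
        pid, ppid = int(r["ProcessId"]), int(r["ParentProcessId"])
        name, path = r["Name"].lower(), r["ExecutablePath"]
        parent = by_pid.get(ppid)
        if name == "svchost.exe" and (parent is None or parent["Name"].lower() != "services.exe"):
            findings.append((pid, r["Name"], "svchost.exe not started by services.exe"))
        if path and "windows" not in path.lower():
            findings.append((pid, r["Name"], "executable outside the Windows directory"))
        if parent is None and ppid != 0:
            findings.append((pid, r["Name"], f"parent process {ppid} no longer running"))
    return findings


if __name__ == "__main__":
    procs = parse_wmic_csv(SAMPLE_WMIC_CSV)
    print(render_tree(procs))
    for pid, name, reason in suspicious_processes(procs):
        print(f"[!] {pid} {name}: {reason}")
```

On a live system, replace SAMPLE_WMIC_CSV with the text read from a file written by `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath /format:csv > procs.csv`; the parser keys on column names, so the order WMIC chooses does not matter.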
To find the list of currently logged-on users.
wmic computersystem get name, username
To get a list of all users on the suspect system and their attributes.
wmic useraccount get Name, Domain, AccountType, InstallDate, SID, Lockout
To determine the maximum RAM capacity.
wmic memphysical get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices
To determine where the pagefile.sys file is, along with some information about it.
wmic pagefile get Caption, CurrentUsage, Status, TempPageFile
To obtain information about the memory object caching system
wmic memcache get Name, BlockSize, Purpose, MaxCacheSize, Status
To identify any local accounts that are enabled (Guest, etc.)
wmic useraccount WHERE "Disabled=0 AND LocalAccount=1" GET Name
To obtain login information of users
wmic netlogin get Name, Fullname, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID
To get the number of logons of a user ID (replace Joseph with the user ID of interest)
wmic netlogin where (name like "%Joseph") get numberoflogons
To obtain information about network protocol
wmic netprotocol get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status
To find user-created shares (usually not hidden)
wmic share WHERE "NOT Name LIKE '%$'" get Name, Path
To obtain information about users accounts
wmic useraccount get AccountType, Description, Domain, Disabled, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID
To retrieve information about the desktop
wmic desktop get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list
To retrieve information about desktop monitor
wmic desktopmonitor get screenheight, screenwidth
For event log queries
wmic ntevent where (LogFile='system' and SourceName='W32Time') get Message, TimeGenerated
wmic ntevent where (LogFile='system' and SourceName='W32Time' and Message like '%timesource%') get Message, TimeGenerated
wmic ntevent where (LogFile='system' and SourceName='W32Time' and EventCode!='29') get TimeGenerated, EventCode, Message
To obtain information about printers connected
wmic printer get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, Horizontalresolution
To obtain information about the registry
wmic Registry get CurrentSize, MaximumSize, ProposedSize, Status
To obtain information about system accounts
wmic sysaccount get Caption, Domain, Name, SID, SIDType, Status
To obtain information about time zone
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
To obtain information about Memory chip
wmic memorychip get BankLabel, Capacity, Caption, CreationClassName, DataWidth, Description, Devicelocator, FormFactor, HotSwappable, InstallDate, InterleaveDataDepth, InterleavePosition, Manufacturer, MemoryType, Model, Name, OtherIdentifyingInfo, PartNumber, PositionInRow, PoweredOn, Removable, Replaceable, SerialNumber, SKU, Speed, Status, Tag, TotalWidth, TypeDetail, Version
This is by no means an exhaustive list of useful WMIC commands. You can do just about anything with it with respect to querying a machine or starting and stopping processes and services. The commands discussed here can be combined with those of an earlier post for a more robust incident response.
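When several of the queries above are run on a live system, the outputs should be captured as they are, without editing, and hashed so that later analysis can be tied back to what was collected. The following Python script is an added example, not part of the original post: it runs a set of the post's WMIC queries with /format:csv, stores the raw bytes of each result in an evidence directory, writes a manifest with a SHA-256 per file, and can re-verify the directory afterwards. The query labels, the manifest layout and the runner hook (used so the collection logic can be exercised without wmic present) are my own choices; it assumes it is run on a Windows host where wmic is on the path.

```python
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# A subset of the post's queries, each with /format:csv so the output parses
# cleanly later. Labels are this example's own names for the output files.
TRIAGE_QUERIES = {
    "os": ["wmic", "os", "get", "Caption,Version,InstallDate,LastBootUpTime", "/format:csv"],
    "process": ["wmic", "process", "get",
                "Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine", "/format:csv"],
    "service_auto": ["wmic", "service", "where", "StartMode='Auto'",
                     "get", "Name,State,PathName", "/format:csv"],
    "startup": ["wmic", "startup", "get", "Caption,Command,Location,User", "/format:csv"],
    "nicconfig": ["wmic", "nicconfig", "where", "IPEnabled=true", "get",
                  "MACAddress,IPAddress,DefaultIPGateway,DNSServerSearchOrder", "/format:csv"],
    "useraccount": ["wmic", "useraccount", "get",
                    "Name,Domain,SID,Disabled,LocalAccount", "/format:csv"],
    "share": ["wmic", "share", "get", "Name,Path", "/format:csv"],
}


def run_query(argv):
    """Run one wmic command and return its stdout as raw bytes.

    The bytes are kept undecoded on purpose: WMIC writes UTF-16LE when its
    output is redirected, and the hash must cover exactly what was captured."""
    return subprocess.run(argv, capture_output=True, timeout=120, check=False).stdout


def collect(queries, outdir, runner=run_query):
    """Run every query, save each raw output as <label>.csv under outdir, and
    write manifest.json recording command, size and SHA-256. Returns the
    manifest as a dict."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for label, argv in queries.items():
        data = runner(argv)
        path = outdir / f"{label}.csv"
        path.write_bytes(data)
        manifest["items"].append({
            "label": label,
            "command": " ".join(argv),
            "file": path.name,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """Re-hash every file named in manifest.json and return the labels whose
    current hash differs from the recorded one (empty list means intact)."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    changed = []
    for item in manifest["items"]:
        digest = hashlib.sha256((outdir / item["file"]).read_bytes()).hexdigest()
        if digest != item["sha256"]:
            changed.append(item["label"])
    return changed


if __name__ == "__main__":
    # Usage: python wmic_triage.py <evidence_dir>
    target = sys.argv[1] if len(sys.argv) > 1 else "wmic_triage"
    result = collect(TRIAGE_QUERIES, target)
    for item in result["items"]:
        print(f"{item['label']:<14} {item['bytes']:>8} bytes  {item['sha256']}")
    print("verify:", "intact" if not verify(target) else "MODIFIED")
```

Keep the manifest alongside the files; running `verify()` on the directory later detects any output file that has been altered since collection, which is the property the hashes are there to give.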
Very insightful.