Useful Wmic queries for host and domain enumeration
Host Enumeration:
--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)
wmic computersystem LIST full
--- Anti-Virus ---
wmic /namespace:\\root\securitycenter2 path antivirusproduct
--- Peripherals ---
wmic path Win32_PnPdevice
--- Installed Updates ---
wmic qfe list brief
--- Directory Listing and File Search ---
wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size
wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
--- Local User Accounts ---
wmic USERACCOUNT Get Domain,Name,Sid
Domain Enumeration:
--- Domain and DC Info ---
wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
--- Domain User Info ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='testAccount'" GET /VALUE (* A bare GET with nothing after it is reported to fail with "invalid query"; give it a property list or /VALUE)
--- List All Users ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
--- List All Groups ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
--- Members of A Group ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"YOURDOMAINHERE\"") (* The inner quotes of the reference path must be backslash-escaped, otherwise the where clause is malformed)
--- List All Computers ---
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname
OR
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
Misc:
--- Execute Remote Command ---
wmic process call create "cmd.exe /c calc.exe"
--- Enable Remote Desktop ---
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
OR
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
@vysecurity


vysecurity commented Oct 16, 2017

Should be qfe list brief

@DanMcInerney


DanMcInerney commented Jul 13, 2018

Domain user information results in "invalid query" with valid user. Need something after GET, like /value.

@DanMcInerney


DanMcInerney commented Jul 13, 2018

Also should be noted if you're using wmic for getting domain group membership, you're going to get only the LDAP results which include the CN, but you're not going to be returned the actual Windows username. I'm trying to figure out how to do that now. I'll edit this post if I figure it out.

Got it:
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"YOURDOMAINHERE\"")
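The same Win32_GroupUser association that the gist's last host query and the comment above rely on, as an added PowerShell example (not part of the gist) that returns each member as DOMAIN\name and flags nested groups; the domain and group names are placeholders, and it assumes a domain-joined host that is allowed to read the group:

```powershell
# Added example: resolve a domain group's members to DOMAIN\name via the
# Win32_GroupUser association class. Domain/group values are placeholders.
function Get-GroupMembers {
    param(
        [string]$Domain = 'YOURDOMAINHERE',   # placeholder NetBIOS domain name
        [string]$Group  = 'Domain Admins'
    )

    # WQL compares GroupComponent against a reference path, so the inner
    # quotes have to be backslash-escaped (the same escaping the wmic
    # one-liner needs). Single-quoted pieces keep PowerShell from touching \".
    $filter = 'GroupComponent="Win32_Group.Domain=\"' + $Domain +
              '\",Name=\"' + $Group + '\""'

    Get-CimInstance -ClassName Win32_GroupUser -Filter $filter | ForEach-Object {
        # PartComponent is the member: a Win32_UserAccount, or a Win32_Group
        # when the membership is a nested group.
        $member = $_.PartComponent
        [pscustomobject]@{
            Group  = '{0}\{1}' -f $Domain, $Group
            Member = '{0}\{1}' -f $member.Domain, $member.Name
            Type   = $member.CimSystemProperties.ClassName
        }
    }
}

# Usage with the placeholders above:
Get-GroupMembers -Domain 'YOURDOMAINHERE' -Group 'Domain Admins' | Format-Table -AutoSize
```

Rows whose Type is Win32_Group are nested groups that still need to be expanded to reach the accounts behind them.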
