WMI Query

NOTE: The wmispawn command was renamed to wmiquery in v1.0 release.

Windows Management Instrumentation (WMI) is a Web-Based Enterprise Management (WBEM) implementation, often used by administrators to manage servers and workstations across an Active Directory environment. It is based on the Common Information Model (CIM) industry standard and exposes a SQL-like query language, WQL (WMI Query Language), for managing components across the network over RPC. This command queries the WMI COM server, locally or remotely, in memory. WMI is usually driven through PowerShell or wmic.exe, but Microsoft also provides COM DLLs that can be used to interact with the COM objects directly. Badger provides set_wmiconfig, get_wmiconfig, reset_wmiconfig and wmiquery to configure the WMI namespace, domain, username and password used to interact with a remote system. The below figure shows an unprivileged badger which does not have any privileges on the DC (BRDC01). The default WMI configuration in badger uses the “ROOT\CIMV2” namespace with no username or password, which means WMI queries run against the local system.

The namespace can be configured to a server-qualified path such as \\hostname\root\cimv2, along with credentials, using the set_wmiconfig command. Once this has been configured, every query issued with wmiquery uses that configuration. The below figure shows the badger querying a target host after configuring the WMI credentials and namespace.

The get_wmiconfig and reset_wmiconfig commands retrieve or reset the badger's WMI configuration. The default (reset) state is (null) for the credentials and ROOT//CIMV2 for the WMI namespace.
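The local-versus-remote distinction above comes entirely from the namespace string and the credential fields, so it is worth seeing exactly how such a path is taken apart. The following is an added example (Python, not Brute Ratel's code) that parses the namespace forms mentioned on this page (a bare ROOT\CIMV2 or ROOT//CIMV2, and a server-qualified \\hostname\root\cimv2), normalises them, and reports whether a given configuration would run locally or against a remote host. The WmiConfig structure, the parse_namespace and query_scope functions and the constructed sample configurations are assumptions made for this example; the hostname BRDC01 is taken from the figure described above.

```python
"""Parse WMI namespace paths and classify a WMI configuration as local or remote.

Added example (not the tool's own code). Path forms handled are those named on
the page: ROOT\\CIMV2, ROOT//CIMV2 and \\\\hostname\\root\\cimv2; forward slashes
are treated as equivalent to backslashes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_NAMESPACE = "ROOT\\CIMV2"          # default namespace named on the page
LOCAL_ALIASES = {"", ".", "localhost"}      # server parts that still mean "this machine"


@dataclass(frozen=True)
class WmiTarget:
    host: Optional[str]   # None means the local machine
    namespace: str        # normalised, e.g. "ROOT\\CIMV2"

    @property
    def is_remote(self) -> bool:
        return self.host is not None


@dataclass
class WmiConfig:
    """Hypothetical mirror of the set/get/reset_wmiconfig state: defaults match
    the page's reset state (null credentials, ROOT\\CIMV2)."""
    namespace: str = DEFAULT_NAMESPACE
    username: Optional[str] = None
    password: Optional[str] = None


def parse_namespace(path: str) -> WmiTarget:
    """Split a WMI namespace path into (host, namespace).

    \\\\HOST\\root\\cimv2  -> host "HOST", namespace ROOT\\CIMV2
    \\\\.\\root\\cimv2     -> local (dot is the local-machine alias)
    ROOT//CIMV2            -> local, doubled separators collapsed
    """
    p = path.strip().replace("/", "\\")
    host: Optional[str] = None
    if p.startswith("\\\\"):
        host_part, sep, ns_part = p[2:].partition("\\")
        if not sep:
            raise ValueError(f"server-qualified path lacks a namespace: {path!r}")
        host = None if host_part.lower() in LOCAL_ALIASES else host_part
        p = ns_part
    parts = [seg for seg in p.split("\\") if seg]      # drop empty segments from '//' or '\\\\'
    if not parts or parts[0].upper() != "ROOT":
        raise ValueError(f"WMI namespace must start with ROOT: {path!r}")
    return WmiTarget(host=host, namespace="\\".join(seg.upper() for seg in parts))


def query_scope(cfg: WmiConfig) -> Tuple[str, List[str]]:
    """Return ("local" | "remote:<host>", warnings) for a configuration.

    The warnings capture the two mismatches a practitioner usually trips over:
    a remote namespace with no credentials runs under the current token, and
    WMI refuses explicit credentials on a local connection.
    """
    target = parse_namespace(cfg.namespace)
    has_creds = bool(cfg.username)
    warnings: List[str] = []
    if target.is_remote and not has_creds:
        warnings.append("remote namespace without credentials: query runs as the current identity")
    if not target.is_remote and has_creds:
        warnings.append("credentials are ignored: WMI does not accept explicit credentials locally")
    scope = f"remote:{target.host}" if target.is_remote else "local"
    return scope, warnings


if __name__ == "__main__":
    # Constructed sample configurations: the reset state, and a remote one.
    for cfg in (WmiConfig(),
                WmiConfig(namespace="ROOT//CIMV2"),
                WmiConfig(namespace="\\\\BRDC01\\root\\cimv2", username="user", password="pw"),
                WmiConfig(namespace="\\\\BRDC01\\root\\cimv2")):
        print(cfg.namespace, "->", query_scope(cfg))
```

The parser upper-cases and re-joins the namespace, so ROOT\CIMV2, root/cimv2 and ROOT//CIMV2 all compare equal after parsing; the host is only ever taken from a leading \\server\ prefix, which is why the default configuration, with no such prefix and null credentials, resolves to the local machine.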