Up until PowerShell v2 we had only the WMI cmdlets.
From PowerShell v3 onwards we also have access to the CIM cmdlets.
CIM
Common Information Model
Uses the WS-MAN and CIM standards to manage objects.
Can be used if WMI (DCOM) is blocked but WS-MAN (WinRM) is enabled.
CIM follows the DMTF (Distributed Management Task Force) standards, which means it can manage non-Windows boxes as well. NOTE: WMI is the Windows-oriented implementation of CIM.
Every namespace has a class called __Namespace that can be used to enumerate the child namespaces under that namespace (the recursive function below relies on it).
By default root\CIMv2 is used when a class is queried without a namespace.
# If we query a class without specifying namespace, "root\CIMv2 is used"
Get-WmiObject -Class Win32_Process
# Recursive function to list all the namespaces on the system.
function Get-WmiNamespace {
    param (
        $Namespace = 'root'
    )
    Get-WmiObject -Namespace $Namespace -Class __Namespace | ForEach-Object {
        # Output the full namespace path, then descend into it
        ($ns = '{0}\{1}' -f $_.__Namespace, $_.Name)
        Get-WmiNamespace $ns
    }
}
Classes
Classes represent managed resources such as processes, hardware, services, etc.
Categories
Core Classes: represent managed objects that apply to all areas of management. Example - the __SystemSecurity class
Common Classes: extensions of the core classes for specific management areas. Prefixed with CIM_. Example - CIM_UnitaryComputerSystem
Extended Classes: technology-specific additions to the common classes. Example - Win32_ComputerSystem
Types
Abstract - Template class used to define new classes. Cannot be used to retrieve instances.
Static - Stores data such as WMI configuration and operational data.
Dynamic - Retrieved from a provider and represents a WMI managed object, e.g. a process, a service or the system.
Association - Describes a relationship between two classes or managed resources.
Querying Classes with WMI
Classes can be listed with the -List parameter.
# List all classes in default "root\CIMv2" namespace
Get-WmiObject -List
Get-WmiObject -Class * -List
# Search class
Get-WmiObject -Class *bios* -List
# Search for specific classes in another namespace
Get-WmiObject -Namespace root\security -Class *bios* -List
Querying Classes with CIM
# List all classes in default "root\CIMv2" namespace
Get-CimClass
# Search for a class
Get-CimClass -Class *bios*
# List only dynamic classes, from which instances can be retrieved
Get-CimClass -QualifierName dynamic
Objects
Querying Objects with WMI
# Lists all the instances of the class "Win32_BIOS"
Get-WmiObject -Class Win32_BIOS
Querying Objects with CIM
# Lists all the instances of the class "Win32_BIOS"
Get-CimInstance -ClassName Win32_BIOS
Filtering Objects/Instances
-Filter parameter (evaluated by the WMI service, only matching instances are returned)
-Filter "Name = 'explorer.exe'"
Where-Object cmdlet (slower than -Filter, because every instance is returned to PowerShell first and filtered client-side)
Where-Object {$_.name -eq "svchost.exe"}
# OR
Where-Object name -eq "svchost.exe"
-Query parameter
# WQL, similar to SQL
-Query "select * from Win32_Process where Name = 'lsass.exe'"
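Added example (not part of the original notes): the three filtering styles above run against Win32_Process and timed against each other, so the "slower than -Filter" claim can be checked on your own box. The process name is a placeholder and is quoted for WQL (a literal `'` is doubled) before it goes into the filter string.

```powershell
# Added example: compare server-side (-Filter, -Query) with client-side
# (Where-Object) filtering of Win32_Process and time each one.
function Compare-ProcessFilters {
    param([string]$ProcessName = 'svchost.exe')   # placeholder process name

    # Escape single quotes so the name cannot break out of the WQL string
    $safeName = $ProcessName -replace "'", "''"
    $sw = [System.Diagnostics.Stopwatch]::StartNew()

    # -Filter: WQL WHERE clause evaluated by the WMI service
    $byFilter = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$safeName'"
    $filterMs = $sw.ElapsedMilliseconds; $sw.Restart()

    # -Query: full WQL statement, also evaluated by the WMI service
    $byQuery = Get-CimInstance -Query "SELECT * FROM Win32_Process WHERE Name = '$safeName'"
    $queryMs = $sw.ElapsedMilliseconds; $sw.Restart()

    # Where-Object: every instance is serialised to PowerShell, then filtered
    $byWhere = Get-CimInstance -ClassName Win32_Process | Where-Object Name -eq $ProcessName
    $whereMs = $sw.ElapsedMilliseconds

    $counts = @(@($byFilter).Count, @($byQuery).Count, @($byWhere).Count)
    [pscustomobject]@{
        Process        = $ProcessName
        Matches        = $counts[0]
        # All three styles must agree; if not, something filtered differently
        SameResult     = ($counts | Sort-Object -Unique).Count -eq 1
        Filter_ms      = $filterMs
        Query_ms       = $queryMs
        WhereObject_ms = $whereMs
    }
}

Compare-ProcessFilters -ProcessName 'svchost.exe' | Format-List
```

Run it a few times; the first call pays for loading the CIM provider, so compare the later runs.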
Removing an Object
We can use Remove-WmiObject to remove the object returned by Get-WmiObject (Remove-CimInstance is the CIM equivalent).
# This is equivalent to killing the process
Get-WmiObject -Class win32_process | Where-Object {$_.Name -Like "*notepad*"} | Remove-WmiObject
Get-CimInstance -Class win32_process | Where-Object {$_.Name -Like "*notepad*"} | Remove-CimInstance
Methods
Find all classes in a namespace that have methods
# WMI
Get-WmiObject -List | Where-Object {$_.Methods}
# CIM
Get-Cimclass -MethodName *
# Search for a specific class
Get-CimClass -MethodName create
[!NOTE] The Static qualifier on a method indicates that it is a static method, which can be called directly on the class without creating an object. For example Create is a static method of Win32_Process and can be called via the class to create a process, whereas Terminate is an instance method and needs an existing process object.
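Added example (not from the original notes): reads the method qualifiers of a class through Get-CimClass and reports which methods are static and which need an instance, which is how the note above can be verified for any class.

```powershell
# Added example: list a class's methods and tell static methods (callable on
# the class itself) apart from instance methods (need an existing object).
function Get-CimMethodKind {
    param(
        [Parameter(Mandatory)][string]$ClassName,
        [string]$Namespace = 'root\CIMv2'
    )
    $class = Get-CimClass -ClassName $ClassName -Namespace $Namespace
    foreach ($method in $class.CimClassMethods) {
        # The "Static" qualifier is the marker the note above refers to
        $isStatic = $method.Qualifiers.Name -contains 'Static'
        [pscustomobject]@{
            Class      = $class.CimClassName
            Method     = $method.Name
            Kind       = if ($isStatic) { 'Static' } else { 'Instance' }
            Parameters = ($method.Parameters.Name -join ', ')
        }
    }
}

# Win32_Process: Create shows up as Static, Terminate and GetOwner as Instance
Get-CimMethodKind -ClassName Win32_Process | Format-Table -AutoSize

# Classes in the default namespace that expose at least one static method;
# useful when reviewing which classes can act without an existing instance
Get-CimClass -MethodName * |
    Where-Object { $_.CimClassMethods.Qualifiers.Name -contains 'Static' } |
    Select-Object -ExpandProperty CimClassName
```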
Associators describe relationships between WMI classes and are used to get information about an object that is not available in a single class.
Class associations can be found here : https://raw.githubusercontent.com/dfinke/images/master/acn.png
For example, there are three classes that deal with network configuration:
Win32_NetworkAdapter
Win32_NetworkAdapterConfiguration
Win32_NetworkAdapterSetting
Associators can be used to gather information from all of these classes.
The __RELPATH property of an object (e.g. Win32_NetworkAdapter.DeviceID=0) is used to address the object in an Associators query.
# WMI
# Get-WmiObject -Query "Associators of {__RELPATH VALUE}"
# This lists out any object with the association
Get-WmiObject -Query "Associators of {Win32_NetworkAdapter.DeviceID=0}"
# To get only the list of associated class names (not the instances), add WHERE ClassDefsOnly after the closing brace
Get-WmiObject -Query "Associators of {Win32_NetworkAdapter.DeviceID=0} where ClassDefsOnly"
# CIM
Get-CimAssociatedInstance -InputObject (Get-CimInstance -Class Win32_NetworkAdapter -Filter "DeviceID = 0")
References
To get the list of classes that link two classes together, i.e. the class that ties a class to an associated class, we can use the References of WMI query.
# list references objects
Get-WmiObject -Query "References of {Win32_NetworkAdapter.DeviceID=0}"
# list references class list only
Get-WmiObject -Query "References of {Win32_NetworkAdapter.DeviceID=0} where ClassDefsOnly"
WMI Clients
wmic
Windows command-line utility by Microsoft to manage WMI.
wmic has been deprecated.
Might not be monitored by the Blue Team.
# For interactive wmic session
wmic
# List help from interactive session
wmic:root\cli> /?
# list help about an alias (e.g. process)
wmic:root\cli>process /?
# non interactive use
wmic process /?
Other Clients:
Sapient WMI explorer
WMI Code Generator by Microsoft
WMIGen.exe
Wbemtest.exe
Powershell WMI Browser
.NET System.Management classes
Remote Computers
WMI
Uses DCOM on port 135 to establish the connection (served by the Winmgmt service by default).
Admin privileges are needed to access WMI on remote machines.
Supports the -ComputerName parameter.
Not firewall and NAT friendly.
Data exchange is done on dynamic RPC ports. The port range can be configured under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet.
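Added example (not from the original notes): a CIM session helper that tries WS-MAN (WinRM) first and falls back to DCOM, matching the "CIM works when WMI is blocked but WinRM is enabled" point above, plus a check of the RPC port-range values under the registry key just mentioned so a defender can see which dynamic ports the host is actually pinned to. The host name is a placeholder.

```powershell
# Added example: connect over WS-MAN, fall back to DCOM (TCP 135 + dynamic
# RPC ports), and read the RPC dynamic-port policy from the registry.
function New-WmiOrCimSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($protocol in 'Wsman', 'Dcom') {
        try {
            $opt = New-CimSessionOption -Protocol $protocol
            $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
            Write-Verbose "Connected to $ComputerName over $protocol"
            return $session
        } catch {
            Write-Warning "$protocol to $ComputerName failed: $($_.Exception.Message)"
        }
    }
}

function Get-RpcPortPolicy {
    # Values under HKLM\Software\Microsoft\Rpc\Internet: Ports (multi-string
    # range such as 5000-5100), PortsInternetAvailable and UseInternetPorts
    # (both "Y" when the range applies). No key means the OS default range.
    $key = 'HKLM:\Software\Microsoft\Rpc\Internet'
    $winmgmt = Get-Service -Name Winmgmt
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ WinmgmtStatus = $winmgmt.Status; PortRangeConfigured = $false; Ports = $null }
    }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        WinmgmtStatus          = $winmgmt.Status
        PortRangeConfigured    = $true
        Ports                  = ($v.Ports -join ', ')
        PortsInternetAvailable = $v.PortsInternetAvailable
        UseInternetPorts       = $v.UseInternetPorts
    }
}

$s = New-WmiOrCimSession -ComputerName 'SERVER01' -Verbose   # placeholder host
if ($s) {
    Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem | Select-Object CSName, Caption
    Remove-CimSession $s
}
Get-RpcPortPolicy
```

DCOM fallback needs TCP 135 plus the reported dynamic range open on the target's firewall; if only WinRM (TCP 5985/5986) is allowed, the WS-MAN attempt is the one that will succeed.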