Endpoint Analysis using Windows tool - wmic

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It can automate administrative tasks on remote computers, and the ability to obtain management data from remote computers is what makes WMI so useful. You can do this from the command line with the WMI command-line utility (wmic).

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero, and relying on the features built into Windows rather than dropping additional tools can make the investigation easier and faster.

From an attacker's perspective, the same tool lets them triage inside the organization, which gives them two advantages: (1) their activity mimics routine administrative tasks, lowering the chance of detection; (2) no additional tools need to be dropped onto the host, again lowering the chance of detection. This is part of the "living off the land" technique, which buys them time to triage inside the compromised organization without making too much noise.

We can use WMI to query the installed services by running the following syntax: wmic service get name, state, startmode, pathname
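The query above prints a table for a human to read. When triaging many hosts, a responder usually collects the same data with wmic's /format:csv switch (optionally against a remote machine with /node:HOST) and reviews it programmatically. The following is an added example, not part of the original article: a small Python script that parses wmic's CSV output for the service class and flags two things a responder looks for first, a service binary living outside the Windows or Program Files directories and an unquoted service path that contains spaces. The host name WS01, the service names and the paths in the sample are constructed for this example; the output layout (leading blank line, a Node column, requested columns listed alphabetically) is how wmic formats CSV.

```python
import csv

# Constructed sample of what
#   wmic /node:WS01 /format:csv service get name,pathname,startmode,state
# prints. wmic emits a leading blank line, adds a Node column and lists the
# requested columns in alphabetical order. Real output is UTF-16 with CRLF
# line endings and would be decoded before reaching parse_wmic_csv(); the host
# name, service names and paths below are made up for this example.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode,State
WS01,Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,Auto,Running
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto,Running
WS01,UpdaterSvc,C:\Users\Public\updater.exe,Auto,Running
WS01,BackupAgent,C:\Program Files\Backup Agent\agent.exe -service,Auto,Stopped
"""

# Directories a service binary normally lives under on a default Windows
# layout; a service started from anywhere else deserves a closer look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_wmic_csv(text):
    """Turn wmic /format:csv output into a list of row dicts keyed by column name."""
    # wmic starts its CSV output with an empty line; csv.DictReader wants the header first.
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(lines))


def executable_path(pathname):
    """Extract the executable from a service PathName, dropping its arguments.

    A quoted path ends at the closing quote. An unquoted path is assumed to end
    at the first '.exe' (case-insensitive), or at the first space if none is found.
    """
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end] if end > 0 else pathname[1:]
    idx = pathname.lower().find(".exe")
    if idx >= 0:
        return pathname[: idx + 4]
    return pathname.split(" ", 1)[0]


def review_service(row):
    """Return the list of findings for one service row (empty means nothing notable)."""
    findings = []
    exe = executable_path(row["PathName"])
    if not exe.lower().startswith(TRUSTED_PREFIXES):
        findings.append("binary outside Windows or Program Files")
    # An unquoted path with spaces is a classic service misconfiguration worth fixing.
    if not row["PathName"].strip().startswith('"') and " " in exe:
        findings.append("unquoted service path contains spaces")
    return findings


def triage(text):
    """Map service name -> findings for every service that has at least one finding."""
    results = {}
    for row in parse_wmic_csv(text):
        findings = review_service(row)
        if findings:
            results[row["Name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_WMIC_CSV).items():
        print(f"{name}: {'; '.join(findings)}")
```

On the constructed sample the script reports UpdaterSvc (started from C:\Users\Public) and BackupAgent (unquoted path with spaces) and stays silent on the two services running from System32. Because wmic's CSV does not quote fields, a PathName that itself contains a comma would shift the columns; the /format:list output is the safer choice for such hosts.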