Register-CimProvider.exe
- File Path: C:\windows\system32\Register-CimProvider.exe
- Description: WMI
Hashes
Type | Hash |
---|---|
MD5 | 99F2485F0AA3BC7CFD417A63786CA234 |
SHA1 | 00DEB3C56DB95B5EDD8CD3A6466B5CF25638798C |
SHA256 | 31F86C733174CF69AF7430CC4E09D833BA531B87AC9FED6B9CDB0736C68483FF |
SHA384 | E0EA9A19CDB3E0E4B1B61171DC523DE95ED03A66DC479FA66AC8CBB7D1B9E22AB4C6A55C21126320A438A87A53635BAF |
SHA512 | EE45B7A320CFCD21E6AD27B5BC3DAC8E89A8774898B2886E1B5C777130780031AC4A4F88C5C39BE829BDBCFD1F9294995F4A6A334BEC750F1DAD342A4AAFE719 |
SSDEEP | 384:JnT3JsHVzYJsVVwJ6GtMIrWdi8FteoWABWfiilhxfW81Wu:PAzYJsXAMIrRmtexAEfiilhxHZ |
Signature
- Status: The file C:\windows\system32\Register-CimProvider.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: Register-CimProvider2.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of Register-CimProvider.exe being misused. While Register-CimProvider.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_register_cimprovider.yml | title: DLL Execution Via Register-cimprovider.exe | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | description: Detects using register-cimprovider.exe to execute arbitrary dll file. | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md | DRL 1.0 |
sigma | proc_creation_win_susp_register_cimprovider.yml | Image\|endswith: '\register-cimprovider.exe' | DRL 1.0 |
LOLBAS | Register-cimprovider.yml | Name: Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - Command: Register-cimprovider -path "C:\folder\evil.dll" | |
LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\System32\Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - Path: C:\Windows\SysWOW64\Register-cimprovider.exe | |
LOLBAS | Register-cimprovider.yml | - IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious | |
atomic-red-team | index.md | - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | - Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | ## Atomic Test #3 - Register-CimProvider - Execute evil dll | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.