.. /Register-cimprovider.exe
Star

Used to register new wmi providers

Paths:

C:\Windows\System32\Register-cimprovider.exe
C:\Windows\SysWOW64\Register-cimprovider.exe

Resources:

https://twitter.com/PhilipTsukerman/status/992021361106268161

Acknowledgements:

Philip Tsukerman (@PhilipTsukerman)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/35a7244c62820fbc5a832e50b1e224ac3a1935da/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml
IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious

Execute

Load the target .DLL.
```
Register-cimprovider -path "C:\folder\evil.dll"
```
Use case
Execute code within dll file

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218

Tags
Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).