
Wmic (24f3b066-a533-4b6c-a590-313a67154ba0)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI.

Author: Oddvar Moe

Paths:

* C:\Windows\System32\wbem\wmic.exe
* C:\Windows\SysWOW64\wbem\wmic.exe

Resources:

* https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
* https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
* https://twitter.com/subTee/status/986234811944648707

Detection:

* Sigma: image_load_wmic_remote_xsl_scripting_dlls.yml
* Sigma: proc_creation_win_wmic_xsl_script_processing.yml
* Sigma: proc_creation_win_wmic_squiblytwo_bypass.yml
* Sigma: proc_creation_win_wmic_eventconsumer_creation.yml
* Elastic: defense_evasion_suspicious_wmi_script.toml
* Elastic: persistence_via_windows_management_instrumentation_event_subscription.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: xsl_script_execution_with_wmic.yml
* Splunk: remote_wmi_command_attempt.yml
* Splunk: remote_process_instantiation_via_wmi.yml
* Splunk: process_execution_via_wmi.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Wmic retrieving scripts from remote system/Internet location
* IOC: DotNet CLR libraries loaded into wmic.exe
* IOC: DotNet CLR Usage Log - wmic.exe.log

[LOLBAS Wmic]

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Magic Hound (7a9d653c-8812-4b96-81d1-b0a27ca918b4) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Chimera (ca93af75-0ffa-4df4-b86a-92d4d50e496e) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Phobos Ransomware Actors (f138c814-48c0-4638-a4d6-edc48e7ac23a) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Quantum Ransomware Actors (e75a1b98-be68-467f-a8df-bcb7671543b3) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | Hive Ransomware Actors (05cd82bb-f8fc-40f3-83ba-1586ef953d05) | Tidal Groups | 1 |
| INC Ransom (8957f42d-a069-542b-bce6-3059a2fa0f2e) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| INC Ransomware Actors (Deprecated) (2cc28cf9-d030-4609-acdc-0b0429580bb4) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Blue Mockingbird (b82c6ed1-c74a-4128-8b4d-18d1e17e1134) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Volt Typhoon (4ea1245f-3f35-5168-bd10-1fc49142fd4e) | Tidal Groups | Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | 1 |
| Wmic (24f3b066-a533-4b6c-a590-313a67154ba0) | Tidal Software | Indrik Spider (3c7ad595-1940-40fc-b9ca-3e649c1e5d87) | Tidal Groups | 1 |