Update Wmic.yml (#355)

Avihay Eldad 2024-09-15 19:31:17 +03:00 committed by GitHub
parent 9ee5548623
commit 9b1a98794b


@ -41,6 +41,13 @@ Commands:
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
- Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe"
Description: Copy file from source to destination.
Usecase: Copy file.
Category: Copy
Privileges: User
MitreID: T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\wbem\wmic.exe
- Path: C:\Windows\SysWOW64\wbem\wmic.exe
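Review bot: the new Copy entry's Usecase ("Copy file.") restates the Description ("Copy file from source to destination.") and neither says what makes this copy worth cataloguing; suggest the Usecase state the notable property, namely that the copy is carried out through WMI by a signed system binary, so the resulting file write is performed by the WMI provider host rather than by the invoking process (which is also what the new "wmiprvse.exe writing files" IOC in the Detection section relies on). Also worth a second look is MitreID T1105 (Ingress Tool Transfer) for a command that, as written, copies between two local paths (`C:\\windows\\system32\\calc.exe` to `C:\\users\\public\\calc.exe`) rather than bringing a file in from a remote source.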
@ -60,6 +67,7 @@ Detection:
- IOC: Wmic retrieving scripts from remote system/Internet location
- IOC: DotNet CLR libraries loaded into wmic.exe
- IOC: DotNet CLR Usage Log - wmic.exe.log
- IOC: wmiprvse.exe writing files
Resources:
- Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
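Review bot: the added IOC "wmiprvse.exe writing files" is broad as written and will match legitimate provider activity, so it is hard to act on by itself; suggest scoping it to what this entry actually produces, for example wmiprvse.exe creating a file with an executable extension, or a copy of an existing system binary, under a user-writable location such as the `C:\users\public` destination used in the new Command.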
@ -67,3 +75,5 @@ Resources:
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Avihay Eldad
Handle: '@AvihayEldad'