WMIC

Microsoft

Windows Management Instrumentation command-line — query host data for live IR.

Endpoint Analysis Built-in OS CLI Learning Windows

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

WMIC (wmic.exe) is the legacy CLI front-end to Windows Management Instrumentation (WMI). Although Microsoft has deprecated it in modern Windows, it is still present on many hosts and shows up in many CySA+ scenarios.

It is also a heavily abused living-off-the-land binary (LOLBin) — attackers use WMI for lateral movement, persistence (event subscriptions), and reconnaissance, so analysts must be able to read WMI command lines from logs.

Replacement: PowerShell Get-CimInstance.

Use cases

  • Live IR enumeration of processes, services, drives
  • Detecting WMI-based persistence and lateral movement
  • Quick remote queries (WMIC /node:host)

Example

wmic process list full /format:list
wmic service get name,startmode,pathname,startname
wmic /node:"WS-01" computersystem get model,manufacturer
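Added example, not part of the original page: a small Python triage script that reads constructed process-creation log lines and tags each wmic.exe command line with the indicators the description above calls out (remote /node: targets, remote process creation, the root\subscription persistence namespace, local enumeration), then ranks them. The log line format, host names and user names are assumptions; the first two sample commands are the ones listed above.

```python
import re
from typing import NamedTuple

# Constructed sample process-creation events (not real telemetry), one per line:
# "<timestamp> <host> <user> CommandLine=<command line>"
SAMPLE_LOG = r"""
2024-05-01T09:12:03Z WS-01 CORP\analyst CommandLine=wmic process list full /format:list
2024-05-01T09:14:40Z WS-01 CORP\analyst CommandLine=wmic service get name,startmode,pathname,startname
2024-05-01T10:02:11Z WS-01 CORP\svc_build CommandLine=wmic /node:"WS-02" process call create "notepad.exe"
2024-05-01T10:05:27Z WS-03 CORP\jdoe CommandLine=wmic /namespace:\\root\subscription path __EventFilter create Name="EXAMPLE_FILTER"
2024-05-01T11:30:00Z WS-01 CORP\analyst CommandLine=powershell.exe -c Get-CimInstance Win32_Process
"""

# Indicators worth tagging in a WMIC command line, reported in this order.
RULES = [
    ("remote_target", re.compile(r"/node:", re.I)),                          # acts on another host
    ("remote_exec", re.compile(r"\bprocess\s+call\s+create\b", re.I)),      # spawns a process through WMI
    ("subscription_persistence", re.compile(r"root\\+subscription", re.I)),  # permanent event subscription namespace
    ("recon", re.compile(r"\b(process|service|useraccount|computersystem|qfe|product)\b.*\b(get|list)\b", re.I)),
]
WMIC_RX = re.compile(r"^(?:.*\\)?wmic(?:\.exe)?\b", re.I)   # bare name or full path to wmic.exe
LINE_RX = re.compile(r"^(\S+) (\S+) (\S+) CommandLine=(.*)$")

class Finding(NamedTuple):
    host: str
    user: str
    tags: tuple
    cmdline: str

def severity(tags: tuple) -> str:
    """Persistence or remote execution is high, remote queries medium, local enumeration low."""
    if "subscription_persistence" in tags or "remote_exec" in tags:
        return "high"
    if "remote_target" in tags:
        return "medium"
    return "low" if tags else "info"

def analyze(log_text: str) -> list:
    """Return one Finding per WMIC invocation in the log, tagged with the indicators it matches."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line.strip())
        if not m:
            continue                      # blank or malformed line
        _ts, host, user, cmd = m.groups()
        if not WMIC_RX.match(cmd):
            continue                      # only wmic.exe is in scope; other tools are ignored
        tags = tuple(name for name, rx in RULES if rx.search(cmd))
        findings.append(Finding(host, user, tags, cmd))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields four findings: the two local enumeration commands rank low, the /node: process creation and the root\subscription write rank high, and the Get-CimInstance line is ignored because it is not wmic.exe.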