WMIC Commands Used By Malware 

Malware doesn’t need fancy tools to be dangerous. Sometimes, all it takes is WMIC, a quiet, native utility that’s still doing damage.  

In the past weeks, we’ve seen a consistent pattern in some ANY.RUN sandbox sessions: malware keeps reaching for WMIC to do its dirty work.  

Let’s take a closer look at five WMIC command categories that cybercriminals still rely on today, and why they matter for defenders. 


If you’re monitoring threats, investigating suspicious behavior, or just want to understand how malware operates from the inside out, this is where you start. 

What Is WMIC? 

WMIC (Windows Management Instrumentation Command-line) is a built-in Windows tool that lets users, and attackers, interact with system components through WMI. It can query hardware and OS information, change settings, start and stop processes, uninstall programs, and more. Microsoft deprecated WMIC starting with Windows 10 21H1 and no longer installs it by default on recent Windows 11 builds, but it is still present on the large installed base of older systems. Keep in mind that WMIC is only a front end: the same WMI classes and methods are reachable from PowerShell (Get-CimInstance, Invoke-CimMethod) and directly through COM, so blocking wmic.exe alone does not remove the capability. 

It was originally designed for administrators, but attackers like it because: 

  • It’s pre-installed on most Windows systems 
  • It’s a signed Microsoft binary, so on its own it rarely trips allow-listing or reputation-based controls 
  • It can be called from a batch file, a script, or a dropper with a single command line, with no extra tooling to drop on disk 

Let’s break down the WMIC commands most commonly seen in malware samples. 

1. System Profiling: How Malware “Scans the Room” First 

Before malware makes its next move, it usually takes a moment to understand where it’s landed. Is it running on a real machine or a virtual one? What’s the operating system? What hardware is present? 

This stage is called system profiling, and attackers use it to: 

  • Avoid detection (like sandboxes or analysis tools) 
  • Tailor attacks based on the system setup 
  • Ensure persistence only on valuable or exploitable machines 

One of the easiest ways to gather this information is using the WMIC command-line tool built into Windows. 

Attackers run commands like: 

  • wmic os get locale: Returns the OS locale as a hexadecimal LCID (e.g., 0409 for en-US, 0419 for ru-RU), not as a language tag. Some malware refuses to run when the locale maps to certain countries, both to stay out of the authors’ home jurisdiction and to stay under the radar. 
  • wmic csproduct get uuid: Returns the SMBIOS system UUID from Win32_ComputerSystemProduct. Samples use it as a stable victim identifier and as a virtualization hint, because hypervisors often hand out recognizable or placeholder UUIDs. 
  • wmic os get Caption: Returns the OS edition (e.g., Microsoft Windows 10 Pro), which helps decide whether the system is a viable target and which payload to deliver. 
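The checks above are only as good as the sample’s handling of WMIC’s output, which is column-aligned, padded with spaces, and terminated with CR CR LF rather than a plain newline. The following added example (not code from the article or from ANY.RUN) parses both the default table layout and the /format:list layout, decodes the hex LCID, and applies the kind of geofence and placeholder-UUID test described above. The sample outputs, the partial LCID table, and the blocked-locale list are constructed for illustration.

```python
"""Parse WMIC console output and apply the profiling checks described above.

WMIC prints a column-aligned table by default, or KEY=VALUE lines with
/format:list, and terminates every line with CR CR LF. The sample outputs
below are constructed for this example; the locale and UUID checks are
illustrative stand-ins for what a sample does with the answers.
"""
import re
from typing import Dict, List


def _lines(raw: str) -> List[str]:
    """Normalise WMIC's CR CR LF line endings and drop blank lines."""
    return [ln.rstrip() for ln in raw.replace("\r", "").split("\n") if ln.strip()]


def parse_wmic_table(raw: str) -> List[Dict[str, str]]:
    """Parse default WMIC table output (e.g. `wmic os get locale,caption`).

    Column boundaries are the start offsets of the header names; WMIC pads
    each column with spaces and sorts requested properties alphabetically.
    """
    lines = _lines(raw)
    if not lines:
        return []
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    ends = starts[1:] + [None]
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    return [
        {name: ln[s:e].strip() for name, s, e in zip(names, starts, ends)}
        for ln in lines[1:]
    ]


def parse_wmic_list(raw: str) -> List[Dict[str, str]]:
    """Parse `/format:list` output: KEY=VALUE per line, records separated by blank lines."""
    records, current = [], {}
    for ln in raw.replace("\r", "").split("\n"):
        key, sep, value = ln.partition("=")
        if sep:
            current[key.strip()] = value.strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


# Partial LCID table (hex, as Win32_OperatingSystem.Locale is printed). Only a few
# well-known codes; a real sample or detector would carry the full table.
LCID_NAMES = {
    "0409": "en-US", "0407": "de-DE", "040C": "fr-FR",
    "0419": "ru-RU", "0422": "uk-UA", "0804": "zh-CN",
}


def decode_locale(lcid_hex: str) -> str:
    code = lcid_hex.strip().upper().zfill(4)
    return LCID_NAMES.get(code, f"unknown-{code}")


# Assumed geofence list, for illustration only: locales a hypothetical sample refuses to run on.
BLOCKED_LOCALES = ("ru-RU", "uk-UA")


def geofence_blocked(lcid_hex: str) -> bool:
    return decode_locale(lcid_hex) in BLOCKED_LOCALES


def uuid_is_placeholder(uuid: str) -> bool:
    """All-zero / all-F (or malformed) SMBIOS UUIDs are firmware placeholders; some
    samples treat them as a hint of a VM or a stripped-down analysis image (heuristic)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", uuid).upper()
    return len(digits) != 32 or len(set(digits)) == 1


def profile(os_table: str, csproduct_list: str) -> Dict[str, object]:
    """What a sample learns from `wmic os get locale,caption` and
    `wmic csproduct get uuid /format:list`."""
    os_row = parse_wmic_table(os_table)[0]
    uuid = parse_wmic_list(csproduct_list)[0]["UUID"]
    return {
        "caption": os_row["Caption"],
        "locale": decode_locale(os_row["Locale"]),
        "geofenced": geofence_blocked(os_row["Locale"]),
        "uuid": uuid,
        "uuid_placeholder": uuid_is_placeholder(uuid),
    }


# Constructed sample output (not captured from a real host).
SAMPLE_OS_TABLE = (
    "Caption".ljust(26) + "Locale  \r\r\n"
    + "Microsoft Windows 10 Pro".ljust(26) + "0409    \r\r\n"
    + "\r\r\n"
)
SAMPLE_CSPRODUCT_LIST = "\r\r\nUUID=4C4C4544-0050-3710-8059-B3C04F4E5631\r\r\n\r\r\n"

if __name__ == "__main__":
    print(profile(SAMPLE_OS_TABLE, SAMPLE_CSPRODUCT_LIST))
```

The CR CR LF handling matters in practice: a naive splitlines() leaves stray carriage returns in every field, which is one reason analysts see “0409\r” in sandbox string dumps. When WMIC output is redirected to a file it is also written as UTF-16LE, so a parser reading from disk has to decode it first.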

These commands might seem small, but they’re a major clue during early infection. In fact, in a recent ANY.RUN sandbox session, we saw the Trox malware use wmic csproduct get uuid right after launch. 

Take a look at the Trox session here

In the Process Tree, you’ll notice WMIC.exe being executed. The exact command used here is wmic csproduct get uuid: 

wmic csproduct get uuid command detected by ANY.RUN sandbox 

Inside the sandbox, we also see the warnings triggered under two MITRE ATT&CK techniques: 

  • T1047 – Windows Management Instrumentation 
  • T1082 – System Information Discovery 

ANY.RUN flags these behaviors in real time, letting analysts quickly see that this sample is probing the environment, often a sign that malware is trying to avoid sandboxes or tailor its behavior. 

See every command, understand attacker behavior in real time, and stop threats before they spread -> Try ANY.RUN now 

System profiling is usually step one in an attack. If you catch it early, you can stop malware before it begins exfiltrating data, encrypting files, or digging deeper into the network. 

Tools like WMIC might be old, but they’re still incredibly useful for both sysadmins and threat actors. With ANY.RUN, spotting these behaviors is easy and instant. 

2. KMS Activation & System Info Collection: When Malware Masquerades As Software Installers 

In this case, malware behaves like a software activator. Think of tools that activate Microsoft products without a valid license; these are often abused by malware to either: 

  • Appear legitimate by mimicking normal activation behavior 
  • Or, more importantly, to query licensing and system info under the radar 

This trick is commonly seen in malware hidden inside third-party activators or cracked software installers. They may actually perform activation-related functions, but they often do much more behind the scenes. 

A typical command looks like: 

wmic path SoftwareLicensingService call InstallProductKey ProductKey=<key> 

(The method takes a ProductKey argument; the key itself is omitted here.) This installs a product key on the system, a routine action when a legitimate activation script does it. But in the hands of malware, it can serve several stealthy purposes: 

  • Blend in with legitimate software: The activity mimics what users expect from a cracked program or a third-party activator. 
  • Test system privileges: InstallProductKey requires administrative rights, so its success or failure tells the sample whether it is running elevated. 
  • Fingerprint the system: The companion SoftwareLicensingProduct class (LicenseStatus, ApplicationID, PartialProductKey) describes the installed edition and activation state, which helps profile the host and tell a fresh victim from one the same tool has already touched. 

You may also see: 

wmic path SoftwareLicensingService call RefreshLicenseStatus 

This command forces a license state refresh, another behavior that can either reinforce the disguise or quietly collect status data. 

In a recent ANY.RUN sandbox session, we observed multiple WMIC.exe processes tied to activation-related commands, clearly not part of any normal system workflow. 

Take a look at this task log: 

Multiple WMIC commands being executed 

In this sandbox analysis session, you’ll notice: 

  • Repeated use of the SoftwareLicensingProduct and SoftwareLicensingService paths 
  • Calls to both InstallProductKey and RefreshLicenseStatus 
  • A hardcoded ApplicationID, reused across multiple commands, suggesting automation 

In the process timeline, these commands are scattered across short intervals, pointing to a scripted or stealthy attempt to simulate activation behavior. 

3. AV Evasion: Hiding In Plain Sight 

Some malware doesn’t try to disable antivirus software, it just steps around it. One of the easiest ways to do that is adding itself to the list of files that won’t be scanned. 

This tactic is known as AV evasion, and it’s surprisingly effective. Malware doesn’t need to kill the antivirus process or tamper with system files.

Instead, it quietly tells Windows Defender to ignore certain folders or paths, allowing the malicious files to run freely. 

Here’s the WMIC command used for this behavior: 

wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\" 

This command tells Windows Defender to exclude the entire C:\ drive from scans. It needs local administrator rights, which is why it usually shows up after a privilege-escalation or UAC-bypass step. 

Yes, the whole system is now off-limits for real-time protection. 

Attackers may target specific folders too, like: 

wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public" 

The same Add method also accepts ExclusionProcess and ExclusionExtension arguments. Once a path is excluded, Defender simply never looks at it, so detection falls to other telemetry: process-creation logging, EDR behavioral rules, or the network. 

In this sandbox session with AsyncRat, we saw this exact command used early in the execution chain. 

View sandbox session with AsyncRat 

WMIC command detected by ANY.RUN sandbox 

Here’s what stands out in the ANY.RUN analysis: 

Command line exposed by ANY.RUN sandbox 
  • WMIC.exe is executed with a long namespace path to Microsoft Defender 
  • The command adds C:\ as an exclusion path 
  • No alert fires by default, although Defender itself records the change as Event ID 5007 (“The antimalware platform configuration changed”) in its operational log, a useful hunting source; the ANY.RUN sandbox catches the behavior directly. 

The sandbox links the command line to MITRE technique T1012 – Query Registry, since Defender stores its preferences in the registry under the hood. The more specific mapping for adding an exclusion is T1562.001 – Impair Defenses: Disable or Modify Tools. 

Command line linked to T1012 – Query Registry 

This tactic doesn’t involve malware rewriting system files or crashing antivirus, it simply asks Defender not to look, and Defender obeys. 

It’s subtle. It’s quiet. And without behavioral analysis, it’s easy to miss. But in ANY.RUN’s sandbox, this move gets picked up instantly: 

  • The command line shows the exact exclusion added 
  • The process tree maps where and when it happened 
  • You can tie it to known malware behaviors like AsyncRat and link it to the attacker’s broader intent 

4. Shadow Copy Deletion: Burning The Recovery Bridge 

Once malware has encrypted your files or taken control of your system, it doesn’t want you undoing the damage. That’s where shadow copy deletion is used. 

Shadow copies are point-in-time volume snapshots created by the Volume Shadow Copy Service; System Restore and the Previous Versions feature are built on them. They’re often your last chance to restore files after a ransomware attack. So, naturally, attackers wipe them out first. 

Some commonly seen commands for this purpose are: 

  • bcdedit /set {default} recoveryenabled no: Disables the Windows Recovery Environment, preventing the system from launching recovery tools during startup. (bcdedit is a separate built-in tool, not a WMIC alias, but it appears alongside the WMIC commands in the same scripts.) 
  • vssadmin delete shadows /all /quiet: Silently deletes all existing shadow copies. 
  • wmic shadowcopy delete: Another route to the same snapshots, through WMI’s Win32_ShadowCopy class; /nointeractive is often appended so WMIC does not prompt for confirmation on each instance. 

By combining these, attackers make sure the victim can’t recover files without paying. 

In this ANY.RUN sandbox session, the malware (identified as Chaos) ran the command wmic shadowcopy delete to block recovery. 

wmic shadowcopy delete command detected by ANY.RUN sandbox 

Here’s what you’ll see inside the sandbox: 

  • WMIC.exe executes wmic shadowcopy delete, removing every existing shadow copy on the system 
  • The Process Tree clearly shows the execution order 
  • The behavior aligns with ransomware tactics, removing the user’s ability to recover files without backups 

By deleting shadow copies and disabling recovery tools, attackers increase the pressure on victims to pay the ransom.

These are destructive but subtle changes that don’t always trigger alarms, especially when done using built-in tools like WMIC. 

5. Uninstall / Persistence Removal: Cutting Off The Traces 

Not all malware wants to stick around forever. In some cases, attackers deliberately clean up after themselves, especially when their goal is a quick hit: run a payload, exfiltrate some data, and disappear without a trace. 

Other times, they use WMIC to terminate rival processes, disable competing malware, or kill security tools. This is part of what’s known as persistence removal or post-exploitation cleanup. 

Here are some of the most straightforward WMIC commands used for this. The general form is: 

wmic process where <filter> call terminate 

This attempts to terminate every running process that matches the filter, as long as the caller has permission to kill it (with no filter at all, WMIC walks every process on the box, prompting per instance in interactive mode). Malware might use this to: 

  • Shut down security monitoring tools 
  • Disable other malware or competing software 
  • Kill its own processes after completing a task 

The filter is a WQL WHERE clause that can match on name, ProcessId, ExecutablePath, or CommandLine. For example: 

wmic process where "name='svchost.exe'" call terminate 

Because a name filter matches every instance, the command above would hit every svchost.exe on the host; in practice samples narrow it, for instance with ExecutablePath, to the one process they care about. 

For instance, in this sandbox session, malware used WMIC to issue a termination command targeting a suspicious file located in the Public directory. 

Take a look at the detection:  View analysis session 

Process termination command in ANY.RUN sandbox 
  • The process path includes C:\Users\Public\Program Files\svchost.exe, which is not a legitimate location for svchost.exe 
  • The command was executed via WMIC.exe, using a process filter 
  • ANY.RUN flagged this with a warning: “Likely accesses (executes) a file from the Public directory” 

This is a strong sign that the malware either launched a payload from an unusual location and is now terminating it to cover its tracks, or is targeting a competing process or tool running from that same path. 
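The five categories above all leave the same kind of evidence: a wmic.exe process-creation event with a telling command line. The following added example (not code from the article or from ANY.RUN) shows detection logic a blue team could run over such command lines, normalising the WMIC syntax and classifying each invocation into the profiling, licensing, Defender-exclusion, shadow-copy-deletion, and process-termination categories discussed in sections 1 through 5, with an ATT&CK mapping and a severity. The event lines are constructed, and the list of security-tool process names is an illustrative assumption.

```python
"""Triage WMIC command lines from process-creation telemetry (Sysmon Event ID 1,
Security 4688) into the categories discussed on this page.

Added example; the event lines below are constructed, and the list of security
tool names is an illustrative assumption, not a vendor-complete one.
"""
import re
from typing import Dict, List, Tuple

# Assumed names of security tooling a sample might try to terminate (illustrative).
SECURITY_TOOLS = ("msmpeng.exe", "mssense.exe", "sysmon", "csfalconservice")

# WMIC aliases whose `get` output is classic system profiling (Section 1).
PROFILING_ALIASES = ("os", "csproduct", "computersystem", "bios", "cpu",
                     "diskdrive", "logicaldisk", "nic")


def _split_image(cmdline: str) -> Tuple[str, str]:
    """Return (lower-cased image basename, remaining arguments), honouring a quoted image path."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        image_path, rest = (s[1:end], s[end + 1:]) if end != -1 else (s[1:], "")
    else:
        parts = s.split(None, 1)
        image_path, rest = (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")
    return image_path.lower().rsplit("\\", 1)[-1], rest


def classify(cmdline: str) -> Dict[str, object]:
    result = {"wmic": False, "category": None, "technique": None, "detail": None, "severity": "none"}
    image, args = _split_image(cmdline)
    if image not in ("wmic", "wmic.exe"):
        return result
    result["wmic"] = True
    norm = re.sub(r"\s+", " ", args).strip().lower()

    # Section 3: MSFT_MpPreference.Add in root\Microsoft\Windows\Defender.
    if "msft_mppreference" in norm and "call add" in norm:
        targets = [v.strip('"') for _, v in
                   re.findall(r'exclusion(path|process|extension)=("[^"]*"|\S+)', norm)]
        whole_drive = any(re.fullmatch(r"[a-z]:\\?", t) for t in targets)
        result.update(category="defender_exclusion", technique="T1562.001",
                      detail=targets, severity="high" if whole_drive else "medium")
        return result

    # Section 4: Win32_ShadowCopy deletion.
    if re.search(r"\bshadowcopy\b.*\bdelete\b", norm):
        result.update(category="inhibit_recovery", technique="T1490", severity="high")
        return result

    # Section 5: Win32_Process.Terminate with a WQL filter.
    m = re.search(r'\bprocess where ("[^"]*"|\S+) call terminate\b', norm)
    if m:
        flt = m.group(1).strip('"')
        hits_security_tool = any(t in flt for t in SECURITY_TOOLS)
        odd_location = re.search(r"\\+users\\+public", flt) is not None  # WQL doubles backslashes
        result.update(category="process_termination",
                      technique="T1562.001" if hits_security_tool else "T1047",
                      detail=flt,
                      severity="high" if (hits_security_tool or odd_location) else "medium")
        return result

    # Section 2: licensing classes used by activators and their imitators.
    if re.search(r"\bsoftwarelicensing(service|product)\b", norm):
        result.update(category="licensing_activity", technique="T1047", severity="low")
        return result

    # Section 1: discovery via a WMIC alias or an explicit Win32_* class.
    if re.match(r"(%s) get\b" % "|".join(PROFILING_ALIASES), norm) or \
            re.search(r"\bpath win32_\w+ get\b", norm):
        result.update(category="system_profiling", technique="T1082", detail=norm, severity="low")
        return result

    result.update(category="other", technique="T1047", severity="low")
    return result


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Classify each line, keep only WMIC invocations, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [dict(cmdline=c, **classify(c)) for c in cmdlines]
    hits = [h for h in hits if h["wmic"]]
    return sorted(hits, key=lambda h: order[h["severity"]])


# Constructed process-creation command lines (not from a real incident).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\wbem\WMIC.exe" csproduct get uuid',
    "wmic  os get locale,caption",
    r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\"',
    "wmic shadowcopy delete /nointeractive",
    "wmic process where \"name='svchost.exe'\" call terminate",
    "wmic process where \"ExecutablePath='C:\\\\Users\\\\Public\\\\Program Files\\\\svchost.exe'\" call terminate",
    "wmic path SoftwareLicensingService call RefreshLicenseStatus",
    r'"C:\Program Files\Vendor\tool.exe" /quiet',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["severity"]:6} {hit["technique"]:10} {hit["category"]:20} {hit["cmdline"]}')
```

Two caveats for anyone turning this into a real rule. The image-name check is defeated by a renamed copy of wmic.exe, so key on Sysmon’s OriginalFileName (wmic.exe) rather than the path in production. And because WMIC is only a front end, the same actions issued through PowerShell’s CIM cmdlets or raw COM never appear as a wmic.exe process; those need their own coverage.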

Why Catching WMIC Activity Early Can Save You from Bigger Damage 

If there’s one thing these five command categories reveal, it’s this: WMIC is still a go-to tool for malware, and it’s often used in the earliest stages of an attack. 

From system profiling and antivirus evasion to deleting backups and terminating processes, these WMIC commands may look small on their own, but together they form a blueprint for how attackers: 

  • Stay hidden 
  • Disable defenses 
  • Lock down systems 
  • And make recovery nearly impossible 

That’s why real-time visibility into WMIC activity is important. 

How ANY.RUN Helps You Stay Ahead of WMIC-Based Threats 

ANY.RUN’s interactive sandbox makes it easy to detect and understand how malware uses WMIC. Here’s how it works in your favor: 

  • See every WMIC command executed: Full command-line visibility, including arguments and execution time. 
  • Catch stealthy behaviors instantly: From Defender exclusions to shadow copy deletions, ANY.RUN flags actions that AV tools often miss. 
  • Visualize process relationships: The process tree shows exactly when and where WMIC is called and what it triggers next. 
  • Map to MITRE ATT&CK: Behaviors are automatically linked to ATT&CK techniques like T1082 (System Info Discovery) and T1490 (Inhibit System Recovery). 
  • Collaborate faster: Share live sessions, generate reports, and coordinate with your team in real time. 
  • Reduce investigation time: See behavior unfold live instead of digging through logs post-infection. 

Whether you’re part of a blue team, threat intel group, or an incident response team, ANY.RUN helps you move from “What happened?” to “Here’s exactly what the malware did” in minutes, instead of hours. 

Don’t Let Silent Commands Turn Into Full-Blown Incidents 

Built-in tools like WMIC might seem harmless but in the wrong hands, they’re the quiet start of something much worse. 

With real-time visibility into command-line activity, process behavior, and post-exploitation tactics, you can catch these threats before they become ransomware events or full system compromises. 

Start your 14-day trial of ANY.RUN and see exactly how malicious processes unfold live, in an interactive sandbox. 

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.