
WMI - Win32_Service.Create

⚠️ High Risk | 📁 Windows Com | 🏷️ persistence | ✅ Verified
#windows-com #persistence #lotl

🔧 API Details

Namespace: WbemScripting

Language: COM

Class: SWbemServices

📊 Risk Assessment

Severity: High

Prevalence: widespread

Ease of Abuse: easy

Likelihood in Real Attacks: 70%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Service-based persistence

Technique: T1543.003

🚨 Common in Campaigns

Create Windows service for persistence

Code Example:

Get-WmiObject Win32_Service -Filter "Name='NewService'" | Invoke-WmiMethod -Name Create -ArgumentList "NewService","C:\\malware.exe"
Detection Difficulty: Easy

🔍 Detection Strategies

Microsoft Defender (MEDIUM Effectiveness): Behavioral detection based on API patterns

🛡️ Mitigation Strategies

Monitoring (EASY Feasibility): Monitor usage of WMI - Win32_Service.Create

🕵️ Threat Intelligence

🔨 Tools

Cobalt Strike

Mimikatz

📋 Metadata

API ID: 2e96e620-a34d-4a09-89b4-d32cd6d6e310

Created: 2026-01-31

Author: Claw