[RedDev Series #3] Spawn Process From WMI In C++

WMI, reached through its COM interfaces, provides another option for creating a new process besides the common Windows APIs such as CreateProcess or ShellExecute.

For a threat actor, the advantage of this kind of process creation is that wmiprvse.exe breaks the process chain: because the request is carried out by the WMI provider host rather than by the caller, the new child process is spawned by wmiprvse.exe and has no parent PID relationship with the initiator process, wmi_create_process.exe. This makes investigation slightly more difficult.
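The broken parent chain described above is also what a defender can key on: the spawned process records wmiprvse.exe, not the initiator, as its parent. The script below is an added example and is not code from the original post. It parses a few constructed, Sysmon-style process-creation records (field names follow Sysmon Event ID 1; the values and the pipe-delimited layout are made up for this example), flags every process whose parent is WmiPrvSE.exe, and additionally checks that the parent binary runs from one of the directories where the genuine provider host lives, since a process claiming that name from elsewhere deserves a separate note.

```python
"""Flag processes created by the WMI provider host (WmiPrvSE.exe).

Added example, not part of the original post. The input records are
constructed: Sysmon Event ID 1 field names, pipe-delimited, made-up values.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample telemetry (not real logs). One process-creation event per line.
SAMPLE_LOG = """\
UtcTime=2024-01-01 10:00:00.000|ProcessId=1204|Image=C:\\Windows\\System32\\svchost.exe|ParentProcessId=712|ParentImage=C:\\Windows\\System32\\services.exe
UtcTime=2024-01-01 10:00:01.000|ProcessId=3300|Image=C:\\Users\\alice\\wmi_create_process.exe|ParentProcessId=2100|ParentImage=C:\\Windows\\explorer.exe
UtcTime=2024-01-01 10:00:02.000|ProcessId=3412|Image=C:\\Windows\\System32\\calc.exe|ParentProcessId=2800|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
UtcTime=2024-01-01 10:00:03.000|ProcessId=3500|Image=C:\\Windows\\System32\\notepad.exe|ParentProcessId=2100|ParentImage=C:\\Windows\\explorer.exe
UtcTime=2024-01-01 10:00:04.000|ProcessId=3600|Image=C:\\Windows\\System32\\cmd.exe|ParentProcessId=3590|ParentImage=C:\\Users\\alice\\WmiPrvSE.exe
"""

# Name of the WMI provider host and the directories it legitimately runs from.
WMI_HOST = "wmiprvse.exe"
EXPECTED_WMI_DIRS = {
    r"c:\windows\system32\wbem",
    r"c:\windows\syswow64\wbem",
}


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    pid: int
    image: str
    ppid: int
    parent_image: str


def parse_line(line: str) -> ProcessCreate:
    """Parse one pipe-delimited key=value record into a ProcessCreate event."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessCreate(
        utc_time=fields["UtcTime"],
        pid=int(fields["ProcessId"]),
        image=fields["Image"],
        ppid=int(fields["ParentProcessId"]),
        parent_image=fields["ParentImage"],
    )


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image_path).name.lower()


def analyse(log_text: str) -> List[Tuple[ProcessCreate, str]]:
    """Return (event, reason) pairs for every process spawned under a WmiPrvSE.exe parent.

    Two reasons are distinguished: a child of the real provider host, whose
    true initiator is not recoverable from the parent chain alone, and a child
    of a binary merely named WmiPrvSE.exe that runs from an unexpected location.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if basename(event.parent_image) != WMI_HOST:
            continue
        parent_dir = str(PureWindowsPath(event.parent_image).parent).lower()
        if parent_dir in EXPECTED_WMI_DIRS:
            reason = "created by the WMI provider host; initiator is not visible in the parent chain"
        else:
            reason = "parent is named WmiPrvSE.exe but runs from an unexpected directory"
        findings.append((event, reason))
    return findings


if __name__ == "__main__":
    for event, reason in analyse(SAMPLE_LOG):
        print(f"{event.utc_time} pid={event.pid} {event.image}: {reason}")
```

Because the parent chain stops at wmiprvse.exe, a hit from this rule is a starting point rather than an answer: the initiator has to be found from other telemetry (for example, which process issued the WMI call around the same time), and that extra correlation step is exactly the investigative friction the post describes.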