WMIC Suspicious Commands
Detects adversaries leveraging WMI to gather domain information such as users, groups, AV product in use, or computers in the domain. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: WMIC Suspicious Commands
id: 21a5815b-5db5-4e13-99e4-052ae6bbcdc1
status: experimental
description: Detects adversaries leveraging WMI to gather domain information such
    as users, groups, AV product in use, or computers in the domain. Inspired by the
    2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - '\ldap'
            - 'ntdomain'
            - 'antivirusproduct'
            - 'useraccount get'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
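To show what the rule's `selection` actually matches, here is an added example (not the Sigma project's own matcher and not code from the rule's author) that reproduces the `Image|endswith` and `CommandLine|contains` logic over constructed process-creation events. Sigma string modifiers compare case-insensitively by default, so the matcher lowercases both sides; field names follow Sysmon's `Image`/`CommandLine` convention, which is an assumption about the telemetry source.

```python
# Added example: evaluate the rule's 'selection' against constructed events.
# Not the Sigma project's backend; it mirrors the case-insensitive
# 'endswith'/'contains' semantics of the modifiers used in this rule.

IMAGE_SUFFIX = "\\wmic.exe"                      # Image|endswith
COMMANDLINE_NEEDLES = (                          # CommandLine|contains (any-of)
    "\\ldap", "ntdomain", "antivirusproduct", "useraccount get",
)


def matches_wmic_suspicious(event: dict) -> bool:
    """True when the event satisfies selection: Image suffix AND any needle.

    Both fields are lowercased because Sigma matching is case-insensitive.
    A missing field can never match, so incomplete events fall through.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(needle in cmdline for needle in COMMANDLINE_NEEDLES)


def flag_events(events: list) -> list:
    """Return the indexes of events the rule would alert on, in order."""
    return [i for i, ev in enumerate(events) if matches_wmic_suspicious(ev)]


# Constructed sample telemetry (not real logs); mixed case exercises the
# case-insensitive comparison, the last two show the two ways to NOT match.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic NTDOMAIN get DomainName"},
    {"Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic path AntiVirusProduct get displayName"},
    {"Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic useraccount get name,sid"},
    {"Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic os get Caption"},           # wmic, but no needle
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c echo ntdomain"},          # needle, but wrong Image
]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it flags only the first three events; the benign `os get` call and the cmd.exe event are left alone, which is the behaviour the rule's `condition: selection` implies.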
Related rules
- Suspicious WMI-Related Powershell Cmdlets
- WMIC Suspicious Commands
- Base64 Encoding in CMD or Powershell
- Command Shell Bypassing Security Controls