WMI Reconnaissance
Reconnaissance is harder to detect because it looks very similar to normal admin behavior. Even so, we detect a relatively high volume of adversaries leveraging WMI to quickly gather domain information such as users, groups, or computers in the domain. The following may help you detect related activity. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: WMI Reconnaissance
id: 8a450075-e74f-4b19-9efa-b62a53f85bf8
status: experimental
description: |
    Reconnaissance is harder to detect because it looks very similar to normal admin behavior.
    Even so, we detect a relatively high volume of adversaries leveraging WMI to quickly gather
    domain information such as users, groups, or computers in the domain. The following may help
    you detect related activity. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1087
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - '\ldap'
            - 'ntdomain'
    condition: selection
falsepositives:
    - Unknown
level: low
```
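As an added example that is not part of the rule or of the Red Canary report, the following Python evaluates the rule's `selection` map against constructed `process_creation` events, applying the case-insensitive `endswith`/`contains` semantics a Sigma backend uses, so that the match and non-match cases can be checked before the rule is deployed. The sample events and the helper names are assumptions made here.

```python
# Added example: evaluates the rule's `selection` the way a Sigma backend would.
# Sigma string matching is case-insensitive by default, so values are lower-cased.
from typing import Dict, List

# The rule's selection, transcribed from the YAML above.
SELECTION: Dict[str, List[str]] = {
    "Image|endswith": ["\\wmic.exe"],
    "CommandLine|contains": ["\\ldap", "ntdomain"],
}


def _field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """Apply one Sigma modifier; a list of patterns under one key is OR-ed."""
    v = value.lower()
    for p in (x.lower() for x in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]] = SELECTION) -> bool:
    """Keys of a Sigma selection map are AND-ed; each key is 'field|modifier'."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic ntdomain get domainname"},                      # matches: ntdomain
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": r"wmic /namespace:\\root\directory\ldap path ds_group get ds_samaccountname"},  # matches: \ldap
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic os get caption"},                                # wmic, but no keyword
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo ntdomain"},                               # keyword, but not wmic.exe
]


def matching_indices(events=SAMPLE_EVENTS) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if selection_matches(e)]


if __name__ == "__main__":
    print(matching_indices())  # [0, 1]
```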
Related rules
- Office Products Spawning WMI
- Suspicious Commands - WMI
- Suspicious PowerShell Cmdlets - WMI
- Suspicious Process Lineage - WMI
- Unusual Module Loads - WMI