Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Sigma rule

```yaml
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
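Added example (not part of the rule or of the Sigma project): a small Python evaluator that applies the rule's two selections and its `all of selection_*` condition to constructed process_creation events, using Sigma's default case-insensitive string matching. The field names follow the rule; the events are constructed samples, not real telemetry.

```python
"""Evaluate the wmic 'computersystem' Sigma rule against constructed events."""

# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic computersystem get domain,username,model"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},           # wmic, but other class
    {"Image": r"C:\Temp\renamed.exe",                 # renamed binary: the
     "OriginalFileName": "wmic.exe",                  # OriginalFileName still hits
     "CommandLine": "renamed.exe COMPUTERSYSTEM get Name"},
    {"Image": r"C:\Windows\System32\cmd.exe",         # keyword without wmic
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo computersystem"},
]


def selection_img(event):
    """A list of maps under one selection is OR-ed; matching is case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(r"\wmic.exe") or original == "wmic.exe"


def selection_cli(event):
    """CommandLine|contains: 'computersystem' (case-insensitive substring)."""
    return "computersystem" in event.get("CommandLine", "").lower()


def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def alerts(events):
    """Return the indices of events that would raise this rule."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 2]
```

Event 2 shows why the rule keys on OriginalFileName as well as the image path, and event 3 shows that the keyword alone is not enough to fire.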
Related rules
- HackTool - CrackMapExec Execution
- WMI Reconnaissance
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Application Removed Via Wmic.EXE