Computer System Reconnaissance Via Wmic.EXE

Jan 1, 2024 · attack.discovery attack.execution attack.t1047 ·

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Sigma rule (View on GitHub)

 1title: Computer System Reconnaissance Via Wmic.EXE
 2id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
 3status: test
 4description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
 5references:
 6    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/09/08
 9modified: 2023/02/14
10tags:
11    - attack.discovery
12    - attack.execution
13    - attack.t1047
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_img:
19        - Image|endswith: '\wmic.exe'
20        - OriginalFileName: 'wmic.exe'
21    selection_cli:
22        CommandLine|contains: 'computersystem'
23    condition: all of selection_*
24falsepositives:
25    - Unknown
26level: medium

References

https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

Read More

Computer System Reconnaissance Via Wmic.EXE

Sigma rule (View on GitHub)

References

https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/

Related rules