Computer System Reconnaissance Via Wmic.EXE
Detects execution of the wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Sigma rule
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem/info.yml
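To show how the condition above evaluates against process_creation telemetry, here is an added Python example (not part of the rule or the Sigma project) that applies both selections to constructed events; the field names follow the rule, Sigma's default case-insensitive string matching is assumed, and the sample paths and command lines are constructed.

```python
# Added example: evaluates the rule's detection logic over constructed
# process_creation events. Sigma string modifiers are case-insensitive
# by default, so every comparison is lowercased.

CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic computersystem get domain,username,model"},
    # Renamed binary: Image no longer ends in \wmic.exe, but the PE
    # OriginalFileName still does, so selection_img still fires.
    {"Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "svc.exe COMPUTERSYSTEM get name"},
    # Genuine wmic, but a different WMI class: selection_cli fails.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    # Keyword present, but the process is not wmic: selection_img fails.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo computersystem"},
]


def selection_img(event):
    """List of maps under selection_img: either entry matching is enough."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or orig == "wmic.exe"


def selection_cli(event):
    """CommandLine|contains: 'computersystem' (case-insensitive substring)."""
    return "computersystem" in event.get("CommandLine", "").lower()


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run(events):
    """Return the indexes of events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run(CONSTRUCTED_EVENTS):
        print(f"alert: event {i}: {CONSTRUCTED_EVENTS[i]['CommandLine']}")
```

The renamed-binary event is why the rule checks OriginalFileName alongside Image: the path alone would miss it.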
Related rules
- Potential Process Reconnaissance via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- System Disk And Volume Reconnaissance Via Wmic.EXE
- Registry Enumeration via WMI Stdregprov
- HackTool - CrackMapExec Execution