Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Sigma rule (View on GitHub)
1title: Hardware Model Reconnaissance Via Wmic.EXE
2id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
3status: test
4description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
5references:
6 - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
7 - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
8author: Florian Roth (Nextron Systems)
9date: 2023-02-14
10tags:
11 - attack.execution
12 - attack.t1047
13 - car.2016-03-002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\wmic.exe'
20 - OriginalFileName: 'wmic.exe'
21 selection_cli:
22 CommandLine|contains: 'csproduct'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: medium
References
-
Often used in MDT to ensure certain drivers or applications only get installed on certain hardware types, WMI queries on Model are very useful for Windows deployments to physical machines. The foll…
Read More -
New discovery by the Uptycs Threat Research Team of a malware builder tool harvesting passwords and screenshots that are then delivered to attackers via Discord webhooks, and insights into the author of the malware.
Read More
Related rules
- New Process Created Via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird