Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Sigma rule (View on GitHub)
1title: Hardware Model Reconnaissance Via Wmic.EXE
2id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
3status: test
4description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
5references:
6 - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
7 - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
8author: Florian Roth (Nextron Systems)
9date: 2023-02-14
10tags:
11 - attack.execution
12 - attack.t1047
13 - car.2016-03-002
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\wmic.exe'
20 - OriginalFileName: 'wmic.exe'
21 selection_cli:
22 CommandLine|contains: 'csproduct'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: medium
27regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct/info.yml
References
Related rules
- Process Creation Attempt via Wmic.EXE
- Application Removed Via Wmic.EXE
- Application Termination Attempt via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE