Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which an adversary might use to list the processes running on a compromised host or to enumerate installed software, hotfixes and patches.
Sigma rule

```yaml
title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'process'
    filter_main_creation:
        CommandLine|contains|all:
            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
            - 'call'
            - 'create'
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
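To show how the detection logic above evaluates, here is an added example (not part of the Sigma project) that re-implements the rule's selections, filter and condition in Python and runs them over a handful of constructed process_creation events. It assumes Sigma's default case-insensitive string matching and that the event fields are named as in the rule (Image, OriginalFileName, CommandLine).

```python
# Constructed process_creation events (not real telemetry); field names follow the rule's logsource taxonomy.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},                # process listing -> alert
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "svc.exe process get name,processid"},     # renamed binary, still caught via OriginalFileName
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process call create notepad.exe"},   # excluded by filter_main_creation (other rule covers it)
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic qfe list"},                          # no 'process' substring -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c tasklist"},                        # not wmic -> selection_img fails
]


def _field(event, name):
    # Sigma's endswith/contains modifiers match case-insensitively, so normalise once here.
    return str(event.get(name, "")).lower()


def selection_img(event):
    # Either list item matching is enough (a YAML list under a selection is OR-ed).
    return _field(event, "Image").endswith("\\wmic.exe") or _field(event, "OriginalFileName") == "wmic.exe"


def selection_cli(event):
    return "process" in _field(event, "CommandLine")


def filter_main_creation(event):
    # contains|all: every listed substring must be present.
    cli = _field(event, "CommandLine")
    return "call" in cli and "create" in cli


def rule_matches(event):
    # condition: all of selection* and not 1 of filter_*
    return selection_img(event) and selection_cli(event) and not filter_main_creation(event)


def alerting_command_lines(events):
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cli in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT:", cli)
```

Only the first two constructed events alert; the `call create` invocation is deliberately left to the separate rule referenced in the filter comment, and `wmic qfe list` is not covered by this rule at all despite the description mentioning hotfixes.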
References
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE