Process Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "process" flag, which an adversary might use to list the processes running on a compromised host or to list installed software, hotfixes and patches.

Sigma rule

title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022/01/01
modified: 2023/02/14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'process'
    filter_main_creation:
        CommandLine|contains|all:
            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
            - 'call'
            - 'create'
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
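Added example (not part of the rule or the SigmaHQ project): a minimal Python evaluation of this rule's detection logic against constructed process_creation events, showing the OR semantics of the two `selection_img` items, Sigma's case-insensitive substring matching, and the filter that leaves `call create` invocations to rule 526be59f-a573-4eea-b5f7-f0973207634d. Field names follow Sigma's process_creation taxonomy; the `id` labels and all event values are assumptions made up for the sample.

```python
# Added example: evaluate the Sigma rule above against process_creation events.
# The sample events below are constructed, not real telemetry.
from typing import Dict, List

Event = Dict[str, str]

def selection_img(ev: Event) -> bool:
    """Items in a Sigma list are OR-ed; string matching is case-insensitive."""
    image = ev.get("Image", "").casefold()
    original = ev.get("OriginalFileName", "").casefold()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"

def selection_cli(ev: Event) -> bool:
    """'CommandLine|contains: process' is a plain substring test."""
    return "process" in ev.get("CommandLine", "").casefold()

def filter_main_creation(ev: Event) -> bool:
    """'contains|all' requires every listed token to be present."""
    cli = ev.get("CommandLine", "").casefold()
    return all(token in cli for token in ("call", "create"))

def matches(ev: Event) -> bool:
    """condition: all of selection* and not 1 of filter_*"""
    return selection_img(ev) and selection_cli(ev) and not filter_main_creation(ev)

WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS: List[Event] = [
    {"id": "list", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},
    # excluded by filter_main_creation; rule 526be59f-a573-4eea-b5f7-f0973207634d covers it
    {"id": "create", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic process call create "notepad.exe"'},
    # renamed binary: Image no longer ends in \WMIC.exe, but the PE OriginalFileName does
    {"id": "renamed", "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "svc.exe process get name,processid"},
    # hotfix enumeration: no 'process' substring, so selection_cli does not match
    {"id": "qfe", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic qfe list"},
    {"id": "ps", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell Get-Process"},
]

def alerting_ids(events: List[Event]) -> List[str]:
    """Return the ids of the events the rule would fire on, in input order."""
    return [ev["id"] for ev in events if matches(ev)]

if __name__ == "__main__":
    print(alerting_ids(SAMPLE_EVENTS))  # ['list', 'renamed']
```

Note that `wmic qfe list`, the hotfix enumeration the description mentions, contains no `process` substring and therefore is not matched by this rule as written.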
