Potential Process Reconnaissance via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes. Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.
Sigma rule (View on GitHub)
1title: Potential Process Reconnaissance via Wmic.EXE
2id: 221b251a-357a-49a9-920a-271802777cc0
3status: test
4description: |
5 Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes.
6 Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
9 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
10author: frack113
11date: 2022-01-01
12modified: 2025-12-15
13tags:
14 - attack.execution
15 - attack.t1047
16 - attack.discovery
17 - attack.t1057
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\WMIC.exe'
24 - OriginalFileName: 'wmic.exe'
25 selection_cli:
26 CommandLine|contains: 'process'
27 filter_main_creation:
28 CommandLine|contains|all:
29 # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
30 - 'call'
31 - 'create'
32 filter_main_terminate:
33 CommandLine|contains|all:
34 # Rule id 49d9671b-0a0a-4c09-8280-d215bfd30662 for `wmic path win32_process where processid=#{processid_to_terminate} call terminate`
35 - 'call'
36 - 'terminate'
37 condition: all of selection* and not 1 of filter_main_*
38falsepositives:
39 - Unknown
40level: medium
41simulation:
42 - type: atomic-red-team
43 name: WMI Reconnaissance Processes
44 technique: T1047
45 atomic_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
46regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_process/info.yml
References
Related rules
- Computer System Reconnaissance Via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- System Disk And Volume Reconnaissance Via Wmic.EXE
- Registry Enumeration via WMI Stdregprov
- HackTool - CrackMapExec Execution