Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Sigma rule (View on GitHub)
1title: Potential Product Reconnaissance Via Wmic.EXE
2id: 15434e33-5027-4914-88d5-3d4145ec25a9
3status: test
4description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
5references:
6 - https://thedfirreport.com/2023/03/06/2022-year-in-review/
7 - https://www.yeahhub.com/list-installed-programs-version-path-windows/
8 - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
9author: Nasreddine Bencherchali
10date: 2023-02-14
11tags:
12 - attack.execution
13 - attack.t1047
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\wmic.exe'
20 - OriginalFileName: 'wmic.exe'
21 selection_cli:
22 CommandLine|contains: 'Product'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: medium
References
-
As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report looks at the t…
Read More -
WMIC is the console version of Windows Managament Instrumentation which is available from windows 2000 onwards. By Typing "wmic product get name" will shows you a list of all application names which is installed on your machine. Alternatively, you can even find all possible information in one command like "wmic product get name, version, installlocation"
Read More -
Hi, I am trying to generate a list of the installed software using WMIC Product, but it seems like I am getting one a few items listed with command. See below screenshot for the installed product (available in Control Panel) and the WMIC Product…
Read More
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE