Potential Product Reconnaissance Via Wmic.EXE

calendar Jan 1, 2024 · attack.execution attack.t1047  ·
Share on: linkedin copy

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Sigma rule (View on GitHub)

 1title: Potential Product Reconnaissance Via Wmic.EXE
 2id: 15434e33-5027-4914-88d5-3d4145ec25a9
 3status: test
 4description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
 5references:
 6    - https://thedfirreport.com/2023/03/06/2022-year-in-review/
 7    - https://www.yeahhub.com/list-installed-programs-version-path-windows/
 8    - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
 9author: Nasreddine Bencherchali
10date: 2023/02/14
11tags:
12    - attack.execution
13    - attack.t1047
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\wmic.exe'
20        - OriginalFileName: 'wmic.exe'
21    selection_cli:
22        CommandLine|contains: 'Product'
23    condition: all of selection_*
24falsepositives:
25    - Unknown
26level: medium

References

  • 2022 Year in Review - The DFIR Report

    As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report … Read More


    Read More

  • List all installed programs, version & path [Windows]

    WMIC is the console version of Windows Managament Instrumentation which is available from windows 2000 onwards. By Typing "wmic product get name" will shows you a list of all application names which is installed on your machine. Alternatively, you can even find all possible information in one command like "wmic product get name, version, installlocation"


    Read More

  • Software List - Inventory -WMIC Product - Microsoft Q&A

    Hi, I am trying to generate a list of the installed software using WMIC Product, but it seems like I am getting one a few items listed with command. See below screenshot for the installed product (available in Control Panel) and the WMIC Product…


    Read More

Related rules

to-top