Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Sigma rule (View on GitHub)
1title: Potential Product Reconnaissance Via Wmic.EXE
2id: 15434e33-5027-4914-88d5-3d4145ec25a9
3status: test
4description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
5references:
6 - https://thedfirreport.com/2023/03/06/2022-year-in-review/
7 - https://www.yeahhub.com/list-installed-programs-version-path-windows/
8 - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
9author: Nasreddine Bencherchali
10date: 2023-02-14
11modified: 2025-12-15
12tags:
13 - attack.execution
14 - attack.t1047
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\wmic.exe'
21 - OriginalFileName: 'wmic.exe'
22 selection_cli:
23 CommandLine|contains: 'Product'
24 filter_main_call_operations:
25 # wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
26 CommandLine|contains:
27 - ' uninstall'
28 - ' install'
29 filter_main_csproduct:
30 # wmic /node:"#{node}" csproduct get name, identifyingnumber, uuid
31 # covered by 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
32 CommandLine|contains: 'csproduct'
33 condition: all of selection_* and not 1 of filter_main_*
34falsepositives:
35 - Unknown
36level: medium
37regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_product/info.yml
References
Related rules
- Application Removed Via Wmic.EXE
- Application Termination Attempt via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE