Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Sigma rule (View on GitHub)
1title: Potential Product Class Reconnaissance Via Wmic.EXE
2id: e568650b-5dcd-4658-8f34-ded0b1e13992
3status: test
4description: |
5 Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
6 Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
7 This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
8references:
9 - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
10 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
11 - https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
12author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2023-02-14
14modified: 2025-03-17
15tags:
16 - attack.execution
17 - attack.t1047
18 - attack.discovery
19 - attack.t1082
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\wmic.exe'
26 - OriginalFileName: 'wmic.exe'
27 selection_cli:
28 # Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
29 CommandLine|contains:
30 - 'AntiVirusProduct'
31 - 'AntiSpywareProduct'
32 - 'FirewallProduct'
33 condition: all of selection_*
34falsepositives:
35 - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
36level: medium
References
-
Notes and IoCs of fresh malware. Contribute to albertzsigovits/malware-notes development by creating an account on GitHub.
Read More -
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Read More -
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
Read More
Related rules
- System Disk And Volume Reconnaissance Via Wmic.EXE
- HackTool - PCHunter Execution
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Computer System Reconnaissance Via Wmic.EXE