Uncommon System Information Discovery Via Wmic.EXE

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Sigma rule (View on GitHub)

 1title: Uncommon System Information Discovery Via Wmic.EXE
 2id: 9d5a1274-922a-49d0-87f3-8c653483b909
 3related:
 4    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
 5      type: derived
 6status: experimental
 7description: |
 8    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
 9    including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
10    and GPU driver products/versions.
11    Some of these commands were used by Aurora Stealer in late 2022/early 2023.    
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
14    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
15    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
16    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
17    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
18    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
19author: TropChaud
20date: 2023-01-26
21modified: 2023-12-19
22tags:
23    - attack.discovery
24    - attack.t1082
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection_wmic:
30        - Description: 'WMI Commandline Utility'
31        - OriginalFileName: 'wmic.exe'
32        - Image|endswith: '\WMIC.exe'
33    selection_commands:
34        CommandLine|contains:
35            - 'LOGICALDISK get Name,Size,FreeSpace'
36            - 'os get Caption,OSArchitecture,Version'
37    condition: all of selection_*
38falsepositives:
39    - Unknown
40level: medium

References

Related rules

to-top