Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023. Note that the detection as written is narrower than this description: it fires only when a process identified as WMIC (by its file description, its original file name, or an image name ending in "\WMIC.exe") has a command line containing "LOGICALDISK get Name,Size,FreeSpace" or "os get Caption,OSArchitecture,Version". Sigma string matching is case-insensitive by default, so variants of those two queries in different case still match, but the other queries listed above (CPU, GPU, memory, display, baseboard, BIOS) are not covered by the current selection and would need additional fragments in selection_commands.
Sigma rule

```yaml
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: derived
status: experimental
description: |
    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
    including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
    and GPU driver products/versions.
    Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmic:
        - Description: 'WMI Commandline Utility'
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_commands:
        CommandLine|contains:
            - 'LOGICALDISK get Name,Size,FreeSpace'
            - 'os get Caption,OSArchitecture,Version'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
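To see what the rule's three-way WMIC identification, the case-insensitive "contains" match and the "all of selection_*" condition actually do against log data, here is a small re-implementation of the matching logic in Python run over a few constructed process_creation events. This is an added example, not code from the rule, its author or SigmaHQ (Sigma's real engines are sigma-cli/pySigma and the backend query languages); the event field names follow the rule, the event contents and the "id" key are made up for illustration.

```python
"""Constructed re-implementation of the Sigma rule's matching logic (not
Sigma's own engine), run over made-up process_creation events. Sigma string
modifiers compare case-insensitively by default, so every comparison below
lower-cases both sides."""
from typing import Dict, List, Optional

# Values copied from the rule's selections.
WMIC_DESCRIPTION = "WMI Commandline Utility"
WMIC_ORIGINAL_FILENAME = "wmic.exe"
WMIC_IMAGE_SUFFIX = "\\WMIC.exe"
COMMAND_FRAGMENTS = (
    "LOGICALDISK get Name,Size,FreeSpace",
    "os get Caption,OSArchitecture,Version",
)

Event = Dict[str, str]


def _lower(event: Event, field: str) -> Optional[str]:
    """Return the field lower-cased, or None when the event lacks it."""
    value = event.get(field)
    return value.lower() if isinstance(value, str) else None


def selection_wmic(event: Event) -> bool:
    """selection_wmic is a list of maps, which Sigma ORs together:
    any one of the three identifiers is enough."""
    description = _lower(event, "Description")
    original = _lower(event, "OriginalFileName")
    image = _lower(event, "Image")
    return (
        description == WMIC_DESCRIPTION.lower()
        or original == WMIC_ORIGINAL_FILENAME.lower()
        or (image is not None and image.endswith(WMIC_IMAGE_SUFFIX.lower()))
    )


def selection_commands(event: Event) -> bool:
    """CommandLine|contains with a list of values: OR over the fragments."""
    command_line = _lower(event, "CommandLine")
    if command_line is None:
        return False
    return any(fragment.lower() in command_line for fragment in COMMAND_FRAGMENTS)


def matches(event: Event) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    return selection_wmic(event) and selection_commands(event)


# Constructed sample events (hypothetical, not taken from the referenced samples).
SAMPLE_EVENTS: List[Event] = [
    {   # WMIC run directly with one of the listed queries: alerts.
        "id": "wmic-os-query",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "Description": "WMI Commandline Utility",
        "CommandLine": "wmic os get Caption,OSArchitecture,Version",
    },
    {   # WMIC copied under another name, query typed in lower case:
        # OriginalFileName still identifies it and matching is case-insensitive.
        "id": "renamed-wmic",
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "wmic.exe",
        "Description": "WMI Commandline Utility",
        "CommandLine": "svc.exe logicaldisk get name,size,freespace",
    },
    {   # WMIC with a query the rule does not list: no alert.
        "id": "wmic-other-query",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "Description": "WMI Commandline Utility",
        "CommandLine": "wmic computersystem get TotalPhysicalMemory",
    },
    {   # cmd.exe launching WMIC: the listed query is on this command line, but
        # the event is the parent; the child WMIC process is the one that alerts.
        "id": "cmd-parent",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "Description": "Windows Command Processor",
        "CommandLine": 'cmd.exe /c "wmic os get Caption,OSArchitecture,Version"',
    },
    {   # Image identifies WMIC but CommandLine was not logged: no alert.
        "id": "no-command-line",
        "Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
    },
]


def alerting_ids(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Ids of the events the rule would alert on, in input order."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:>18}: {'ALERT' if matches(event) else 'no match'}")
```

Running the script alerts on the first two events only. The "cmd-parent" and "no-command-line" cases are the ones worth remembering when tuning: the rule keys on the WMIC process itself, so a telemetry source that only records the parent shell, or that drops the command line, produces no hit even though the query was executed.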
Related rules
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing
- HackTool - PCHunter Execution