Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Sigma rule (View on GitHub)
1title: Uncommon System Information Discovery Via Wmic.EXE
2id: 9d5a1274-922a-49d0-87f3-8c653483b909
3related:
4 - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
5 type: derived
6status: experimental
7description: |
8 Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
9 including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
10 and GPU driver products/versions.
11 Some of these commands were used by Aurora Stealer in late 2022/early 2023.
12references:
13 - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
14 - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
15 - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
16 - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
17 - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
18 - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
19author: TropChaud
20date: 2023/01/26
21modified: 2023/12/19
22tags:
23 - attack.discovery
24 - attack.t1082
25logsource:
26 category: process_creation
27 product: windows
28detection:
29 selection_wmic:
30 - Description: 'WMI Commandline Utility'
31 - OriginalFileName: 'wmic.exe'
32 - Image|endswith: '\WMIC.exe'
33 selection_commands:
34 CommandLine|contains:
35 - 'LOGICALDISK get Name,Size,FreeSpace'
36 - 'os get Caption,OSArchitecture,Version'
37 condition: all of selection_*
38falsepositives:
39 - Unknown
40level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Getting System Information with wmic on Windows CPU wmic cpu get name RAM wmic MEMPHYSICAL get MaxCapacity MB wmic baseboard get product MB Version wmic baseboard get version MB BIOS wmic bios get SMBIOSBIOSVersion GPU Name wmic path win32_VideoController get name GPU Driver wmic path win32_VideoController get DriverVersion
Read More -
Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset.
Read More -
CRIL analyzes Aurora, an information stealer leveraging Phishing pages imitating popular applications to infect users.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Related rules
- System Information Discovery Using sw_vers
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Potential Suspicious Activity Using SeCEdit
- Container Residence Discovery Via Proc Virtual FS