System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the wmic
command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
Sigma rule (View on GitHub)
1title: System Disk And Volume Reconnaissance Via Wmic.EXE
2id: c79da740-5030-45ec-a2e0-479e824a562c
3related:
4 - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
5 type: similar
6status: test
7description: |
8 An adversary might use WMI to discover information about the system, such as the volume name, size,
9 free space, and other disk information. This can be done using the `wmic` command-line utility and has been
10 observed being used by threat actors such as Volt Typhoon.
11references:
12 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
13 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
14author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
15date: 2024-02-02
16tags:
17 - attack.execution
18 - attack.discovery
19 - attack.t1047
20 - attack.t1082
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection_img:
26 - Image|endswith: '\WMIC.exe'
27 - OriginalFileName: 'wmic.exe'
28 selection_cli:
29 CommandLine|contains:
30 - 'volume'
31 - 'path win32_logicaldisk'
32 condition: all of selection_*
33falsepositives:
34 - Unknown
35level: medium
References
Related rules
- HackTool - PCHunter Execution
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Computer System Reconnaissance Via Wmic.EXE
- HackTool - CrackMapExec Execution