System Disk And Volume Reconnaissance Via Wmic.EXE

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Sigma rule

title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: similar
status: test
description: |
    An adversary might use WMI to discover information about the system, such as the volume name, size,
    free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
    observed being used by threat actors such as Volt Typhoon.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        - CommandLine|contains:
              - ' volumename'
              - ' logicaldisk'
        - CommandLine|contains|all:
              - 'path'
              - 'win32_logicaldisk'
        - CommandLine|contains|all:
              - ' volume'
              - ' list '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
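
To show how the rule's `condition: all of selection_*` combines the image check with the three command-line alternatives, here is an added Python evaluation of the detection logic over a few constructed process_creation events; it is not part of the rule or of the Sigma project, and the field names (Image, OriginalFileName, CommandLine) and sample events are taken from the rule or constructed for this example.

```python
# Added example: evaluate this Sigma rule's detection block in plain Python.
# Sigma string matching is case-insensitive by default, so every comparison
# is done on lower-cased values. Not code from the rule's author or from Sigma.

SELECTION_IMG = (
    # Image|endswith: '\WMIC.exe'
    lambda e: e.get("Image", "").lower().endswith("\\wmic.exe"),
    # OriginalFileName: 'wmic.exe'
    lambda e: e.get("OriginalFileName", "").lower() == "wmic.exe",
)

def _contains_any(cmd, needles):
    return any(n in cmd for n in needles)

def _contains_all(cmd, needles):
    return all(n in cmd for n in needles)

def selection_cli(command_line):
    """OR of the three CommandLine list items in selection_cli."""
    cmd = command_line.lower()
    return (
        _contains_any(cmd, (" volumename", " logicaldisk"))          # contains
        or _contains_all(cmd, ("path", "win32_logicaldisk"))         # contains|all
        or _contains_all(cmd, (" volume", " list "))                 # contains|all
    )

def matches(event):
    """condition: all of selection_* -> selection_img AND selection_cli."""
    img = any(check(event) for check in SELECTION_IMG)
    return img and selection_cli(event.get("CommandLine", ""))

# Constructed sample events (not real telemetry); the last two are the
# near-misses a practitioner should verify do NOT fire.
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
EVENTS = [
    {"Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic logicaldisk get caption,size,freespace"},   # ' logicaldisk'
    {"Image": WMIC, "CommandLine": "wmic path win32_logicaldisk get name"},  # path + class
    {"Image": WMIC, "CommandLine": "wmic volume list brief"},         # ' volume' + ' list '
    {"Image": WMIC, "CommandLine": "wmic process list brief"},        # ' list ' alone: no
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c wmic logicaldisk get size"},               # CLI hits, image does not
]

def evaluate(events=EVENTS):
    """Return one bool per event: does the rule fire on it?"""
    return [matches(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "      ", e["CommandLine"])
```

The fifth event is the case the rule deliberately leaves to the `cmd /c` parent: the child wmic.exe process it spawns is what produces a matching process_creation event.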
