System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed in use by threat actors such as Volt Typhoon.
Sigma rule
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: similar
status: experimental
description: |
    An adversary might use WMI to discover information about the system, such as the volume name, size,
    free space, and other disk information. This can be done using the `wmic` command-line utility and has been
    observed being used by threat actors such as Volt Typhoon.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
date: 2024-02-02
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains:
            - 'volume'
            - 'path win32_logicaldisk'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
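To see exactly what the rule above does and does not catch, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that reimplements its two selections and `all of selection_*` condition in Python and runs them over a handful of constructed process_creation events. It follows Sigma's default matching semantics: string comparisons are case-insensitive, a YAML list of maps inside a selection is OR-ed, and a list of values under one `|contains` field is OR-ed. The sample events are made up for illustration and are not taken from any incident or from the referenced advisory. Two points worth noticing: the `OriginalFileName` branch still fires when the binary has been renamed, and a command such as `wmic logicaldisk get caption,freespace,size` retrieves the same disk data through the alias without containing either `volume` or `path win32_logicaldisk`, so it falls outside this rule as written.

```python
"""Apply the 'System Disk And Volume Reconnaissance Via Wmic.EXE' Sigma logic
to process_creation events, mirroring Sigma's default matching behaviour.
Added example; not the rule's or the project's own code."""

# Sigma string matching is case-insensitive unless the `cased` modifier is
# used, so every comparison below lowercases both sides.
IMAGE_SUFFIX = "\\wmic.exe"                          # Image|endswith: '\WMIC.exe'
ORIGINAL_FILE_NAME = "wmic.exe"                      # OriginalFileName: 'wmic.exe'
CLI_NEEDLES = ("volume", "path win32_logicaldisk")   # CommandLine|contains: [...]


def selection_img(event: dict) -> bool:
    """selection_img is a YAML list of maps, so its two entries are OR-ed."""
    image = event.get("Image", "").lower()
    original_name = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original_name == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """A list of values under one |contains field is also OR-ed."""
    cmdline = event.get("CommandLine", "").lower()
    return any(needle in cmdline for needle in CLI_NEEDLES)


def matches(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical; not from any real telemetry).
SAMPLE_EVENTS = [
    {   # renamed copy of wmic.exe: Image no longer matches, but the PE
        # OriginalFileName survives the rename and still satisfies selection_img
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe volume list brief",
    },
    {   # explicit WMI class path, matched via 'path win32_logicaldisk'
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename",
    },
    {   # same disk data through the alias: neither needle is present, so no alert
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic logicaldisk get caption,freespace,size",
    },
    {   # 'volume' appears in the command line, but the process is not wmic
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo volume",
    },
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    """Return the command lines of the events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Running the block alerts on the first two events only. The third event is the gap a practitioner should keep in mind when tuning: adding `logicaldisk` (or the `volumename` property) to `selection_cli` would close it at the cost of more noise from administrative scripts, which is a trade-off to evaluate against local baseline data rather than a change to make blindly.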
Related rules
- Computer System Reconnaissance Via Wmic.EXE
- HackTool - CrackMapExec Execution
- HackTool - PCHunter Execution
- WMI Reconnaissance
- AADInternals PowerShell Cmdlets Execution - ProccessCreation