System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the wmic command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
Sigma rule (View on GitHub)
1title: System Disk And Volume Reconnaissance Via Wmic.EXE
2id: c79da740-5030-45ec-a2e0-479e824a562c
3related:
4 - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
5 type: similar
6status: experimental
7description: |
8 An adversary might use WMI to discover information about the system, such as the volume name, size,
9 free space, and other disk information. This can be done using the `wmic` command-line utility and has been
10 observed being used by threat actors such as Volt Typhoon.
11references:
12 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
13 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
14author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
15date: 2024/02/02
16tags:
17 - attack.execution
18 - attack.discovery
19 - attack.t1047
20 - attack.t1082
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection_img:
26 - Image|endswith: '\WMIC.exe'
27 - OriginalFileName: 'wmic.exe'
28 selection_cli:
29 CommandLine|contains:
30 - 'volume'
31 - 'path win32_logicaldisk'
32 condition: all of selection_*
33falsepositives:
34 - Unknown
35level: medium
References
-
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA
The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with ...
Read More
Related rules
- Computer System Reconnaissance Via Wmic.EXE
- HackTool - PCHunter Execution
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- HackTool - CrackMapExec Execution