System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.
Sigma rule

title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: similar
status: test
description: |
    An adversary might use WMI to discover information about the system, such as the volume name, size,
    free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
    observed being used by threat actors such as Volt Typhoon.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        - CommandLine|contains:
              - ' volumename'
              - ' logicaldisk'
        - CommandLine|contains|all:
              - 'path'
              - 'win32_logicaldisk'
        - CommandLine|contains|all:
              - ' volume'
              - ' list '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_volume/info.yml
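
The rule's detection logic evaluated over process-creation events, as an added example that is not part of the Sigma project's code. The field names come from the rule; the sample events, the "Name" label and the function names are constructed for illustration, and matching is lowercased because Sigma string matching is case-insensitive by default.

```python
# Added example: hand-written evaluator for this rule's condition (not Sigma tooling).
# Sigma string matching is case-insensitive by default, so values are lowercased.

def selection_img(event):
    # List items under a selection are OR'ed: image path suffix or PE original name.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"

def selection_cli(event):
    cli = event.get("CommandLine", "").lower()
    # 'contains' with a list: any value may match.
    any_keyword = any(s in cli for s in (" volumename", " logicaldisk"))
    # 'contains|all': every value must be present.
    wmi_path = all(s in cli for s in ("path", "win32_logicaldisk"))
    volume_list = all(s in cli for s in (" volume", " list "))
    return any_keyword or wmi_path or volume_list

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

def hunt(events):
    return [e["Name"] for e in events if matches(e)]

WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
# Constructed sample events, not real telemetry. "Name" is a label for this example.
SAMPLES = [
    {"Name": "logicaldisk alias", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic logicaldisk get caption,freespace,size"},
    {"Name": "volume list", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic volume list brief"},
    {"Name": "renamed binary", "Image": "C:\\Users\\Public\\w.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe path Win32_LogicalDisk get DeviceID,Size"},
    {"Name": "unrelated wmic query", "Image": WMIC, "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"Name": "keyword in other tool", "Image": "C:\\Windows\\System32\\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE",
     "CommandLine": "findstr /i logicaldisk inventory.txt"},
]

if __name__ == "__main__":
    for name in hunt(SAMPLES):
        print("match:", name)
```

The "renamed binary" event matches only through OriginalFileName, and the findstr event shows that a disk keyword alone does not fire the rule without the image selection.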
Related rules
- Potential Product Class Reconnaissance Via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE
- Registry Enumeration via WMI Stdregprov
- HackTool - WinPwn Execution