WMIC Remote Command Execution

calendar Nov 10, 2025 · attack.execution attack.t1047  ·
Share on: linkedin copy

Detects the execution of WMIC to query information on a remote system

Sigma rule (View on GitHub)

 1title: WMIC Remote Command Execution
 2id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
 3related:
 4    - id: e42af9df-d90b-4306-b7fb-05c863847ebd
 5      type: obsolete
 6    - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
 7      type: obsolete
 8status: test
 9description: Detects the execution of WMIC to query information on a remote system
10references:
11    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
12    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
13author: frack113, Nasreddine Bencherchali (Nextron Systems)
14date: 2023-02-14
15modified: 2025-10-22
16tags:
17    - attack.execution
18    - attack.t1047
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\WMIC.exe'
25        - OriginalFileName: 'wmic.exe'
26    selection_cli:
27        CommandLine|contains|windash: '/node:'
28    filter_main_localhost:
29        CommandLine|contains:
30            - 'localhost'
31            - '127.0.0.1'
32    condition: all of selection_* and not 1 of filter_main_*
33falsepositives:
34    - Unknown
35level: medium

References

  • MoonBounce: the dark side of UEFI firmware

    At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.


    Read More

  • wmic

    Reference article for wmic, which displays WMI information inside an interactive command shell.


    Read More

Related rules

to-top