WMIC Remote Command Execution

Aug 12, 2024 · attack.execution attack.t1047 ·

Detects the execution of WMIC to query information on a remote system

Sigma rule (View on GitHub)

 1title: WMIC Remote Command Execution
 2id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
 3related:
 4    - id: e42af9df-d90b-4306-b7fb-05c863847ebd
 5      type: obsolete
 6    - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
 7      type: obsolete
 8status: test
 9description: Detects the execution of WMIC to query information on a remote system
10references:
11    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
12    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
13author: frack113, Nasreddine Bencherchali (Nextron Systems)
14date: 2023-02-14
15tags:
16    - attack.execution
17    - attack.t1047
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\WMIC.exe'
24        - OriginalFileName: 'wmic.exe'
25    selection_cli:
26        CommandLine|contains: '/node:'
27    filter_localhost:
28        CommandLine|contains:
29            - '/node:127.0.0.1 '
30            - '/node:localhost '
31    condition: all of selection_* and not 1 of filter_*
32falsepositives:
33    - Unknown
34level: medium

References

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Read More
wmic

Reference article for wmic, which displays WMI information inside an interactive command shell.

Read More

WMIC Remote Command Execution

Sigma rule (View on GitHub)

References

MoonBounce: the dark side of UEFI firmware

wmic

Related rules