WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
Sigma rule (View on GitHub)
1title: WMIC Remote Command Execution
2id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
3related:
4 - id: e42af9df-d90b-4306-b7fb-05c863847ebd
5 type: obsoletes
6 - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
7 type: obsoletes
8status: test
9description: Detects the execution of WMIC to query information on a remote system
10references:
11 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
12 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
13author: frack113, Nasreddine Bencherchali (Nextron Systems)
14date: 2023/02/14
15tags:
16 - attack.execution
17 - attack.t1047
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\WMIC.exe'
24 - OriginalFileName: 'wmic.exe'
25 selection_cli:
26 CommandLine|contains: '/node:'
27 filter_localhost:
28 CommandLine|contains:
29 - '/node:127.0.0.1 '
30 - '/node:localhost '
31 condition: all of selection_* and not 1 of filter_*
32falsepositives:
33 - Unknown
34level: medium
References
-
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
Read More
Related rules
- Application Removed Via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- Potential Product Reconnaissance Via Wmic.EXE