Detects the use of the WMI command-line utility (WMIC) to identify and display system information,
including OS, CPU, GPU and disk drive names; memory capacity; display resolution; and baseboard, BIOS
and GPU driver product names and versions.
Some of these commands were used by Aurora Stealer in late 2022 and early 2023.
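The following is an added example, not the rule's own selection logic or code from the page: it approximates the detection described above by running constructed Sysmon-style process-creation events through a matcher that recognises both the alias form (`wmic os get ...`) and the explicit class form (`wmic path Win32_VideoController get ...`). The class list, the verb list, the `min_classes` threshold and the sample events are all assumptions chosen to mirror the categories the description names.

```python
import re

# Added example, not the Sigma rule's own logic. Classes that the
# description above ties to inventory collection (OS, CPU, GPU, disk,
# memory, display, baseboard, BIOS, drivers): both the wmic alias and the
# underlying Win32_ class reachable through "wmic path <class>".
# Assumption: this list is ours; the published rule's selection may differ.
RECON_CLASSES = {
    "os", "cpu", "diskdrive", "memorychip", "computersystem",
    "desktopmonitor", "baseboard", "bios",
    "win32_operatingsystem", "win32_processor", "win32_videocontroller",
    "win32_diskdrive", "win32_physicalmemory", "win32_computersystem",
    "win32_desktopmonitor", "win32_baseboard", "win32_bios",
    "win32_pnpsigneddriver",
}
QUERY_VERBS = {"get", "list"}


def is_wmic(image):
    """True when the process image is wmic.exe, whatever the directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "wmic.exe"


def wmic_recon_classes(cmdline):
    """Return the recon classes queried on a wmic command line, in order
    and without duplicates. Handles the alias form ("wmic os get ...") and
    the explicit class form ("wmic path Win32_VideoController get ...")."""
    tokens = [t.strip("\"'").lower() for t in re.split(r"\s+", cmdline.strip()) if t]
    found = []
    for i, tok in enumerate(tokens):
        if tok == "path" and i + 1 < len(tokens):
            cls, verb_at = tokens[i + 1], i + 2
        elif tok in RECON_CLASSES:
            cls, verb_at = tok, i + 1
        else:
            continue
        if (cls in RECON_CLASSES and verb_at < len(tokens)
                and tokens[verb_at] in QUERY_VERBS and cls not in found):
            found.append(cls)
    return found


def alert(event, min_classes=1):
    """Return the matched classes when a process-creation event shows
    wmic.exe querying at least min_classes recon classes, else None."""
    if not is_wmic(event.get("Image", "")):
        return None
    classes = wmic_recon_classes(event.get("CommandLine", ""))
    return classes if len(classes) >= min_classes else None


def scan(events, min_classes=1):
    """Run alert() over a list of events and keep only the hits."""
    hits = []
    for ev in events:
        matched = alert(ev, min_classes)
        if matched:
            hits.append((ev["CommandLine"], matched))
    return hits


# Constructed Sysmon-style (Event ID 1) process-creation events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version,OSArchitecture"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic path Win32_VideoController get Name,DriverVersion"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic baseboard get Product,Version & wmic bios get SMBIOSBIOSVersion"},
    # Remote execution via WMI, not inventory: must not fire.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create notepad.exe"},
    # The cmd.exe parent is not wmic.exe; the wmic child arrives as its own event.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wmic cpu get Name"},
]

if __name__ == "__main__":
    for cmdline, classes in scan(SAMPLE_EVENTS):
        print(f"ALERT wmic recon {classes}: {cmdline}")
```

Administrators and inventory agents run the same queries, so in practice the threshold is raised (several distinct classes from one parent process in a short window) or known tooling is excluded by parent image. WMIC is deprecated by Microsoft, and the same inventory is available through PowerShell's `Get-CimInstance`, which this process-name-based logic does not see.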
Domain user and group enumeration via network reconnaissance.
Seen in APT29 intrusions and in the tradecraft of other common actors. Detects a set of RPC (remote procedure call) operations used to enumerate domain users and groups against a domain controller.
The rule was created based on the datasets and hackathon at https://github.com/OTRF/detection-hackathon-apt29
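The following is an added example, not the rule's own logic or code from the page or the hackathon repository: it applies the idea above to constructed Zeek `dce_rpc.log` records, flagging a source host that issues several distinct SAMR enumeration operations against one domain controller inside a short window. The operation list, the window, the threshold and the sample records are assumptions; the published rule's selection may differ.

```python
import json
from collections import defaultdict

# Added example, not the rule's own logic. SAMR operations that read user
# and group information from a domain controller, spelled the way Zeek's
# DCE/RPC analyzer names them. Assumption: this list and the thresholds
# below are ours; the published rule's selection may differ.
ENUM_OPERATIONS = {
    "SamrEnumerateUsersInDomain",
    "SamrEnumerateGroupsInDomain",
    "SamrEnumerateAliasesInDomain",
    "SamrLookupNamesInDomain",
    "SamrQueryInformationUser",
    "SamrGetMembersInGroup",
}


def parse_dce_rpc(lines):
    """Yield (ts, orig_h, resp_h, operation) from Zeek dce_rpc.log JSON lines,
    skipping records without an operation (e.g. bind-only connections)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        op = ev.get("operation")
        if op:
            yield float(ev["ts"]), ev["id.orig_h"], ev["id.resp_h"], op


def enumeration_sessions(lines, window=60.0, min_ops=3):
    """Report (orig_h, resp_h) pairs that issue at least min_ops *distinct*
    enumeration operations within any window-second span. Counting distinct
    operations rather than raw calls keeps a single repeated query, such as
    a logon path re-issuing SamrQueryInformationUser, below threshold."""
    by_pair = defaultdict(list)
    for ts, orig, resp, op in parse_dce_rpc(lines):
        if op in ENUM_OPERATIONS:
            by_pair[(orig, resp)].append((ts, op))

    hits = []
    for (orig, resp), calls in by_pair.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Slide the window start forward until it spans <= window seconds.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            distinct = {op for _, op in calls[start:end + 1]}
            if len(distinct) >= min_ops:
                # Report every enumeration call in the window that tripped
                # the threshold, not only the first min_ops of them.
                limit = calls[start][0] + window
                in_window = [c for c in calls[start:] if c[0] <= limit]
                hits.append({
                    "orig_h": orig, "resp_h": resp,
                    "operations": sorted({op for _, op in in_window}),
                    "first_ts": in_window[0][0], "last_ts": in_window[-1][0],
                })
                break  # one alert per pair is enough
    return hits


# Constructed Zeek dce_rpc.log records (JSON output). 10.0.0.2 is the DC;
# 10.0.0.5 walks the domain, 10.0.0.8 is an ordinary workstation logon.
SAMPLE_LOG = """
{"ts":1700000000.10,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrConnect5"}
{"ts":1700000001.20,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrEnumerateUsersInDomain"}
{"ts":1700000002.05,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrEnumerateGroupsInDomain"}
{"ts":1700000003.40,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrGetMembersInGroup"}
{"ts":1700000004.90,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrLookupNamesInDomain"}
{"ts":1700000005.00,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrQueryInformationUser"}
{"ts":1700000005.50,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.2","endpoint":"samr","operation":"SamrQueryInformationUser"}
{"ts":1700000006.00,"id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.2","endpoint":"srvsvc","operation":"NetrShareEnum"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in enumeration_sessions(SAMPLE_LOG):
        print(f"ALERT {hit['orig_h']} -> {hit['resp_h']}: {hit['operations']}")
```

This only works where the sensor sees the SMB named-pipe traffic to the domain controller and Zeek's DCE/RPC analyzer resolves the operation names; directory management consoles and `net user /domain` style commands produce the same operations, so the threshold and window are tuned against a baseline of administrative hosts rather than applied at a single call.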