← Back to Explore
sigmamediumHunting
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Detection Query
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
selection_cli:
CommandLine|contains: Product
filter_main_call_operations:
CommandLine|contains:
- " uninstall"
- " install"
condition: all of selection_* and not 1 of filter_main_*
Author
Nasreddine Bencherchali
Created
2023-02-14
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1047
Raw Content
title: Potential Product Reconnaissance Via Wmic.EXE
id: 15434e33-5027-4914-88d5-3d4145ec25a9
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
- https://thedfirreport.com/2023/03/06/2022-year-in-review/
- https://www.yeahhub.com/list-installed-programs-version-path-windows/
- https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
author: Nasreddine Bencherchali
date: 2023-02-14
modified: 2025-10-22
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'Product'
filter_main_call_operations:
# wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
CommandLine|contains:
- ' uninstall'
- ' install'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium