Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Detection Query
selection_img:
    - Image|endswith: '\wmic.exe'
    - OriginalFileName: 'wmic.exe'
selection_cli:
    CommandLine|contains: ' group'
condition: all of selection*
Author
frack113
Created
2021-12-12
Data Sources
windows / Process Creation Events
Platforms
windows
Tags
attack.discovery, attack.t1069.001
Raw Content
title: Local Groups Reconnaissance Via Wmic.EXE
id: 164eda96-11b2-430b-85ff-6a265c15bf32
status: test
description: |
    Detects the execution of "wmic" with the "group" flag.
    Adversaries may attempt to find local system groups and permission settings.
    The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: ' group'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
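The following is an added example, not part of the rule above or of the Sigma project: it re-implements the rule's three conditions in Python and runs them over a handful of constructed Sysmon-style process-creation events, so the logic can be checked before it is deployed to a SIEM. Sigma string modifiers (`endswith`, `contains`, plain equality) are case-insensitive by default, so the code lowercases both sides. The field names follow the Sigma process_creation convention; the event records and command lines are constructed for illustration. Two events are included to show the rule's edges: a renamed copy of wmic.exe is still caught because `OriginalFileName` comes from the PE version resource, while `wmic path win32_group get name` performs the same reconnaissance through the WMI class path and is not matched, since that command line contains no `' group'` substring.

```python
# Added example: evaluate the Sigma rule's logic over constructed events.
# Not part of the original rule or the Sigma project. Field names follow the
# Sigma process_creation convention; every event below is constructed.

SAMPLE_EVENTS = [
    {   # classic local-group enumeration, should match
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic group list brief",
    },
    {   # targeted lookup of the Administrators group, should match
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'wmic group where name="Administrators" get name,sid',
    },
    {   # renamed binary: Image no longer ends with \wmic.exe, but
        # OriginalFileName (PE version resource) still identifies it
        "Image": r"C:\Users\Public\w.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "w.exe group list",
    },
    {   # same reconnaissance via the WMI class path: no ' group' substring,
        # so the rule as written does not match (a known gap of this rule)
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic path win32_group get name",
    },
    {   # different tool, out of scope for this rule
        "Image": r"C:\Windows\System32\net.exe",
        "OriginalFileName": "net.exe",
        "CommandLine": "net localgroup administrators",
    },
    {   # wmic used for something else, should not match
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption",
    },
]


def selection_img(event):
    """selection_img: a list of maps in Sigma is OR-ed, so either clause suffices.
    Comparisons are case-insensitive, as Sigma string matching is by default."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"


def selection_cli(event):
    """selection_cli: CommandLine|contains ' group' (note the leading space)."""
    return " group" in event.get("CommandLine", "").lower()


def matches(event):
    """condition: all of selection* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def run(events):
    """Return the command lines of all events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cmd in run(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Running the block prints alerts for the first three events only. The fourth event is the one worth keeping in mind when tuning: because the selection keys on the literal substring `' group'`, enumeration through `wmic path win32_group` (or `win32_groupuser`) needs a separate selection if it should be covered, and a leading-space substring will also match any unrelated wmic invocation that happens to contain the word "group" after a space, which is why the rule ships at level low with false positives marked unknown.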