← Back to Explore
sigmamediumHunting
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Detection Query
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
selection_cli:
CommandLine|contains: process
filter_main_creation:
CommandLine|contains|all:
- call
- create
condition: all of selection* and not 1 of filter_*
Author
frack113
Created
2022-01-01
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1047
Raw Content
title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'process'
filter_main_creation:
CommandLine|contains|all:
# Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
- 'call'
- 'create'
condition: all of selection* and not 1 of filter_*
falsepositives:
- Unknown
level: medium