EXPLORE
← Back to Explore
sigmamediumHunting

Potential Process Reconnaissance via Wmic.EXE

Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes. Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.

MITRE ATT&CK

executiondiscovery

Detection Query

selection_img:
  - Image|endswith: \WMIC.exe
  - OriginalFileName: wmic.exe
selection_cli:
  CommandLine|contains: process
filter_main_creation:
  CommandLine|contains|all:
    - call
    - create
filter_main_terminate:
  CommandLine|contains|all:
    - call
    - terminate
condition: all of selection* and not 1 of filter_main_*

Author

frack113

Created

2022-01-01

Data Sources

windowsProcess Creation Events

Platforms

windows

Tags

attack.executionattack.t1047attack.discoveryattack.t1057
Raw Content
title: Potential Process Reconnaissance via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: |
    Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes.
    Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2025-12-15
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'process'
    filter_main_creation:
        CommandLine|contains|all:
            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
            - 'call'
            - 'create'
    filter_main_terminate:
        CommandLine|contains|all:
            # Rule id 49d9671b-0a0a-4c09-8280-d215bfd30662 for `wmic path win32_process where processid=#{processid_to_terminate} call terminate`
            - 'call'
            - 'terminate'
    condition: all of selection* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: WMI Reconnaissance Processes
      technique: T1047
      atomic_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_process/info.yml