sigma | medium | Hunting
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" alias, which is used to obtain information such as hardware models and vendor information.
Detection Query
selection_img:
    - Image|endswith: \wmic.exe
    - OriginalFileName: wmic.exe
selection_cli:
    CommandLine|contains: csproduct
condition: all of selection_*
Author
Florian Roth (Nextron Systems)
Created
2023-02-14
Data Sources
windows: Process Creation Events
Platforms
windows
References
Tags
attack.execution, attack.t1047, car.2016-03-002
Raw Content
title: Hardware Model Reconnaissance Via Wmic.EXE
id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
status: test
description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
references:
    - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
    - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
author: Florian Roth (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'csproduct'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
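
Added example (not part of the rule or the Sigma project): the rule's detection logic evaluated in Python over constructed process-creation events, to show which cases it does and does not cover. The event dictionaries, the function names and the file paths in them are assumptions made for illustration; the field names are the ones the rule uses.

```python
# Evaluate the rule's two selections against process-creation events.
# Sigma string matching is case-insensitive, so values are lowercased first.

def selection_img(event):
    # The two list items under selection_img are alternatives (logical OR):
    # either the path ends in \wmic.exe or the PE OriginalFileName is wmic.exe.
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"

def selection_cli(event):
    # CommandLine|contains: 'csproduct'
    return "csproduct" in (event.get("CommandLine") or "").lower()

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

def hits(events):
    # Indexes of the events the rule would alert on.
    return [i for i, e in enumerate(events) if matches(e)]

# Constructed sample events (not real telemetry).
EVENTS = [
    # 0: plain invocation from the default path
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic csproduct get name,vendor"},
    # 1: renamed copy, still matched through OriginalFileName
    {"Image": r"C:\Users\Public\w.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe CSPRODUCT get UUID"},
    # 2: log source without OriginalFileName, matched through the path
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic csproduct get identifyingnumber"},
    # 3: WMIC without the csproduct alias
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    # 4: the keyword in another process's command line
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo csproduct"},
    # 5: file name that merely ends in wmic.exe (no leading backslash match)
    {"Image": r"C:\Tools\notwmic.exe",
     "CommandLine": "notwmic.exe csproduct"},
]

if __name__ == "__main__":
    print(hits(EVENTS))
```
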