Sigma | medium | Hunting

Computer System Reconnaissance Via Wmic.EXE

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

MITRE ATT&CK

discovery, execution

Detection Query

selection_img:
  - Image|endswith: \wmic.exe
  - OriginalFileName: wmic.exe
selection_cli:
  CommandLine|contains: computersystem
condition: all of selection_*
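To make the matching semantics concrete, here is an added Python evaluator for the query above (not part of the rule or of the Sigma project) run over constructed process-creation events. It assumes the event fields Image, OriginalFileName and CommandLine as Sigma exposes them for Sysmon Event ID 1 / Security 4688, and applies Sigma's default case-insensitive string matching.

```python
# Added example: evaluates the rule's selection logic over constructed
# Windows process-creation events. Field names (Image, OriginalFileName,
# CommandLine) are the ones the Sigma process_creation log source exposes.

def _ci_endswith(value, suffix):
    # Sigma string modifiers compare case-insensitively by default
    return value is not None and value.lower().endswith(suffix.lower())

def _ci_equals(value, other):
    return value is not None and value.lower() == other.lower()

def _ci_contains(value, needle):
    return value is not None and needle.lower() in value.lower()

def selection_img(event):
    """A list under a selection is OR-ed: either item satisfies it."""
    return (_ci_endswith(event.get("Image"), "\\wmic.exe")
            or _ci_equals(event.get("OriginalFileName"), "wmic.exe"))

def selection_cli(event):
    """A map under a selection is AND-ed; here it holds a single field."""
    return _ci_contains(event.get("CommandLine"), "computersystem")

def matches_rule(event):
    """condition: all of selection_* -> every selection_ block must hold."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic computersystem get domain,username,model"},
    {"Image": r"C:\Users\Public\svc.exe",           # renamed on disk ...
     "OriginalFileName": "wmic.exe",                # ... but PE header still says wmic.exe
     "CommandLine": "svc.exe ComputerSystem get Name"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},     # wmic, but a different class
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell Get-CimInstance Win32_ComputerSystem"},  # out of this rule's scope
]

def evaluate(events):
    """Return the indexes of the events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # [0, 1]
```

The second event shows why the OriginalFileName alternative matters, and the last one shows that the rule is scoped to wmic.exe as its title states, so equivalent CIM queries need separate coverage.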

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-09-08

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.discovery, attack.execution, attack.t1047
Raw Content
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium