Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

Local Groups Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Dec 12Updated Tue Feb 14164eda96-11b2-430b-85ff-6a265c15bf32windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: ' group'
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
164eda96-11b2-430b-85ff-6a265c15bf32
Status
test
Level
low
Type
Detection
Created
Sun Dec 12
Modified
Tue Feb 14
Author
François Hubaut
Path
rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml
Raw Tags
attack.discoveryattack.t1069.001
View on GitHub