Threat Hunt | Level: low | Status: test
System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
Hunting Hypothesis
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (5 selectors)
detection:
    selection_wmic:
        - Description: 'WMI Commandline Utility'
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_get:
        CommandLine|contains: 'get'
    selection_classes:
        CommandLine|contains:
            - 'baseboard'
            - 'bios'
            - 'cpu'
            - 'diskdrive'
            - 'logicaldisk'
            - 'memphysical'
            - 'os'
            - 'path'
            - 'startup'
            - 'win32_videocontroller'
    selection_attributes:
        CommandLine|contains:
            - 'caption'
            - 'command'
            - 'driverversion'
            - 'maxcapacity'
            - 'name'
            - 'osarchitecture'
            - 'product'
            - 'size'
            - 'smbiosbiosversion'
            - 'version'
            - 'videomodedescription'
    filter_optional_vmtools:
        ParentCommandLine|contains: '\VMware\VMware Tools\serviceDiscovery\scripts\'
    condition: all of selection_* and not 1 of filter_optional_*

False Positives
VMWare Tools serviceDiscovery scripts
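The following is an added example, not part of the Sigma rule or of this page: a stand-alone Python re-implementation of the rule's condition (all of selection_* and not 1 of filter_optional_*) evaluated over a few constructed process-creation events. It lets a defender check which events the rule would flag, including the VMware Tools serviceDiscovery parent that the optional filter suppresses, before converting the rule for a real backend. Sigma's default case-insensitive matching is assumed; the event field names follow the rule (Image, OriginalFileName, Description, CommandLine, ParentCommandLine), and the sample events and the VMware script file name are constructed placeholders.

```python
# Added example: evaluate this Sigma rule's detection logic over constructed
# Windows process-creation events. Not the project's own code.

# Keyword lists copied from the rule's selection_classes / selection_attributes.
WMIC_CLASSES = [
    "baseboard", "bios", "cpu", "diskdrive", "logicaldisk",
    "memphysical", "os", "path", "startup", "win32_videocontroller",
]
WMIC_ATTRIBUTES = [
    "caption", "command", "driverversion", "maxcapacity", "name",
    "osarchitecture", "product", "size", "smbiosbiosversion", "version",
    "videomodedescription",
]
# filter_optional_vmtools value (single backslashes in YAML, escaped here).
VMTOOLS_PARENT = "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"


def _contains_any(value, needles):
    """Sigma '|contains' over a list: case-insensitive substring, OR-ed."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event):
    """Return True when the event satisfies
    'all of selection_* and not 1 of filter_optional_*'."""
    # selection_wmic is a list of maps, so the three alternatives are OR-ed.
    sel_wmic = (
        (event.get("Description") or "").lower() == "wmi commandline utility"
        or (event.get("OriginalFileName") or "").lower() == "wmic.exe"
        or (event.get("Image") or "").lower().endswith("\\wmic.exe")
    )
    cmd = event.get("CommandLine") or ""
    sel_get = _contains_any(cmd, ["get"])
    sel_classes = _contains_any(cmd, WMIC_CLASSES)
    sel_attributes = _contains_any(cmd, WMIC_ATTRIBUTES)
    # The optional filter removes the documented VMware Tools false positive.
    filt_vmtools = _contains_any(event.get("ParentCommandLine"), [VMTOOLS_PARENT])
    return sel_wmic and sel_get and sel_classes and sel_attributes and not filt_vmtools


def run_rule(events):
    """Return the indices of the events the rule would flag."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # OS recon from an interactive cmd.exe shell -> should match
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption,osarchitecture,version",
        "ParentCommandLine": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # same kind of query, but spawned by a VMware Tools serviceDiscovery
        # script (placeholder file name) -> suppressed by filter_optional_vmtools
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic bios get smbiosbiosversion",
        "ParentCommandLine": "cscript.exe \"C:\\Program Files\\VMware\\VMware Tools"
                             "\\serviceDiscovery\\scripts\\placeholder-script.vbs\"",
    },
    {   # wmic.exe without the 'get' verb -> selection_get fails, no match
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic /node:localhost computersystem list brief",
        "ParentCommandLine": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # similar wording from PowerShell -> selection_wmic fails, no match
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Get-CimInstance Win32_OperatingSystem",
        "ParentCommandLine": "C:\\Windows\\explorer.exe",
    },
]

if __name__ == "__main__":
    print("flagged event indices:", run_rule(SAMPLE_EVENTS))  # -> [0]
```

The four selections are AND-ed, so every flagged command line must name a WMIC class and an attribute from the lists as well as the verb. Because the lists are matched as substrings, short entries such as 'os', 'name' and 'size' also match unrelated words, which is one reason the rule is tagged as a low-level threat-hunting rule rather than a high-confidence alert; when tuning it for a backend, review hits by parent process as the VMware Tools filter already does.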
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1082 System Information Discovery (attack.t1082)
Other: detection.threat-hunting
Rule Metadata
Rule ID: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
Status: test
Level: low
Type: Threat Hunt
Created: Tue Dec 19
Modified: Mon Jan 15
Author:
Path: rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml
Raw Tags
attack.discovery, attack.t1082, detection.threat-hunting