Type: Detection | Level: medium | Status: test
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate the security products installed on a system to identify the controls in place and look for ways to evade detection or disable protection. This information helps them plan their next steps and choose techniques that bypass those measures.
Authors: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Tue Feb 14 | Updated: Mon Mar 17
Rule ID: e568650b-5dcd-4658-8f34-ded0b1e13992
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        # Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        CommandLine|contains:
            - 'AntiVirusProduct'
            - 'AntiSpywareProduct'
            - 'FirewallProduct'
    condition: all of selection_*
False Positives
Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispyware products (for example, inventory or compliance scripts).
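To show how the two selectors and the `all of selection_*` condition combine, here is a small offline evaluator run over constructed process-creation events. It is an added example, not part of the Sigma rule or the Sigma project; the event dictionaries, hostnames and paths are made up, and the matcher only implements the two modifiers this rule uses (`endswith`, `contains`, plus an exact field match), with Sigma's default case-insensitive string comparison.

```python
# Added example (not part of the Sigma rule or the Sigma project): a minimal
# offline evaluator for the rule's two selectors, run over constructed
# process_creation events. Field names follow the Sigma process_creation
# schema used by the rule (Image, OriginalFileName, CommandLine).

PRODUCT_CLASSES = ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct")


def _s(value):
    """Normalise a possibly-missing field to a lowercase string.
    Sigma string comparisons are case-insensitive unless |cased is given."""
    return (value or "").lower()


def selection_img(event: dict) -> bool:
    """selection_img: a YAML list of maps is OR-ed, so either check suffices."""
    return (_s(event.get("Image")).endswith("\\wmic.exe")
            or _s(event.get("OriginalFileName")) == "wmic.exe")


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains with a list matches on any value."""
    cmd = _s(event.get("CommandLine"))
    return any(cls.lower() in cmd for cls in PRODUCT_CLASSES)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selectors must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = {
    # The example command quoted in the rule's own YAML comment.
    "securitycenter2_query": {
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r"wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List",
    },
    # Same query with the binary copied under another name: OriginalFileName
    # (taken from the PE version resource) still identifies it, and the
    # comparison is case-insensitive, so the lowercase class name still hits.
    "renamed_binary": {
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r"svc.exe /namespace:\\root\securitycenter2 path firewallproduct get displayname",
    },
    # Ordinary wmic use: selection_img holds but selection_cli does not.
    "benign_os_query": {
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption,version",
    },
    # Log source that omits OriginalFileName entirely: the Image check alone
    # still satisfies selection_img, so the rule must not crash on the gap.
    "missing_fields": {
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiSpywareProduct get displayName",
    },
}


def evaluate(events: dict) -> dict:
    """Return {event_name: matched} for every event, as a SIEM rule run would."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Two things the run makes visible. First, the rule is scoped by `selection_img` to wmic.exe itself; the same WMI classes queried through other tooling fall outside it and need their own rule. Second, the listed false positive (a legitimate inventory script) produces an event identical to the true positive at this layer, so triage has to lean on context the rule does not evaluate, such as the parent process, the executing user and whether the host is one where such scripts are expected.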
MITRE ATT&CK
Execution (TA0002): T1047 Windows Management Instrumentation
Discovery (TA0007): T1082 System Information Discovery
Rule Metadata
Rule ID
e568650b-5dcd-4658-8f34-ded0b1e13992
Status
test
Level
medium
Type
Detection
Created
Tue Feb 14
Modified
Mon Mar 17
Author
Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
Raw Tags
attack.execution, attack.t1047, attack.discovery, attack.t1082