
Process Reconnaissance Via Wmic.EXE

Summary
This detection rule identifies execution of the Windows Management Instrumentation Command-line utility (WMIC) with the 'process' argument, a common reconnaissance step on a compromised system. With the 'process' argument, adversaries can enumerate running processes or installed software patches, which reveals vulnerable services, active applications, and system configuration details that could be exploited. The rule monitors process creation events for 'wmic.exe' and checks whether the command line contains the term 'process'. Its condition requires that all specified selections match and that none of the defined filters match, which reduces false positives. Because it surfaces an early stage of post-compromise activity, the rule is a useful addition to the detection coverage of Windows environments.
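The following is an added worked example, not the rule's own source, showing how the described condition ("all selections match and no filter matches") evaluates against process creation events. The image and command-line selections follow the summary above; the benign-parent filter and the sample events are constructed placeholders (a hypothetical inventory agent path) and are not the rule's actual exclusions.

```python
"""Toy evaluator for the WMIC process-reconnaissance detection described above.

Selection logic (wmic.exe image plus 'process' in the command line) follows the
page's description. The filter entry below is an ASSUMED placeholder, not the
rule's real exclusion list; the sample events are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line of the created process
    parent_image: str   # full path of the parent process


def selection_image(ev: ProcessEvent) -> bool:
    """Selection 1: the created process is wmic.exe (case-insensitive, like Sigma's defaults)."""
    return ev.image.lower().endswith("\\wmic.exe")


def selection_cmdline(ev: ProcessEvent) -> bool:
    """Selection 2: the command line carries the 'process' argument."""
    return "process" in ev.command_line.lower()


# ASSUMED placeholder exclusion: a hypothetical software-inventory agent that runs
# 'wmic process' legitimately. Replace with exclusions validated in your own environment.
ASSUMED_BENIGN_PARENTS = ("\\hypothetical_inventory_agent.exe",)


def filter_benign_parent(ev: ProcessEvent) -> bool:
    """Filter: parent process is on the (assumed) known-benign list."""
    return ev.parent_image.lower().endswith(ASSUMED_BENIGN_PARENTS)


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma-style condition: all of selection_* and not any filter_*."""
    selections = (selection_image(ev), selection_cmdline(ev))
    filters = (filter_benign_parent(ev),)
    return all(selections) and not any(filters)


def run_detection(events):
    """Return the events that trigger the rule, preserving input order."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample process-creation events (Sysmon Event ID 1-like fields).
SAMPLE_EVENTS = [
    # both selections match, no filter -> alert
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic process list brief",
                 r"C:\Windows\System32\cmd.exe"),
    # wmic.exe but no 'process' argument -> selection 2 fails
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic qfe list full",
                 r"C:\Windows\System32\cmd.exe"),
    # 'process' in the command line but not wmic.exe -> selection 1 fails
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad process-notes.txt",
                 r"C:\Windows\explorer.exe"),
    # both selections match but the assumed benign-parent filter suppresses it
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe",
                 "WMIC PROCESS get name,processid",
                 r"C:\Program Files\Example\hypothetical_inventory_agent.exe"),
]

if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line, "| parent:", ev.parent_image)
```

Only the first sample event produces an alert. The fourth shows why the filter clause matters for false-positive control: both selections match, so without a reviewed exclusion list every legitimate inventory run would fire the rule.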
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1047
Created: 2022-01-01