
Summary
This detection rule identifies execution of the Windows Management Instrumentation Command-line tool (wmic) with the 'group' alias, which is indicative of reconnaissance activity. Adversaries may use this command to enumerate local groups and their associated permissions on a Windows machine. By gaining insight into local system groups, attackers can ascertain important security information, such as which accounts have elevated privileges, particularly members of the local Administrators group. This information can be critical for planning further attacks, including privilege escalation. The detection is achieved by monitoring process creation events for the wmic.exe process being run with the 'group' argument. If this command is executed, it warrants further investigation because of its potential use as a preparatory step for attacks on privileged accounts.
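The following is an added example of the rule's logic applied to constructed process-creation events; it is not the rule's own query or code from the rule's authors. It assumes Sysmon-style Image and CommandLine fields, matches the image name case-insensitively, and treats 'group' as the WMI alias argument (after any global switches such as /node) rather than as a bare substring, so a similar-looking event from another tool does not match.

```python
import shlex

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic group get name,sid"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic group where \"Name='Administrators'\" get sid"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic process get name"},
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup administrators"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic /node:server01 group list brief"},
]


def is_wmic_group_recon(event: dict) -> bool:
    """Return True when the event is wmic.exe invoked with the 'group' alias.

    Criteria assumed from the rule summary: the image name ends with wmic.exe
    (compared case-insensitively, as Windows paths are) and the first
    non-switch argument on the command line is the WMI 'group' alias.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\wmic.exe"):
        return False
    cmdline = event.get("CommandLine", "")
    try:
        # shlex approximates Windows quoting well enough for these arguments.
        args = shlex.split(cmdline, posix=True)
    except ValueError:
        # Unbalanced quotes: fall back to a whitespace split rather than dropping the event.
        args = cmdline.split()
    # args[0] is the executable; skip global switches such as /node:host before the alias.
    aliases = [a.lower() for a in args[1:] if not a.startswith("/")]
    return bool(aliases) and aliases[0] == "group"


def find_group_recon(events) -> list:
    """Return the command lines of all events that match the detection."""
    return [e["CommandLine"] for e in events if is_wmic_group_recon(e)]


if __name__ == "__main__":
    for hit in find_group_recon(SAMPLE_EVENTS):
        print("ALERT wmic group enumeration:", hit)
```

Events from other tools that list groups (the constructed net1 event above) are outside this rule's scope and need their own detection.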
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Process
- Command
ATT&CK Techniques
- T1069.001
Created: 2021-12-12