Detection rules › Sigma
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1047 Windows Management Instrumentation |
| Discovery | T1082 System Information Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\wmic.exe'
OriginalFileName: wmic.exe
Stage 2: all of selection_cli
or:
CommandLine|contains: AntiSpywareProduct
CommandLine|contains: AntiVirusProduct
CommandLine|contains: FirewallProduct
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|