System Information Discovery Via Wmic.EXE

    Date: 08/19/2024

    Severity: Medium

    Summary

    "System Information Discovery Via Wmic.EXE" involves using the Windows Management Instrumentation Command-line (WMIC) tool to gather detailed system information on a computer. WMIC allows users to query and retrieve data about system hardware, software, and configurations, such as operating system version, installed applications, and hardware components. This method is often used in administrative tasks or security assessments to collect system information in a structured and automated manner.

    Indicators of Compromise (IOC) List

    Field               Indicator value(s)
    -----------------   ------------------------------------------------------------
    Description         'WMI Commandline Utility'
    OriginalFileName    'wmic.exe'
    Image               '\WMIC.exe' (matched as a path suffix)
    CommandLine         'get'
                        'baseboard', 'bios', 'cpu', 'diskdrive', 'logicaldisk',
                        'memphysical', 'os', 'path', 'startup', 'win32_videocontroller'
                        'caption', 'command', 'driverversion', 'maxcapacity', 'name',
                        'osarchitecture', 'product', 'size', 'smbiosbiosversion',
                        'version', 'videomodedescription'
    ParentCommandLine   '\VMware\VMware Tools\serviceDiscovery\scripts\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((((ResourceName = "Sysmon" AND eventtype = "1") AND description = "WMI Commandline Utility") AND originalfilename = "wmic.exe") AND image = "\WMIC.exe") AND commandline in ("get","baseboard","bios","cpu","diskdrive","logicaldisk","memphysical","os","path","startup","win32_videocontroller","caption","command","driverversion","maxcapacity","name","osarchitecture","product","size","smbiosbiosversion","version","videomodedescription")) AND parentcommandline in ("\\VMware\\VMware Tools\\serviceDiscovery\\scripts")

    Detection Query 2

    (((((Technologygroup = "EDR" ) AND description = "WMI Commandline Utility") AND originalfilename = "wmic.exe") AND image = "\WMIC.exe") AND commandline in ("get","baseboard","bios","cpu","diskdrive","logicaldisk","memphysical","os","path","startup","win32_videocontroller","caption","command","driverversion","maxcapacity","name","osarchitecture","product","size","smbiosbiosversion","version","videomodedescription")) AND parentcommandline in ("\\VMware\\VMware Tools\\serviceDiscovery\\scripts")
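The following Python is an added example; it is not part of the Gurucul advisory and not the referenced SigmaHQ rule. It applies the indicators listed above to constructed Sysmon-style process-creation records so that each condition (binary identity, command-line content, parent-process exclusion) can be checked in isolation. The record field names, the sample events and the placeholder script path are assumptions made for the illustration. Two design choices are deliberate: the three identity indicators (Image suffix, OriginalFileName, Description) are treated as alternatives rather than as a conjunction, so a renamed copy of the binary is still identified through the PE version-resource fields that Sysmon reports; and the ParentCommandLine indicator is applied as an exclusion for the VMware Tools service-discovery scripts, which is how the referenced Sigma rule uses that value.

```python
from dataclasses import dataclass

# Indicator values from the advisory's IOC list; all comparisons are case-insensitive.
IMAGE_SUFFIX = "\\wmic.exe"                 # Image '\WMIC.exe', matched as a path suffix
ORIGINAL_FILE_NAME = "wmic.exe"            # OriginalFileName from the PE version resource
DESCRIPTION = "wmi commandline utility"    # Description (FileDescription) from the same resource

# CommandLine indicators: the 'get' verb, a WMI class/alias, and a property name.
WMI_CLASSES = ("baseboard", "bios", "cpu", "diskdrive", "logicaldisk",
               "memphysical", "os", "path", "startup", "win32_videocontroller")
WMI_PROPERTIES = ("caption", "command", "driverversion", "maxcapacity", "name",
                  "osarchitecture", "product", "size", "smbiosbiosversion",
                  "version", "videomodedescription")

# ParentCommandLine indicator, applied here as an exclusion (assumption made for this
# example, following the referenced Sigma rule's filter for VMware Tools scripts).
BENIGN_PARENT_FRAGMENT = "\\vmware\\vmware tools\\servicediscovery\\scripts\\"


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record; the field names are this example's assumption."""
    image: str
    original_file_name: str
    description: str
    command_line: str
    parent_command_line: str


def is_wmic(ev: ProcessCreate) -> bool:
    """Identify wmic.exe by on-disk name or by either version-resource field."""
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            or ev.original_file_name.lower() == ORIGINAL_FILE_NAME
            or ev.description.lower() == DESCRIPTION)


def is_system_info_query(ev: ProcessCreate) -> bool:
    """All three CommandLine indicator groups must be present (substring match, any case)."""
    cl = ev.command_line.lower()
    return ("get" in cl
            and any(cls in cl for cls in WMI_CLASSES)
            and any(prop in cl for prop in WMI_PROPERTIES))


def has_benign_parent(ev: ProcessCreate) -> bool:
    """True when the parent is the VMware Tools service-discovery script location."""
    return BENIGN_PARENT_FRAGMENT in ev.parent_command_line.lower()


def should_alert(ev: ProcessCreate) -> bool:
    """Alert condition: wmic identity + system-info query, minus the known-benign parent."""
    return is_wmic(ev) and is_system_info_query(ev) and not has_benign_parent(ev)


def scan(events):
    """Return the indices of the events that satisfy the alert condition."""
    return [i for i, ev in enumerate(events) if should_alert(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 0: OS enumeration launched from an interactive shell -> alert
    ProcessCreate(
        image="C:\\Windows\\System32\\wbem\\WMIC.exe",
        original_file_name="wmic.exe",
        description="WMI Commandline Utility",
        command_line="wmic os get Caption,Version,OSArchitecture",
        parent_command_line="C:\\Windows\\System32\\cmd.exe",
    ),
    # 1: identical query launched by the VMware Tools discovery scripts -> excluded
    ProcessCreate(
        image="C:\\Windows\\System32\\wbem\\WMIC.exe",
        original_file_name="wmic.exe",
        description="WMI Commandline Utility",
        command_line="wmic os get Caption,Version,OSArchitecture",
        parent_command_line='cmd.exe /c "C:\\Program Files\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\placeholder-script.bat"',
    ),
    # 2: renamed copy of wmic.exe; Image no longer matches, the version resource still does -> alert
    ProcessCreate(
        image="C:\\Users\\Public\\update.exe",
        original_file_name="wmic.exe",
        description="WMI Commandline Utility",
        command_line="update.exe bios get SMBIOSBIOSVersion,Name",
        parent_command_line="powershell.exe",
    ),
    # 3: wmic invoked without the 'get' verb -> no alert
    ProcessCreate(
        image="C:\\Windows\\System32\\wbem\\WMIC.exe",
        original_file_name="wmic.exe",
        description="WMI Commandline Utility",
        command_line="wmic bios list brief",
        parent_command_line="C:\\Windows\\System32\\cmd.exe",
    ),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Matching on the command line is case-insensitive substring matching, the same behaviour as Sigma's contains modifier, so short tokens such as 'os' and 'name' can also hit inside longer words. The logic is therefore broad by design and should be tuned against the environment's parent-process baseline before it is promoted from hunting to alerting.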

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml


    Tags

    SigmaMalware
