<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>APT35 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/apt35/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 14:45:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/apt35/feed.xml" rel="self" type="application/rss+xml"/><item><title>Computer System Reconnaissance Via Wmic.EXE</title><link>https://feed.craftedsignal.io/briefs/2026-07-wmic-recon-computersystem/</link><pubDate>Fri, 03 Jul 2026 14:45:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wmic-recon-computersystem/</guid><description>This brief details the use of `wmic.exe` with the `computersystem` flag for reconnaissance, a technique observed in campaigns by adversaries such as DEV-0270 (Phosphorus), to gather system information like domain, username, and model.</description><content:encoded><![CDATA[<p>Adversaries, notably groups like DEV-0270 (also known as Phosphorus), leverage the native Windows Management Instrumentation Command-line (WMIC) utility for system reconnaissance. This technique involves executing <code>wmic.exe</code> with the <code>computersystem</code> flag to query for detailed machine information. This activity, observed since at least late 2022, serves as a crucial precursor to subsequent attack stages in ransomware operations. By gathering data such as domain membership, current username, system model, and operating system details, attackers can tailor their approach for privilege escalation, lateral movement, or targeted data exfiltration. The use of a legitimate system binary makes this activity harder to detect without specific command-line logging and careful analysis.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance Command Execution</strong>: An attacker executes <code>wmic.exe</code> with the <code>computersystem</code> class to enumerate system properties.</li>
<li><strong>Information Gathering</strong>: The command <code>wmic computersystem get</code> or similar is run to extract details such as the computer's domain, username, manufacturer, model, and OS version.</li>
<li><strong>Data Collection</strong>: The collected system information is often stored temporarily on the compromised host or directly transmitted to the attacker's command and control (C2) infrastructure.</li>
<li><strong>Decision Making</strong>: Based on the gathered information, the adversary makes decisions regarding the next steps in their campaign, such as identifying targets for lateral movement or specific privilege escalation techniques.</li>
<li><strong>Preparation for Exploitation</strong>: The reconnaissance data informs the deployment of additional tools or the exploitation of specific vulnerabilities relevant to the discovered system configuration.</li>
<li><strong>Further Attack Phases</strong>: The adversary proceeds with privilege escalation, lateral movement, data exfiltration, or the deployment of payloads like ransomware, as observed in DEV-0270 operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The direct impact of <code>wmic.exe</code> reconnaissance is information disclosure, which itself is low-risk. However, as demonstrated by ransomware operators like DEV-0270 (Phosphorus), this type of reconnaissance is a foundational step enabling more severe impacts. Successful information gathering allows attackers to tailor highly effective follow-on attacks, such as deploying ransomware, exfiltrating sensitive data, or causing significant operational disruption. Without detecting and mitigating these initial reconnaissance activities, organizations face a heightened risk of full system compromise, data breaches, and financial losses due to ransomware demands and recovery efforts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;Computer System Reconnaissance Via Wmic.EXE&quot; Sigma rule to your SIEM to detect suspicious <code>wmic.exe</code> usage.</li>
<li>Ensure Sysmon (Event ID 1) or equivalent process creation logging is enabled for all Windows endpoints to capture command-line arguments for <code>wmic.exe</code>.</li>
<li>Tune the &quot;Computer System Reconnaissance Via Wmic.EXE&quot; rule to establish a baseline of legitimate <code>wmic</code> usage in your environment and minimize false positives.</li>
<li>Monitor for other forms of system information discovery, as attackers often combine various reconnaissance techniques.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>discovery</category><category>reconnaissance</category><category>windows</category><category>ransomware</category></item></channel></rss>