{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/ta453/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["DEV-0270","APT35","Charming Kitten","TA453","Mint Sandstorm","Phosphorus"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","reconnaissance","windows","ransomware"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdversaries, notably groups like DEV-0270 (also known as Phosphorus), leverage the native Windows Management Instrumentation Command-line (WMIC) utility for system reconnaissance. This technique involves executing \u003ccode\u003ewmic.exe\u003c/code\u003e with the \u003ccode\u003ecomputersystem\u003c/code\u003e flag to query for detailed machine information. This activity, observed since at least late 2022, serves as a crucial precursor to subsequent attack stages in ransomware operations. By gathering data such as domain membership, current username, system model, and operating system details, attackers can tailor their approach for privilege escalation, lateral movement, or targeted data exfiltration. The use of a legitimate system binary makes this activity harder to detect without specific command-line logging and careful analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance Command Execution\u003c/strong\u003e: An attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with the \u003ccode\u003ecomputersystem\u003c/code\u003e class to enumerate system properties.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Gathering\u003c/strong\u003e: The command \u003ccode\u003ewmic computersystem get\u003c/code\u003e or similar is run to extract details such as the computer's domain, username, manufacturer, model, and OS version.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection\u003c/strong\u003e: The collected system information is often stored temporarily on the compromised host or directly transmitted to the attacker's command and control (C2) infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDecision Making\u003c/strong\u003e: Based on the gathered information, the adversary makes decisions regarding the next steps in their campaign, such as identifying targets for lateral movement or specific privilege escalation techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePreparation for Exploitation\u003c/strong\u003e: The reconnaissance data informs the deployment of additional tools or the exploitation of specific vulnerabilities relevant to the discovered system configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Attack Phases\u003c/strong\u003e: The adversary proceeds with privilege escalation, lateral movement, data exfiltration, or the deployment of payloads like ransomware, as observed in DEV-0270 operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe direct impact of \u003ccode\u003ewmic.exe\u003c/code\u003e reconnaissance is information disclosure, which itself is low-risk. However, as demonstrated by ransomware operators like DEV-0270 (Phosphorus), this type of reconnaissance is a foundational step enabling more severe impacts. Successful information gathering allows attackers to tailor highly effective follow-on attacks, such as deploying ransomware, exfiltrating sensitive data, or causing significant operational disruption. Without detecting and mitigating these initial reconnaissance activities, organizations face a heightened risk of full system compromise, data breaches, and financial losses due to ransomware demands and recovery efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Computer System Reconnaissance Via Wmic.EXE\u0026quot; Sigma rule to your SIEM to detect suspicious \u003ccode\u003ewmic.exe\u003c/code\u003e usage.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon (Event ID 1) or equivalent process creation logging is enabled for all Windows endpoints to capture command-line arguments for \u003ccode\u003ewmic.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eTune the \u0026quot;Computer System Reconnaissance Via Wmic.EXE\u0026quot; rule to establish a baseline of legitimate \u003ccode\u003ewmic\u003c/code\u003e usage in your environment and minimize false positives.\u003c/li\u003e\n\u003cli\u003eMonitor for other forms of system information discovery, as attackers often combine various reconnaissance techniques.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:45:54Z","date_published":"2026-07-03T14:45:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wmic-recon-computersystem/","summary":"This brief details the use of `wmic.exe` with the `computersystem` flag for reconnaissance, a technique observed in campaigns by adversaries such as DEV-0270 (Phosphorus), to gather system information like domain, username, and model.","title":"Computer System Reconnaissance Via Wmic.EXE","url":"https://feed.craftedsignal.io/briefs/2026-07-wmic-recon-computersystem/"}],"language":"en","title":"CraftedSignal Threat Feed - TA453","version":"https://jsonfeed.org/version/1.1"}