Skip to content
Threat Feed
medium advisory

Windows WMI Reconnaissance Activity Detection

Detection of Windows Management Instrumentation Command-line (WMIC) usage for reconnaissance by querying common Win32 WMI classes for system information, potentially indicating post-exploitation activity.

This brief focuses on the detection of suspicious Windows Management Instrumentation Command-line (WMIC) activity used for reconnaissance purposes. Attackers commonly use WMIC post-exploitation to gather system information, fingerprint hosts, assess virtualization environments, and tailor further malicious actions. This activity often involves querying specific Win32 WMI classes such as Win32_OperatingSystem, Win32_Processor, Win32_DiskDrive, Win32_PhysicalMemory, csproduct, and others. While WMIC has legitimate uses for system administration, unusual execution patterns, especially from non-administrative users or unexpected parent processes, can signal malicious reconnaissance, aligning with system discovery techniques (T1047). The analytic is designed to detect such anomalies. The detection logic looks for specific WMIC queries launched from unusual parent processes like cmd.exe or powershell.exe.

Attack Chain

  1. Initial Access: The attacker gains initial access to the system through an unspecified method (e.g., exploiting a vulnerability, phishing, or compromised credentials).
  2. Privilege Escalation (if necessary): The attacker escalates privileges to gain sufficient access to execute WMIC commands effectively.
  3. Command Execution: The attacker executes wmic.exe with specific class queries to gather system information. Common classes include Win32_OperatingSystem, Win32_Processor, Win32_DiskDrive, and Win32_PhysicalMemory.
  4. Data Collection: The WMIC queries enumerate hardware details, operating system information, and system configuration data.
  5. Data Staging: The collected data is staged for exfiltration or used to tailor subsequent actions within the compromised environment.
  6. Lateral Movement (optional): The attacker uses the gathered information to move laterally to other systems within the network.
  7. Objective: The ultimate objective could be data theft, ransomware deployment, or other malicious activities.

Impact

Successful reconnaissance through WMIC allows attackers to gain detailed insights into the compromised system. This information can be used to tailor further attacks, such as identifying valuable data, detecting security controls, or moving laterally to other systems. If successful, attackers can achieve their final objectives, such as data exfiltration, ransomware deployment, or disruption of services. The scope of impact is highly variable depending on the organization targeted and the data accessed.

Recommendation

  • Deploy the Sigma rule "Detect Suspicious WMI Reconnaissance Activity" to your SIEM to identify potentially malicious WMIC usage based on queried classes and unusual parent processes.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the user, process, and destination involved in the suspicious WMIC activity.
  • Monitor process execution logs (Sysmon EventID 1 or Windows Event Log Security 4688) for command-line arguments matching the targeted WMI classes outlined in the rule description.
  • Review parent processes of WMIC executions. Investigate any executions originating from unusual or unexpected parent processes.
  • Implement strict process whitelisting to prevent unauthorized execution of wmic.exe, particularly from non-administrative users.

Detection coverage 2

Detect Suspicious WMI Reconnaissance Activity

medium

Detects suspicious WMIC commands querying common Win32 WMI classes for reconnaissance purposes from unusual parent processes.

sigma tactics: discovery techniques: T1047 sources: process_creation, windows

WMIC Reconnaissance from PowerShell

medium

Detects WMIC usage from powershell to query system information.

sigma tactics: discovery techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →