Detection of WMIC System Information Discovery
Adversaries may use Windows Management Instrumentation Command-line (WMIC) to gather system information, specifically using the `computersystem` alias to retrieve details about the system's configuration, which aids in reconnaissance.
This analytic detects the use of the Windows Management Instrumentation Command-line (WMIC) utility to gather detailed system information. Specifically, it focuses on the use of commands like wmic computersystem which are used to retrieve the computer's model, manufacturer, name, domain, and other system attributes. While legitimate administrators use these commands for inventory and troubleshooting, adversaries may use them to gain insight into the target environment during the reconnaissance phase of an attack. Identifying unauthorized use of WMIC for system queries can help security teams detect and mitigate potential threats early in the attack lifecycle. The detection focuses on process execution data from Sysmon, Windows Event Logs, and EDR solutions. This activity has been associated with multiple threat actors, including those using tools like LAMEHUG, BlankGrabber Stealer, and Lotus Blossom Chrysalis Backdoor.
Attack Chain
- The attacker gains initial access to the system (e.g., through compromised credentials or exploitation).
- The attacker executes
wmic.exevia command line or script. - The
wmic.exeprocess calls thecomputersystemalias. - The
computersystemalias retrieves system information, including manufacturer, model, and domain. - The attacker parses the output of the WMIC command to gather relevant details.
- The attacker uses this information to map the environment and plan further actions.
- The attacker may use collected data for lateral movement by identifying domain controllers or other high-value targets.
- The attacker continues the attack lifecycle, possibly leading to data exfiltration, ransomware deployment, or other malicious activities.
Impact
A successful reconnaissance phase allows the attacker to gain a comprehensive understanding of the target environment. This can lead to more effective lateral movement, privilege escalation, and ultimately, the achievement of the attacker's objectives, such as data theft, system compromise, or disruption of services. Without detection, attackers can operate with impunity, significantly increasing the risk of a major security breach. The specific impact depends on the attacker's goals and the nature of the compromised systems.
Recommendation
- Monitor process creation events for
wmic.exeexecuting with arguments related to system information retrieval, as detected by the ruleWindows WMIC Systeminfo Discovery. - Implement the Sigma rules provided to detect suspicious
wmic.execommand-line activity within your SIEM. - Tune the provided Sigma rules for your environment by filtering out known legitimate uses of
wmic.exebased on parent processes or user accounts, as mentioned inknown_false_positives. - Investigate any alerts generated by these rules to determine the legitimacy of the activity and take appropriate remediation steps.
- Enable Sysmon EventID 1 or Windows Event Log Security 4688 logging to capture the necessary process creation events for the detection to function.
Detection coverage 2
WMIC Computersystem Execution
mediumDetects the execution of WMIC with the 'computersystem' alias, which is commonly used for system discovery.
WMIC Computersystem with Suspicious Parent Process
highDetects WMIC computersystem being executed by a non-standard parent process.
Detection queries are available on the platform. Get full rules →