Skip to content
Threat Feed
medium advisory

Detection of WMIC System Information Discovery

Adversaries may use Windows Management Instrumentation Command-line (WMIC) to gather system information, specifically using the `computersystem` alias to retrieve details about the system's configuration, which aids in reconnaissance.

This analytic detects the use of the Windows Management Instrumentation Command-line (WMIC) utility to gather detailed system information. Specifically, it focuses on the use of commands like wmic computersystem which are used to retrieve the computer's model, manufacturer, name, domain, and other system attributes. While legitimate administrators use these commands for inventory and troubleshooting, adversaries may use them to gain insight into the target environment during the reconnaissance phase of an attack. Identifying unauthorized use of WMIC for system queries can help security teams detect and mitigate potential threats early in the attack lifecycle. The detection focuses on process execution data from Sysmon, Windows Event Logs, and EDR solutions. This activity has been associated with multiple threat actors, including those using tools like LAMEHUG, BlankGrabber Stealer, and Lotus Blossom Chrysalis Backdoor.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through compromised credentials or exploitation).
  2. The attacker executes wmic.exe via command line or script.
  3. The wmic.exe process calls the computersystem alias.
  4. The computersystem alias retrieves system information, including manufacturer, model, and domain.
  5. The attacker parses the output of the WMIC command to gather relevant details.
  6. The attacker uses this information to map the environment and plan further actions.
  7. The attacker may use collected data for lateral movement by identifying domain controllers or other high-value targets.
  8. The attacker continues the attack lifecycle, possibly leading to data exfiltration, ransomware deployment, or other malicious activities.

Impact

A successful reconnaissance phase allows the attacker to gain a comprehensive understanding of the target environment. This can lead to more effective lateral movement, privilege escalation, and ultimately, the achievement of the attacker's objectives, such as data theft, system compromise, or disruption of services. Without detection, attackers can operate with impunity, significantly increasing the risk of a major security breach. The specific impact depends on the attacker's goals and the nature of the compromised systems.

Recommendation

  • Monitor process creation events for wmic.exe executing with arguments related to system information retrieval, as detected by the rule Windows WMIC Systeminfo Discovery.
  • Implement the Sigma rules provided to detect suspicious wmic.exe command-line activity within your SIEM.
  • Tune the provided Sigma rules for your environment by filtering out known legitimate uses of wmic.exe based on parent processes or user accounts, as mentioned in known_false_positives.
  • Investigate any alerts generated by these rules to determine the legitimacy of the activity and take appropriate remediation steps.
  • Enable Sysmon EventID 1 or Windows Event Log Security 4688 logging to capture the necessary process creation events for the detection to function.

Detection coverage 2

WMIC Computersystem Execution

medium

Detects the execution of WMIC with the 'computersystem' alias, which is commonly used for system discovery.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

WMIC Computersystem with Suspicious Parent Process

high

Detects WMIC computersystem being executed by a non-standard parent process.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →