Detecting WMIC Systeminfo Discovery Activity
This brief covers detection of adversaries using Windows Management Instrumentation Command-line (WMIC) to gather system information, specifically the `computersystem` class, a technique used for reconnaissance.
This brief focuses on detecting the use of Windows Management Instrumentation Command-line (WMIC) for system information discovery. Adversaries may use WMIC commands, particularly targeting the computersystem class, to gather details about a system's model, manufacturer, domain, and other attributes. This information is valuable for reconnaissance, allowing attackers to understand the target environment and plan further actions. While WMIC is a legitimate tool often used by administrators, its use by non-administrative accounts or in unusual contexts can indicate malicious activity. This activity is associated with threat actors like LAMEHUG and in scenarios involving the Lotus Blossom Chrysalis Backdoor, indicating a potential link to broader attack campaigns. Monitoring for this behavior can help defenders identify unauthorized reconnaissance and mitigate potential threats.
Attack Chain
- Initial Access: An attacker gains initial access to a Windows system (potentially through phishing or exploiting a vulnerability).
- Execution: The attacker executes the
wmiccommand-line tool. - Discovery: The attacker specifically queries the
computersystemclass usingwmic computersystemto gather system information. - Data Collection: The
wmiccommand retrieves details such as the computer's model, manufacturer, name, domain, and OS version. - Staging: The gathered information is stored locally or in a temporary location.
- Exfiltration (Potential): The attacker may attempt to exfiltrate the collected system information to a remote server for analysis and planning of subsequent attack phases.
- Lateral Movement (Potential): Using the gathered information, the attacker identifies potential targets for lateral movement within the network.
Impact
Successful exploitation of this technique allows attackers to gain a comprehensive understanding of the target system's configuration. This knowledge can be used to identify vulnerabilities, plan lateral movement, and ultimately achieve their objectives, such as data theft, system compromise, or ransomware deployment. This reconnaissance activity is a crucial early stage in many attacks, and detecting it can disrupt the attack chain before significant damage occurs.
Recommendation
- Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to capture command-line arguments for
wmic.exeexecutions, enabling the detection rules below. - Deploy the Sigma rules provided to your SIEM to detect suspicious
wmic computersystemexecutions. Tune the rules based on your environment to minimize false positives. - Investigate any alerts generated by these rules, focusing on the user account, parent process, and the context of the
wmicexecution. - Review historical process execution logs for unusual
wmicactivity, particularly from non-administrative accounts.
Detection coverage 2
Detect WMIC computersystem Execution
mediumDetects the execution of `wmic computersystem` command to gather system information.
Detect WMIC computersystem Execution from Uncommon Parent Process
mediumDetects the execution of `wmic computersystem` command from unusual parent processes.
Detection queries are available on the platform. Get full rules →