Skip to content
Threat Feed
medium advisory

Detecting WMIC Systeminfo Discovery Activity

This brief covers detection of adversaries using Windows Management Instrumentation Command-line (WMIC) to gather system information, specifically the `computersystem` class, a technique used for reconnaissance.

This brief focuses on detecting the use of Windows Management Instrumentation Command-line (WMIC) for system information discovery. Adversaries may use WMIC commands, particularly targeting the computersystem class, to gather details about a system's model, manufacturer, domain, and other attributes. This information is valuable for reconnaissance, allowing attackers to understand the target environment and plan further actions. While WMIC is a legitimate tool often used by administrators, its use by non-administrative accounts or in unusual contexts can indicate malicious activity. This activity is associated with threat actors like LAMEHUG and in scenarios involving the Lotus Blossom Chrysalis Backdoor, indicating a potential link to broader attack campaigns. Monitoring for this behavior can help defenders identify unauthorized reconnaissance and mitigate potential threats.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system (potentially through phishing or exploiting a vulnerability).
  2. Execution: The attacker executes the wmic command-line tool.
  3. Discovery: The attacker specifically queries the computersystem class using wmic computersystem to gather system information.
  4. Data Collection: The wmic command retrieves details such as the computer's model, manufacturer, name, domain, and OS version.
  5. Staging: The gathered information is stored locally or in a temporary location.
  6. Exfiltration (Potential): The attacker may attempt to exfiltrate the collected system information to a remote server for analysis and planning of subsequent attack phases.
  7. Lateral Movement (Potential): Using the gathered information, the attacker identifies potential targets for lateral movement within the network.

Impact

Successful exploitation of this technique allows attackers to gain a comprehensive understanding of the target system's configuration. This knowledge can be used to identify vulnerabilities, plan lateral movement, and ultimately achieve their objectives, such as data theft, system compromise, or ransomware deployment. This reconnaissance activity is a crucial early stage in many attacks, and detecting it can disrupt the attack chain before significant damage occurs.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to capture command-line arguments for wmic.exe executions, enabling the detection rules below.
  • Deploy the Sigma rules provided to your SIEM to detect suspicious wmic computersystem executions. Tune the rules based on your environment to minimize false positives.
  • Investigate any alerts generated by these rules, focusing on the user account, parent process, and the context of the wmic execution.
  • Review historical process execution logs for unusual wmic activity, particularly from non-administrative accounts.

Detection coverage 2

Detect WMIC computersystem Execution

medium

Detects the execution of `wmic computersystem` command to gather system information.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

Detect WMIC computersystem Execution from Uncommon Parent Process

medium

Detects the execution of `wmic computersystem` command from unusual parent processes.

sigma tactics: discovery techniques: T1082 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →