high advisory

Suspicious PowerShell Reconnaissance via WMI Queries

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

This brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like Win32_Bios, Win32_OperatingSystem, Win32_Processor and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.

Attack Chain

  1. An attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
  2. The attacker executes a PowerShell script, either directly or via a command-line interpreter like cmd.exe.
  3. The PowerShell script uses the Get-WmiObject cmdlet or a direct WMI query with SELECT to query system information.
  4. Specific WMI classes are targeted, including Win32_Bios, Win32_OperatingSystem, Win32_Processor, Win32_ComputerSystem, Win32_PnPEntity, Win32_ShadowCopy, Win32_DiskDrive, Win32_PhysicalMemory, Win32_BaseBoard, and Win32_DisplayConfiguration.
  5. The script collects the data returned by the WMI queries.
  6. The gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.
  7. The attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.
  8. The attacker executes further commands based on the gathered information.
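As an added illustration (not the Splunk analytic or the Sigma rule themselves), the following Python applies the check described above to constructed 4104 Script Block Logging records: a record is flagged when its ScriptBlockText contains Get-WmiObject or a WQL SELECT ... FROM statement and names one of the classes listed in step 4. The record layout and the sample events are assumptions for the demo, not real telemetry.

```python
import re

WMI_RECON_CLASSES = (  # classes named in step 4 of the attack chain
    "Win32_Bios", "Win32_OperatingSystem", "Win32_Processor",
    "Win32_ComputerSystem", "Win32_PnPEntity", "Win32_ShadowCopy",
    "Win32_DiskDrive", "Win32_PhysicalMemory", "Win32_BaseBoard",
    "Win32_DisplayConfiguration",
)
_CANONICAL = {c.lower(): c for c in WMI_RECON_CLASSES}

# A WMI query is the Get-WmiObject cmdlet or a WQL statement. Requiring
# SELECT ... FROM stops a plain 'Select-Object' from counting as a query.
_QUERY_RE = re.compile(r"\bGet-WmiObject\b|\bSELECT\b.+?\bFROM\b", re.I | re.S)
_CLASS_RE = re.compile(r"\b(" + "|".join(WMI_RECON_CLASSES) + r")\b", re.I)

def wmi_recon_classes(script_block_text: str) -> list:
    """Recon classes referenced by one ScriptBlockText (canonical spelling),
    or [] when the text contains no WMI query at all."""
    if not _QUERY_RE.search(script_block_text):
        return []
    found = {m.group(1).lower() for m in _CLASS_RE.finditer(script_block_text)}
    return sorted(_CANONICAL[c] for c in found)

def scan_events(events) -> list:
    """Apply the check to Script Block Logging records only (EventCode 4104).
    Returns (RecordId, classes) pairs for records that should raise an alert."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        classes = wmi_recon_classes(ev.get("ScriptBlockText", ""))
        if classes:
            hits.append((ev["RecordId"], classes))
    return hits

# Constructed sample records in the shape of 4104 events; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventCode": 4104, "ScriptBlockText":
     "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version"},
    {"RecordId": "2", "EventCode": 4104, "ScriptBlockText":
     "$q = 'select * from win32_bios'; Get-WmiObject -Query $q"},
    {"RecordId": "3", "EventCode": 4104, "ScriptBlockText":
     "Get-ChildItem C:\\Windows\\Temp | Select-Object Name"},  # no WMI query
    {"RecordId": "4", "EventCode": 4104, "ScriptBlockText":
     "Get-WmiObject -Class Win32_Service"},  # query, but not a recon class
    {"RecordId": "5", "EventCode": 4103, "ScriptBlockText":
     "Get-WmiObject Win32_Processor"},  # not a script block record
]
```

Records 1 and 2 are the only hits; record 4 shows why the class list is what separates ordinary administration from the profiling this advisory targets, and it is the list you would tune via the filter mentioned in the recommendations.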

Impact

Successful reconnaissance can provide attackers with a comprehensive understanding of the target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.

Recommendation

  • Enable PowerShell Script Block Logging on all endpoints so that the script text needed for this detection is captured (Event ID 4104).
  • Deploy the Sigma rule Detect Suspicious WMI Reconnaissance via PowerShell to identify PowerShell scripts querying sensitive WMI classes.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.
  • Review and tune the Recon Using WMI Class detection filter (recon_using_wmi_class_filter) to reduce false positives in your environment.

Detection coverage (2 rules)

Detect Suspicious WMI Reconnaissance via PowerShell

high

Detects PowerShell scripts using WMI to gather system information, which may indicate reconnaissance activity.

Format: Sigma. Tactics: execution, reconnaissance. Techniques: T1059.001, T1592. Sources: process_creation, windows.

Detect Suspicious WMI Reconnaissance via Cmd

medium

Detects Command Prompt using WMI to gather system information, which may indicate reconnaissance activity.

Format: Sigma. Tactics: execution, reconnaissance. Techniques: T1059.001, T1592. Sources: process_creation, windows.
