Detect Local Groups Reconnaissance Using WMIC
Adversaries utilize the legitimate Windows Management Instrumentation Command-line (WMIC) tool, specifically `wmic.exe group`, to perform reconnaissance on local system groups and identify users with elevated permissions on targeted Windows systems.
This brief details the use of wmic.exe for local group reconnaissance, a technique commonly employed by adversaries as part of their discovery phase. While wmic.exe is a legitimate Windows utility for system administration, its use with the "group" flag allows attackers to enumerate local system groups and their members. This activity typically aims to identify privileged accounts, such as local administrators, to facilitate privilege escalation or lateral movement within a compromised environment. The detection focuses on identifying this specific command-line execution pattern, providing security teams with visibility into potential reconnaissance attempts. This is a general technique detection rather than a specific campaign, but provides crucial early warning indicators for further adversary activity.
Attack Chain
As this brief focuses on a specific discovery technique rather than a complete attack campaign, a full attack chain cannot be provided. However, the use of wmic.exe group typically occurs after initial access has been established.
- Initial Access: Adversary gains initial foothold on a Windows system (e.g., via phishing, exploit, RDP brute-force).
- Execution: Adversary executes
wmic.exevia command line or script. - Discovery:
wmic.exe groupis run to query local user groups. - Information Gathering: Attacker gathers information on group memberships, focusing on privileged groups like "Administrators".
- Target Identification: Attacker identifies potential accounts for privilege escalation or lateral movement.
- Next Stage: Attacker proceeds with further actions based on discovered information (e.g., credential dumping, lateral movement, privilege escalation).
Impact
While the direct impact of local group reconnaissance using wmic.exe is limited to information disclosure, successful execution of this technique significantly aids adversaries in achieving their primary objectives. By identifying privileged accounts, attackers can more efficiently plan their privilege escalation and lateral movement strategies. The successful identification of administrator accounts can lead to full system compromise, data exfiltration, deployment of ransomware, or establishment of persistent access across the network. Without detection, this seemingly benign activity can lay the groundwork for severe and widespread damage.
Recommendation
- Deploy the Sigma rule in this brief to your SIEM and tune for your environment.
- Enable Sysmon process-creation logging to ensure the necessary telemetry for the rule is collected.
- Review any alerts generated by the
Detect Local Groups Reconnaissance Using WMICrule for suspiciouswmic.exeactivity, especially when originating from non-administrative contexts or uncommon user accounts.
Detection coverage 1
Detect Local Groups Reconnaissance Using WMIC
lowDetects the execution of 'wmic.exe group' to enumerate local system groups, a common adversary discovery technique to identify privileged users.
Detection queries are available on the platform. Get full rules →