Skip to content
Threat Feed
low advisory

Detect Local Groups Reconnaissance Using WMIC

Adversaries utilize the legitimate Windows Management Instrumentation Command-line (WMIC) tool, specifically `wmic.exe group`, to perform reconnaissance on local system groups and identify users with elevated permissions on targeted Windows systems.

This brief details the use of wmic.exe for local group reconnaissance, a technique commonly employed by adversaries as part of their discovery phase. While wmic.exe is a legitimate Windows utility for system administration, its use with the "group" flag allows attackers to enumerate local system groups and their members. This activity typically aims to identify privileged accounts, such as local administrators, to facilitate privilege escalation or lateral movement within a compromised environment. The detection focuses on identifying this specific command-line execution pattern, providing security teams with visibility into potential reconnaissance attempts. This is a general technique detection rather than a specific campaign, but provides crucial early warning indicators for further adversary activity.

Attack Chain

As this brief focuses on a specific discovery technique rather than a complete attack campaign, a full attack chain cannot be provided. However, the use of wmic.exe group typically occurs after initial access has been established.

  1. Initial Access: Adversary gains initial foothold on a Windows system (e.g., via phishing, exploit, RDP brute-force).
  2. Execution: Adversary executes wmic.exe via command line or script.
  3. Discovery: wmic.exe group is run to query local user groups.
  4. Information Gathering: Attacker gathers information on group memberships, focusing on privileged groups like "Administrators".
  5. Target Identification: Attacker identifies potential accounts for privilege escalation or lateral movement.
  6. Next Stage: Attacker proceeds with further actions based on discovered information (e.g., credential dumping, lateral movement, privilege escalation).

Impact

While the direct impact of local group reconnaissance using wmic.exe is limited to information disclosure, successful execution of this technique significantly aids adversaries in achieving their primary objectives. By identifying privileged accounts, attackers can more efficiently plan their privilege escalation and lateral movement strategies. The successful identification of administrator accounts can lead to full system compromise, data exfiltration, deployment of ransomware, or establishment of persistent access across the network. Without detection, this seemingly benign activity can lay the groundwork for severe and widespread damage.

Recommendation

  • Deploy the Sigma rule in this brief to your SIEM and tune for your environment.
  • Enable Sysmon process-creation logging to ensure the necessary telemetry for the rule is collected.
  • Review any alerts generated by the Detect Local Groups Reconnaissance Using WMIC rule for suspicious wmic.exe activity, especially when originating from non-administrative contexts or uncommon user accounts.

Detection coverage 1

Detect Local Groups Reconnaissance Using WMIC

low

Detects the execution of 'wmic.exe group' to enumerate local system groups, a common adversary discovery technique to identify privileged users.

sigma tactics: discovery techniques: T1069.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →