Skip to content
Threat Feed
medium advisory

Potential Process Reconnaissance via Wmic.EXE

Adversaries leverage the native Windows Management Instrumentation Command-line (WMIC) utility with the 'process' flag to perform discovery of running processes on compromised systems, enabling further stages of attack such as privilege escalation or lateral movement.

This brief details the use of wmic.exe for process reconnaissance, a common tactic employed by adversaries to understand the environment of a compromised Windows system. While wmic.exe is a legitimate Windows utility, its specific invocation with the "process" keyword is frequently abused for discovery. This activity indicates an attacker is actively mapping out running processes, often looking for security software, vulnerable applications, or other indicators that could aid in privilege escalation, lateral movement, or establishing persistence. This technique is observed across various threat groups as a standard post-exploitation step, providing critical information to inform subsequent malicious actions. Detecting this behavior is crucial for early identification of reconnaissance activities before an attacker can progress to more impactful stages.

Impact

The successful use of wmic.exe for process reconnaissance itself does not directly cause immediate damage like data encryption or exfiltration. However, it provides adversaries with critical intelligence about the compromised system's operational landscape. This information can be leveraged to identify high-value targets, understand security control deployments, and discover opportunities for further exploitation or persistence. For instance, an attacker might identify vulnerable processes to inject malicious code, locate sensitive applications to target for data theft, or determine paths for privilege escalation. Failing to detect such reconnaissance can allow an attacker to proceed unchallenged, significantly increasing the risk of data compromise, system disruption, or financial loss.

Recommendation

  • Deploy the provided Sigma rule "Potential Process Reconnaissance via Wmic.EXE" to your SIEM and tune for your environment to detect suspicious wmic.exe invocations.
  • Ensure that Windows process creation logging, especially via Sysmon (Event ID 1), is enabled on all critical endpoints and servers to capture CommandLine arguments and Image paths for wmic.exe.
  • Investigate alerts generated by the rule, focusing on the parent process that initiated wmic.exe to determine the source of the reconnaissance activity.
  • Review the CommandLine of any wmic.exe process queries involving "process" that originate from non-standard user accounts or unexpected processes.

Detection coverage 1

Potential Process Reconnaissance via Wmic.EXE

medium

Detects the execution of 'wmic' with the 'process' flag, which might indicate an attempt to perform reconnaissance on running processes, as adversaries may use wmic to query for running processes and their details.

sigma tactics: discovery, execution techniques: T1047, T1057 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →