Potential Product Class Reconnaissance Via Wmic.EXE
Adversaries are leveraging `wmic.exe` on Windows systems to perform reconnaissance, specifically enumerating installed antivirus, antispyware, and firewall products to aid in evasion and subsequent attack planning, posing a medium risk to affected organizations.
This threat brief details the use of wmic.exe by adversaries for reconnaissance purposes, specifically to identify security products installed on Windows endpoints. While wmic.exe is a legitimate Windows utility, its command-line invocation to query product classes like AntiVirusProduct, AntiSpywareProduct, or FirewallProduct is a tactic often employed by malicious actors. This behavior allows attackers to gain insights into an organization's defensive posture, enabling them to choose appropriate evasion techniques, tailor their payloads, or attempt to disable security mechanisms. This activity is a common precursor to more impactful stages of an attack, such as payload delivery, lateral movement, or data exfiltration, highlighting the importance of detecting such discovery attempts early in the kill chain.
Attack Chain
This threat brief describes a specific discovery technique, not a full attack chain. No attack chain information is available from the provided source.
Impact
Successful reconnaissance of security products allows adversaries to adapt their attack methods, bypassing or disabling defensive controls more effectively. This significantly increases the likelihood of a successful compromise, which can lead to severe consequences such as system disruption, data theft, ransomware deployment, and financial losses. The ability to identify and circumvent security software undermines an organization's overall cyber defenses, potentially granting attackers unfettered access to sensitive data and critical systems.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect
wmic.exeexecutions for security product enumeration. - Ensure
process_creationlogging (e.g., via Sysmon) is enabled on all Windows endpoints to captureCommandLinearguments necessary for this detection. - Investigate all alerts generated by the
Potential Product Class Reconnaissance Via Wmic.EXErule, as they indicate potential adversarial discovery activities.
Detection coverage 1
Potential Product Class Reconnaissance Via Wmic.EXE
mediumDetects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products, often used by adversaries for reconnaissance.
Detection queries are available on the platform. Get full rules →