Skip to content
Threat Feed
medium advisory

Potential Product Class Reconnaissance Via Wmic.EXE

Adversaries are leveraging `wmic.exe` on Windows systems to perform reconnaissance, specifically enumerating installed antivirus, antispyware, and firewall products to aid in evasion and subsequent attack planning, posing a medium risk to affected organizations.

This threat brief details the use of wmic.exe by adversaries for reconnaissance purposes, specifically to identify security products installed on Windows endpoints. While wmic.exe is a legitimate Windows utility, its command-line invocation to query product classes like AntiVirusProduct, AntiSpywareProduct, or FirewallProduct is a tactic often employed by malicious actors. This behavior allows attackers to gain insights into an organization's defensive posture, enabling them to choose appropriate evasion techniques, tailor their payloads, or attempt to disable security mechanisms. This activity is a common precursor to more impactful stages of an attack, such as payload delivery, lateral movement, or data exfiltration, highlighting the importance of detecting such discovery attempts early in the kill chain.

Attack Chain

This threat brief describes a specific discovery technique, not a full attack chain. No attack chain information is available from the provided source.

Impact

Successful reconnaissance of security products allows adversaries to adapt their attack methods, bypassing or disabling defensive controls more effectively. This significantly increases the likelihood of a successful compromise, which can lead to severe consequences such as system disruption, data theft, ransomware deployment, and financial losses. The ability to identify and circumvent security software undermines an organization's overall cyber defenses, potentially granting attackers unfettered access to sensitive data and critical systems.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect wmic.exe executions for security product enumeration.
  • Ensure process_creation logging (e.g., via Sysmon) is enabled on all Windows endpoints to capture CommandLine arguments necessary for this detection.
  • Investigate all alerts generated by the Potential Product Class Reconnaissance Via Wmic.EXE rule, as they indicate potential adversarial discovery activities.

Detection coverage 1

Potential Product Class Reconnaissance Via Wmic.EXE

medium

Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products, often used by adversaries for reconnaissance.

sigma tactics: discovery, execution techniques: T1047, T1082 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →