Techniques
Sample rules
Potential Product Class Reconnaissance Via Wmic.EXE
- source: sigma
- technicques:
- t1047
- t1082
Description
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- AntiVirusProduct
- AntiSpywareProduct
- FirewallProduct
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe