Environment Variable Enumeration Via WMIC

Rule Info

Name: Environment Variable Enumeration Via WMIC
Author: Swachchhanda Shrawan Poudel, Christian Burkard
Description: Detects enumeration of environment variables via WMIC using the Win32_Environment class. Attackers query "environment get name,variablevalue" during host reconnaissance to discover paths, usernames, and configuration values useful for lateral movement or payload staging.
Date: 2026-07-01 00:00:00
Modified: None
Id: 10bae869-e9e3-4700-b967-0e97dbca82cc
Tags: attack.discovery, attack.t1082
Type: Nextron Sigma feed only (private)

Rule History