Rule Info
Name
Startup Item Enumeration Via WMIC
Author
Swachchhanda Shrawan Poudel, Christian Burkard
Description
Detects enumeration of startup items via WMIC using the Win32_StartupCommand class.
Attackers query startup items to discover persistence mechanisms that automatically execute
malicious binaries or scripts during system boot or user logon.
Date
2026-07-01 00:00:00
Modified
None
Id
2822ca22-3368-437c-b8ac-c57354d2f9b2
Tags
attack.discovery attack.t1082
Type
Nextron Sigma feed only (private)
