Rule Info
Name
File or Directory Enumeration Via WMIC
Author
Swachchhanda Shrawan Poudel, Christian Burkard
Description
Detects file or directory enumeration via WMIC using the Win32_Directory or CIM_DataFile classes.
Attackers use these classes to list directories or files on specific drives (e.g., "C:")
during post-exploitation reconnaissance - a technique that bypasses traditional dir/ls command monitoring.
Date
2026-07-01 00:00:00
Modified
None
Id
399f65fb-4310-407d-b24e-14a038fbb690
Tags
attack.discovery attack.t1083
Type
Nextron Sigma feed only (private)
