File or Directory Enumeration Via WMIC

Rule Info

Name: File or Directory Enumeration Via WMIC
Author: Swachchhanda Shrawan Poudel, Christian Burkard
Description: Detects file or directory enumeration via WMIC using the Win32_Directory or CIM_DataFile classes. Attackers use these classes to list directories or files on specific drives (e.g., "C:") during post-exploitation reconnaissance, a technique that bypasses traditional dir/ls command monitoring.
Date: 2026-07-01 00:00:00
Modified: None
Id: 399f65fb-4310-407d-b24e-14a038fbb690
Tags: attack.discovery, attack.t1083
Type: Nextron Sigma feed only (private)

Rule History