Hardware Model Reconnaissance Via Wmic.EXE

Rule Info

Name
Hardware Model Reconnaissance Via Wmic.EXE
Author
Florian Roth (Nextron Systems)
Description
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Reference
https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
Date
2023-02-14 00:00:00
Modified
None
Id
3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
Tags
attack.execution attack.t1047 car.2016-03-002
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
chore: promote older rules status from `experimental` to `test` (#4651)
2024-01-01
c3fe2da99
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-02-16
362f4e4e6
Nasreddine Bencherchali
feat: update wmic rules
2023-02-14
4f59a13d4
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022