From 696e0b83ffdeeae6190cdfb449cbab5f11b644c8 Mon Sep 17 00:00:00 2001
From: IntelScott <99858125+tropChaud@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:25:07 -0500
Subject: [PATCH 1/5] Create proc_creation_win_wmic_system_info_discovery.yml
---
 ...reation_win_wmic_system_info_discovery.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
new file mode 100644
index 00000000000..627e3ab57c8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
@@ -0,0 +1,41 @@
+title: System Information Discovery with WMIC
+id: 9d5a1274-922a-49d0-87f3-8c653483b909
+status: experimental
+description: Detect use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
+ - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
+ - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
+ - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
+ - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
+author: TropChaud
+date: 2023/01/26
+tags:
+ - attack.discovery
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_wmic:
+ - Description: 'WMI Commandline Utility'
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith:
+ - '\WMIC.exe'
+ - CommandLine|contains: 'wmic'
+ selection_commands:
+ CommandLine|contains:
+ - 'cpu get name'
+ - 'MEMPHYSICAL get MaxCapacity'
+ - 'baseboard get product'
+ - 'baseboard get version'
+ - 'bios get SMBIOSBIOSVersion'
+ - 'path win32_VideoController get name'
+ - 'path win32_VideoController get DriverVersion'
+ - 'path win32_VideoController get VideoModeDescription'
+ - 'OS get Caption,OSArchitecture,Version'
+ - 'DISKDRIVE get Caption'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
From d380862b69fdd31e6300f0c339e9172cc074534c Mon Sep 17 00:00:00 2001
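Review bot: `falsepositives` is left at the placeholder `- Unknown`, yet several of the `selection_commands` strings — `OS get Caption,OSArchitecture,Version`, `DISKDRIVE get Caption`, `cpu get name` — are the kind of queries commonly issued by inventory, helpdesk and monitoring scripts, so at `level: medium` the rule is likely to need tuning that the rule itself gives no hint about. I would replace the placeholder with `- Administrative, inventory or asset-management scripts that query hardware and OS details via WMIC` so an analyst triaging a hit has a starting point. It is also worth saying in `description` that the rule alerts on any single matching invocation: as far as the cited Aurora reports describe, the stealer behaviour is a burst of several such queries in succession, and `all of selection_*` alone does not express that sequence.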
From: IntelScott <99858125+tropChaud@users.noreply.github.com>
Date: Thu, 26 Jan 2023 17:36:14 -0500
Subject: [PATCH 2/5] Update proc_creation_win_wmic_system_info_discovery.yml
Fixing list with only one element
---
 .../proc_creation_win_wmic_system_info_discovery.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
index 627e3ab57c8..501dd10f47e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
@@ -20,8 +20,7 @@ detection:
 selection_wmic:
 - Description: 'WMI Commandline Utility'
 - OriginalFileName: 'wmic.exe'
- - Image|endswith:
- - '\WMIC.exe'
+ - Image|endswith: '\WMIC.exe'
 - CommandLine|contains: 'wmic'
 selection_commands:
 CommandLine|contains:
From ce608f410314146842ed899a46ebd3d1d651675f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:56:09 +0100
Subject: [PATCH 3/5] fix: update description
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../proc_creation_win_wmic_system_info_discovery.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
index 501dd10f47e..d0beb710484 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
@@ -1,7 +1,11 @@
 title: System Information Discovery with WMIC
 id: 9d5a1274-922a-49d0-87f3-8c653483b909
 status: experimental
-description: Detect use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
+description: |
+ Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+ including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+ and GPU driver products/versions.
+ Some of these commands were used by Aurora Stealer in late 2022/early 2023.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
 - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
From 4808025de3c7ca3e5b57a2b19137d3ebd5473324 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 6 Feb 2023 13:58:03 +0100
Subject: [PATCH 4/5] fix: remove cli option
---
 .../proc_creation_win_wmic_system_info_discovery.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
index d0beb710484..b2abc8510b3 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
@@ -25,7 +25,6 @@ detection:
 - Description: 'WMI Commandline Utility'
 - OriginalFileName: 'wmic.exe'
 - Image|endswith: '\WMIC.exe'
- - CommandLine|contains: 'wmic'
 selection_commands:
 CommandLine|contains:
 - 'cpu get name'
From dc2d2f9d6dbf95552572744a5bbdbac8b610d865 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 6 Feb 2023 14:03:37 +0100
Subject: [PATCH 5/5] fix: update title
---
 .../proc_creation_win_wmic_system_info_discovery.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
index b2abc8510b3..d65c616bb0a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_system_info_discovery.yml
@@ -1,8 +1,8 @@
-title: System Information Discovery with WMIC
+title: Potential System Information Discovery Via Wmic.EXE
 id: 9d5a1274-922a-49d0-87f3-8c653483b909
 status: experimental
 description: |
- Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+ Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
 including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
 and GPU driver products/versions.
 Some of these commands were used by Aurora Stealer in late 2022/early 2023.