-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_wmic_recon_group.yml
More file actions
29 lines (29 loc) · 1.09 KB
/
proc_creation_win_wmic_recon_group.yml
File metadata and controls
29 lines (29 loc) · 1.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
title: Local Groups Reconnaissance Via Wmic.EXE
id: 164eda96-11b2-430b-85ff-6a265c15bf32
status: test
description: |
Detects the execution of "wmic" with the "group" flag.
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2023-02-14
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: ' group'
condition: all of selection*
falsepositives:
- Unknown
level: low