WMIC Suspicious Commands
Detects suspicious parent-child relationships with the wmiprvse command. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule
```yaml
title: WMIC Suspicious Commands
id: 9c3367de-94fd-4a46-bc9f-d2943bd32025
status: experimental
description: Detects suspicious parent-child relationships with the wmiprvse command.
    Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\msbuild.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
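The selection above is an AND of two fields, each using Sigma's case-insensitive `endswith` modifier, with the list under `Image|endswith` acting as an OR. The following is an added example (not code from the Sigma project) that applies that logic to constructed process-creation events with Sysmon-style field names, so a detection engineer can see which events fire and which do not:

```python
# Added example (not Sigma project code): evaluate this rule's 'selection' over
# constructed process_creation events with Sysmon-style field names.
PARENT_SUFFIX = "\\wmiprvse.exe"
CHILD_SUFFIXES = ("\\rundll32.exe", "\\msbuild.exe", "\\powershell.exe",
                  "\\cmd.exe", "\\mshta.exe")


def endswith_ci(value, suffixes):
    """Sigma '|endswith' semantics: case-insensitive suffix match, OR over a list."""
    if not value:
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when both selection fields match (fields in one selection are ANDed)."""
    return (endswith_ci(event.get("ParentImage"), (PARENT_SUFFIX,))
            and endswith_ci(event.get("Image"), CHILD_SUFFIXES))


def alert_on(events):
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\conhost.exe",  # child not in the rule's list
     "CommandLine": "conhost.exe 0xffffffff"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # parent is not wmiprvse.exe
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in alert_on(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Only the first two sample events match; the mixed-case `WmiPrvSE.exe` parent still matches because Sigma string comparisons ignore case.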
References
- https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
Related rules
- Suspicious WMI-Related Powershell Cmdlets
- WMIC Suspicious Commands
- Base64 Encoding in CMD or Powershell
- Command Shell Bypassing Security Controls