WMIC Suspicious Commands
Detects spawning of unique and unsigned binaries or commands remotely using the well-known `process call create` command. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: WMIC Suspicious Commands
id: b772987f-ca62-4c24-ab78-a93ebb561d96
status: experimental
description: Detects spawning of unique and unsigned binaries or commands remotely
    using the well known process call create command. Inspired by the 2022 Red Canary
    Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'create'
            - 'node:'
            - 'process'
            - 'call'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
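To see what this selection actually fires on, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's `selection` map with standard Sigma semantics over a handful of constructed Sysmon-style process-creation events. The two things it makes visible: Sigma string matching is case-insensitive, and the four values under `CommandLine|contains` are OR'ed, so any `wmic.exe` launch whose command line contains `process` (for example a local `wmic process list`) satisfies the rule, not only the remote `/node:` + `process call create` pattern the description targets. The event field names (`Image`, `CommandLine`) follow the rule; the event records themselves are made up for the example.

```python
"""Minimal evaluator for the Sigma selection above, run over constructed events.

Added example; not the rule author's code. Implements only the Sigma pieces this
rule needs: the `endswith` and `contains` string modifiers, AND across the keys
of a selection map, OR across the list values under a single key.
"""

# Selection copied from the rule. Keys are AND'ed; list values under a key are OR'ed.
SELECTION = {
    "Image|endswith": ["\\wmic.exe"],
    "CommandLine|contains": ["create", "node:", "process", "call"],
}

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1",  # remote process creation: the pattern the description targets
     "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic /node:SRV01 process call create "notepad.exe"'},
    {"id": "evt-2",  # local inventory query: still matches, on the term 'process'
     "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic process list brief"},
    {"id": "evt-3",  # same words, but the Image is cmd.exe, so the selection fails
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wmic process call create notepad.exe"},
    {"id": "evt-4",  # wmic.exe with none of the four substrings: no match
     "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic os get Caption,Version"},
    {"id": "evt-5",  # upper-case path and switches: matches because Sigma is case-insensitive
     "Image": r"C:\WINDOWS\SYSTEM32\WBEM\WMIC.EXE",
     "CommandLine": "WMIC /NODE:SRV02 OS GET Caption"},
]


def _string_match(modifier, value, pattern):
    """One Sigma string comparison: case-insensitive, operator chosen by the modifier."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p  # no modifier: exact (case-insensitive) equality


def matched_terms(event, selection=SELECTION):
    """Return {field: [patterns that hit]} when the selection matches, else None.

    Every key in the map must match (AND); within a key, any listed value
    suffices (OR). A missing field fails the key.
    """
    result = {}
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return None
        hits = [p for p in patterns if _string_match(modifier, value, p)]
        if not hits:
            return None
        result[field] = hits
    return result


def run_rule(events, selection=SELECTION):
    """IDs of the events for which `condition: selection` holds."""
    return [e["id"] for e in events if matched_terms(e, selection) is not None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], matched_terms(e))
```

Running it shows evt-2 firing on `process` alone, which is the tuning point for anyone deploying the rule: if local `wmic process list` noise is a problem in your environment, a tighter variant would require both `node:` and `call create` (an `all` modifier or a second selection AND'ed in the condition) rather than any one of the four terms.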
Related rules
- Suspicious WMI-Related Powershell Cmdlets
- WMIC Suspicious Commands
- Base64 Encoding in CMD or Powershell
- Command Shell Bypassing Security Controls