WMIC Unusual Module Loads (RedCanary Threat Detection Report)
Detects unusual module loads by the wmic process, potentially performed to bypass application control. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: WMIC Unusual Module Loads (RedCanary Threat Detection Report)
id: 674d5957-41a2-47df-ad91-1833379632a6
status: experimental
description: Detects the wmic process module loads potentially to perform application control bypasses. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        ImageLoaded|endswith:
            - '\jscript.dll'
            - '\vbscript.dll'
    condition: selection
falsepositives:
    - Unknown
level: low
```
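As an added example (not part of the Sigma rule or the Red Canary report), the following Python applies the rule's `selection` logic to a few constructed Sysmon image_load events. Field names follow the Sigma `windows`/`image_load` log source; the file paths are constructed sample values, and the case-insensitive comparison mirrors how Sigma's `|endswith` modifier matches.

```python
# Added example: applies the rule's selection block to constructed Sysmon
# Event ID 7 (image_load) records. Not part of the Sigma rule itself.
# Sigma string modifiers such as |endswith compare case-insensitively, so
# the matcher lowercases both sides before comparing.

# Constructed sample events using the Sigma windows/image_load field names
# (Image = loading process, ImageLoaded = DLL that was loaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},      # mixed case, hits
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ImageLoaded": r"C:\Windows\System32\VBScript.dll"},     # mixed case, hits
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"}, # ordinary WMI DLL
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},      # not wmic.exe
]

# Suffixes taken from the rule's selection block.
IMAGE_SUFFIX = "\\wmic.exe"
LOADED_SUFFIXES = ("\\jscript.dll", "\\vbscript.dll")


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix test."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection': the loading process image
    ends with wmic.exe AND the loaded module is one of the script engines."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    return _endswith_ci(image, IMAGE_SUFFIX) and any(
        _endswith_ci(loaded, s) for s in LOADED_SUFFIXES
    )


def find_matches(events: list) -> list:
    """Return the subset of events that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print("ALERT: {Image} loaded {ImageLoaded}".format(**e))
```

Only the first two sample events match; the ordinary WMI helper DLL and the cscript.exe load are left alone, which is the behaviour a tuned version of this rule should preserve.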
References
Related rules
- Office Products Spawning WMI (RedCanary Threat Detection Report)
- WMI Reconnaissance (RedCanary Threat Detection Report)
- WMI Shadow Copy Deletion (RedCanary Threat Detection Report)
- WMI Suspicious Commands (RedCanary Threat Detection Report)
- WMI Suspicious Powershell Cmdlets (RedCanary Threat Detection Report)