Suspicious Commands - WMI

Looking for suspicious command-line parameters is another solid indicator of malice. Certain red team and post-exploitation frameworks will spawn unique and unsigned binaries or commands remotely using the well-known `process call create` command, and we've got a couple of different detection methods that have alerted us to related activity over the years. Potentially suspicious WMI command switches include `create`, `node:`, `process`, and `call`. Of course, the maliciousness of these commands is context-specific, and therefore the following may require tuning or generate high volumes of false positives. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Suspicious Commands - WMI
id: 5a6a9a1b-97d0-43d8-9dd7-3cdef056c3c3
status: experimental
description: |
    Looking for suspicious command-line parameters is another solid indicator of malice. Certain
    red team and post-exploitation frameworks will spawn unique and unsigned binaries or commands
    remotely using the well known process call create command, and we've got a couple different
    detection methods that have alerted us to related activity over the years. Potentially
    suspicious WMI command switches include create, node:, process, and call. Of course, the
    maliciousness of these commands is context-specific, and therefore, the following may
    require tuning or generate high volumes of false positives. Part of the RedCanary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'create'
            - 'node:'
            - 'process'
            - 'call'
    condition: selection
falsepositives:
    - Unknown
level: low
```
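To make the rule's behaviour and its tuning problem concrete, the following is an added example (not part of the Red Canary report or of the Sigma rule above). It evaluates the rule's `selection` exactly as written (case-insensitive `endswith` / `contains`, as Sigma's default string matching is) over a handful of constructed `process_creation` events, and sets it beside an assumed tightened variant that requires the full `process call create` chain rather than any single term. The event records, image paths and command lines are constructed for the demonstration; the tightened variant is an assumption about how one might tune the rule, not something the page prescribes.

```python
"""
Evaluate the 'Suspicious Commands - WMI' Sigma selection over constructed
Windows process_creation events and compare it with a tightened variant.
Added example: not code from the report or from the Sigma rule's author.
"""

# Constructed sample events (not real telemetry). Only the two fields the
# rule inspects are included.
SAMPLE_EVENTS = [
    # Remote process creation via WMI: the pattern the rule is built for.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"host.corp.example" process call create "C:\Users\Public\tool.exe"'},
    # Routine inventory command: hits the rule only because of the word 'process'.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process get name,processid"},
    # Benign query containing none of the listed terms.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    # Same text but the Image is cmd.exe, so the rule's Image clause fails.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wmic process call create calc.exe"},
]

# The four CommandLine|contains values from the rule.
SELECTION_TERMS = ["create", "node:", "process", "call"]


def image_endswith(event, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix match on Image."""
    return event.get("Image", "").lower().endswith(suffix.lower())


def commandline_contains_any(event, terms):
    """Sigma 'contains' with a list value: OR across the listed substrings."""
    cmdline = event.get("CommandLine", "").lower()
    return any(term.lower() in cmdline for term in terms)


def sigma_rule_matches(event):
    """The page's selection as written: wmic.exe AND any one of the terms."""
    return (image_endswith(event, r"\wmic.exe")
            and commandline_contains_any(event, SELECTION_TERMS))


def tightened_rule_matches(event):
    """Assumed tuning (not from the page): wmic.exe AND all of
    'process', 'call', 'create' present, i.e. the full remote-create chain."""
    cmdline = event.get("CommandLine", "").lower()
    return (image_endswith(event, r"\wmic.exe")
            and all(term in cmdline for term in ("process", "call", "create")))


def is_remote(event):
    """True when the command targets another host via the /node: switch."""
    return "/node:" in event.get("CommandLine", "").lower()


def evaluate(events):
    """Return one verdict record per event so the two rules can be compared."""
    return [
        {
            "CommandLine": e["CommandLine"],
            "as_written": sigma_rule_matches(e),
            "tightened": tightened_rule_matches(e),
            "remote": is_remote(e),
        }
        for e in events
    ]


if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_EVENTS):
        print(verdict)
```

Running it shows the trade-off the rule's description warns about: the `as_written` selection fires on the routine `wmic process get` inventory command as well as on the remote `process call create`, because `process` alone satisfies the OR list, while the tightened variant fires only on the full chain. Whichever form is used, the `remote` flag (presence of `/node:`) is worth surfacing as enrichment, since a create call aimed at another host is the behaviour the report calls out.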
