Suspicious Autorun Registry Modified via WMI

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Sigma rule

title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
        Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.001
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_execution_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
        - ParentImage|endswith: '\wmiprvse.exe'
    selection_execution_cmd:
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        CommandLine|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        CommandLine|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
    - Legitimate administrative activity or software installations
level: high
