Suspicious Autorun Registry Modified via WMI

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Sigma rule

```yaml
title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
        Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
    - attack.execution
    - attack.persistence
    - attack.t1547.001
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_execution_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
        - ParentImage|endswith: '\wmiprvse.exe'
    selection_execution_cmd:
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        CommandLine|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        CommandLine|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
    - Legitimate administrative activity or software installations
level: high
```
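To see how the `condition` above combines the selections, the following added example (not part of the Sigma project or of this rule; it is a hand-written evaluator, not a Sigma backend) applies the rule's logic to four constructed `process_creation` events. It reproduces two Sigma semantics that are easy to misread: a list of maps under `selection_execution_img` is an OR across the three alternatives, and `contains`/`endswith` are case-insensitive by default. The event field names follow the rule; the command lines and image paths are constructed samples, the first one taken from the rule's own comment.

```python
"""Evaluate the rule's detection logic over constructed process_creation events.

Added example: a toy evaluator for the condition
  all of selection_execution_* and
  (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
It is not Sigma's own matching engine; it mirrors the rule's lists and
Sigma's default case-insensitive string matching.
"""

# Patterns copied from the rule. Raw strings keep the backslashes literal.
RUN_KEYS = [
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
SUSPICIOUS_PATHS = [
    r":\Perflogs", r":\ProgramData", r":\Windows\Temp", r":\Temp",
    r"\AppData\Local\Temp", r"\AppData\Roaming", r":\$Recycle.bin",
    r":\Users\Default", r":\Users\public",
    "%temp%", "%tmp%", "%Public%", "%AppData%",
]
USER_PROFILE_DIRS = [
    r"\Favorites", r"\Favourites", r"\Contacts", r"\Music",
    r"\Pictures", r"\Documents", r"\Photos",
]


def _contains_any(value: str, needles) -> bool:
    """Sigma 'contains' over a list: case-insensitive, any needle matches."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith', case-insensitive."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image", "")
    original_name = event.get("OriginalFileName", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")

    # selection_execution_img is a list of maps, so the alternatives are ORed.
    execution_img = (
        _endswith(image, r"\wmic.exe")
        or original_name.lower() == "wmic.exe"
        or _endswith(parent, r"\wmiprvse.exe")
    )
    # selection_execution_cmd: both 'reg' and ' add ' AND one of the Run keys.
    execution_cmd = (
        all(_contains_any(cmd, [n]) for n in ["reg", " add "])
        and _contains_any(cmd, RUN_KEYS)
    )
    paths_1 = _contains_any(cmd, SUSPICIOUS_PATHS)
    user_1 = _contains_any(cmd, [":\\Users\\"])
    user_2 = _contains_any(cmd, USER_PROFILE_DIRS)

    return execution_img and execution_cmd and (paths_1 or (user_1 and user_2))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # The command line from the rule's own comment: wmic spawning reg.exe
        # to register a binary under AppData\Roaming.
        "name": "wmic_spawns_reg_roaming",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"""wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'""",
    },
    {   # reg.exe itself, as the child WmiPrvSE.exe starts for the remote caller;
        # the path is under a user profile's Documents folder (user_1 AND user_2).
        "name": "reg_child_of_wmiprvse",
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Sync /t REG_SZ /d C:\Users\alice\Documents\sync.exe /f",
    },
    {   # Installer-style entry under Program Files: not in any suspicious path
        # list, so the rule stays quiet even though wmic and reg add are used.
        "name": "wmic_reg_program_files",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"""wmic process call create 'reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v VendorAgent /t REG_SZ /d "C:\Program Files\Vendor\agent.exe" /f'""",
    },
    {   # A plain reg query from cmd.exe: no WMI involvement, no 'add'.
        "name": "reg_query_from_cmd",
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    },
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Names of the events that would fire this rule."""
    return [e["name"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in alerts():
        print("ALERT:", name)
```

Only the first two samples fire: the first through `selection_suspicious_paths_1` (`\AppData\Roaming`), the second through both `selection_suspicious_paths_user_*` selections (`:\Users\` plus `\Documents`). The Program Files entry shows the intended scope of the path lists, and it is exactly the kind of event the `falsepositives` entry about software installations would otherwise cover.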
