Potential Windows Defender Tampering Via Wmic.EXE

 1title: Potential Windows Defender Tampering Via Wmic.EXE
 2id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
 3status: test
 4description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
 7    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 8    - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
 9author: frack113
10date: 2022-12-11
11modified: 2023-02-14
12tags:
13    - attack.credential-access
14    - attack.t1546.008
15logsource:
16    product: windows
17    category: process_creation
18detection:
19    selection_img:
20        - OriginalFileName: 'wmic.exe'
21        - Image|endswith: '\WMIC.exe'
22    selection_cli:
23        CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
24    condition: all of selection_*
25falsepositives:
26    - Unknown
27level: high

References

• atomic-red-team/atomics/T1562.001/T1562.001.md at 5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• GootKit Malware Bypasses Windows Defender by Setting Path Exclusions

  

  As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.

  
  Read More

• IObit forums hacked to spread ransomware to its members

  

  Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

  
  Read More

Related rules

• Potential Suspicious Activity Using SeCEdit
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• ADCS Certificate Template Configuration Vulnerability
• ADCS Certificate Template Configuration Vulnerability with Risky EKU