Potential Windows Defender Tampering Via Wmic.EXE

 1title: Potential Windows Defender Tampering Via Wmic.EXE
 2id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
 3status: test
 4description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
 7    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 8    - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
 9author: frack113
10date: 2022-12-11
11modified: 2023-02-14
12tags:
13    - attack.defense-evasion
14    - attack.execution
15    - attack.t1047
16    - attack.t1562
17logsource:
18    product: windows
19    category: process_creation
20detection:
21    selection_img:
22        - OriginalFileName: 'wmic.exe'
23        - Image|endswith: '\WMIC.exe'
24    selection_cli:
25        CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
26    condition: all of selection_*
27falsepositives:
28    - Unknown
29level: high

References

• atomic-red-team/atomics/T1562.001/T1562.001.md at 5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• GootKit Malware Bypasses Windows Defender by Setting Path Exclusions

  

  As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.

  
  Read More

• IObit forums hacked to spread ransomware to its members

  

  Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.

  
  Read More

Related rules

• Potential SquiblyTwo Technique Execution
• HTML Help HH.EXE Suspicious Child Process
• Suspicious HH.EXE Execution
• Suspicious WMIC Execution Via Office Process
• Suspicious WmiPrvSE Child Process