Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Sigma rule (View on GitHub)
1title: Potential Windows Defender Tampering Via Wmic.EXE
2id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
3status: test
4description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
7 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
8 - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
9author: frack113
10date: 2022/12/11
11modified: 2023/02/14
12tags:
13 - attack.credential_access
14 - attack.t1546.008
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection_img:
20 - OriginalFileName: 'wmic.exe'
21 - Image|endswith: '\WMIC.exe'
22 selection_cli:
23 CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
24 condition: all of selection_*
25falsepositives:
26 - Unknown
27level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.
Read More -
Windows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange DeroHE ransomware to its forum members.
Read More
Related rules
- Potential Suspicious Activity Using SeCEdit
- HackTool - CrackMapExec Process Patterns
- HackTool - Quarks PwDump Execution
- PUA - WebBrowserPassView Execution
- Persistence Via Sticky Key Backdoor