Process Creation Attempt via Wmic.EXE

Detects the attempt to create a process via "wmic" with the "process call create" flag, which might indicate an attempt to execute a malicious process on the compromised host. Adversaries may use wmic to execute a process on the compromised host as part of their attack. The rule fires on the attempt itself; the resulting process creation may be either successful or unsuccessful.

Sigma rule

```yaml
title: Process Creation Attempt via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: |
    Detects the attempt to create a process via "wmic" with the "process call create" flag, which might
    indicate an attempt to execute a malicious process on the compromised host. Adversaries may use
    wmic to execute a process on the compromised host as part of their attack. This event is triggered
    on the attempt and the process creation can be either successful or unsuccessful.
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic red team
      name: WMI Execute Local Process
      technique: T1047
      atomic_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_process_creation/info.yml
```
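To make the rule's matching semantics concrete, the following Python evaluates the same logic over a handful of constructed process_creation events. It is an added example, not code from the SigmaHQ rule or its regression tests; the function names (`selection_img`, `selection_cli`, `matches`, `run`) and the sample events are assumptions made here. It mirrors the Sigma behaviour the rule relies on: list items inside `selection_img` are OR-ed, `contains|all` requires every substring, string modifiers are case-insensitive by default, and `condition: all of selection_*` requires both selections.

```python
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation log source used by the rule.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # local execution: expected to match
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'wmic process call create "C:\Users\Public\tool.exe"',
    },
    {   # /node: the attempt is still logged on the originating host: expected to match
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'wmic /node:"SRV01" PROCESS CALL CREATE "cmd.exe /c whoami"',
    },
    {   # plain enumeration, no 'call create': expected not to match
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic process list brief",
    },
    {   # renamed binary; OriginalFileName from the PE header still identifies it: expected to match
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe process call create notepad.exe",
    },
    {   # another binary carrying the same words: expected not to match
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo process call create",
    },
]


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img: Image|endswith '\\wmic.exe' OR OriginalFileName 'wmic.exe'.

    Sigma string comparisons are case-insensitive by default, so both sides
    are lower-cased before comparing.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    """selection_cli: CommandLine|contains|all of 'process', 'call', 'create'.

    'contains' is a substring test and 'all' means every listed value must be
    present somewhere in the command line; order is not enforced.
    """
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in ("process", "call", "create"))


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def run(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would flag."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Two points the sample set illustrates: the `OriginalFileName` alternative keeps the rule effective when the binary has been copied under another name, and because `contains|all` is an unordered substring check, any wmic command line that happens to carry all three words will fire. Administrative scripting that legitimately uses `wmic process call create` produces the same event, which is why the rule lists its false positives as unknown and sits at medium level; triage should look at the parent process, the user context and the created image rather than treating a hit as confirmed malicious.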
