New Process Created Via Wmic.EXE

Detects new process creation using WMIC via the "process call create" flag

Sigma rule

title: New Process Created Via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: Detects new process creation using WMIC via the "process call create" flag
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019/01/16
modified: 2023/02/14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
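As an added example (editor-written; not code from the Sigma project or the rule's authors), the following Python snippet evaluates the detection logic of this rule against a few constructed process_creation events. It shows how the pieces combine: a list of maps under selection_img is an OR (either the image path ends in \wmic.exe or the PE's OriginalFileName is wmic.exe), the three CommandLine|contains|all tokens are all required, Sigma string matching is case-insensitive, and the condition "all of selection_*" ANDs both selections together. The event dictionaries and the tiny evaluator are assumptions made for illustration; a real deployment would convert the rule with a Sigma backend rather than use this code.

```python
# Added example: a minimal evaluator for the Sigma rule above. Editor-written,
# not the Sigma project's own matcher. Event records below are constructed
# samples, not real telemetry.

# The rule's detection section, transcribed as Python data.
RULE = {
    "selection_img": [                       # list of maps => OR between items
        {"Image|endswith": "\\wmic.exe"},
        {"OriginalFileName": "wmic.exe"},
    ],
    "selection_cli": {                       # single map => AND between keys
        "CommandLine|contains|all": ["process", "call", "create"],
    },
}


def _match_field(event, key, expected):
    """Evaluate one 'field|modifier...' entry. Sigma string comparisons are
    case-insensitive by default, so both sides are lower-cased."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in values]
    if "contains" in mods:
        if "all" in mods:                    # every listed substring must occur
            return all(v in value for v in values)
        return any(v in value for v in values)
    if "endswith" in mods:
        return any(value.endswith(v) for v in values)
    if "startswith" in mods:
        return any(value.startswith(v) for v in values)
    return any(value == v for v in values)   # no modifier: exact (case-insensitive) match


def _match_selection(event, selection):
    """A list selection is an OR over its items; a map is an AND over its keys."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches_rule(event):
    """condition: all of selection_* -> every selection_* block must match."""
    selections = [v for k, v in RULE.items() if k.startswith("selection_")]
    return all(_match_selection(event, sel) for sel in selections)


# Constructed sample process_creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {   # 1: the textbook case; mixed case to show case-insensitive matching
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'WMIC process call create "notepad.exe"',
    },
    {   # 2: image path does not end in \wmic.exe, but OriginalFileName still does
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe process call create notepad.exe",
    },
    {   # 3: routine WMIC query; 'call' and 'create' are absent
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption",
    },
    {   # 4: the three tokens appear, but the process is not WMIC
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo process call create",
    },
]


def run_samples():
    """Return the match verdict for each sample event, in order."""
    return [matches_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{'ALERT ' if hit else 'ok    '} {event['CommandLine']}")
```

Events 1 and 2 fire and events 3 and 4 do not. Two properties of the rule are worth keeping in mind when tuning it: the three CommandLine tokens are matched independently, so switches or node arguments between "process", "call" and "create" do not affect the result, and the OriginalFileName branch is what lets the rule keep matching when the binary is invoked under a different file name.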
