Process Creation Attempt via Wmic.EXE
Detects the attempt to create a process via "wmic" with the "process call create" flag, which might indicate an attempt to execute a malicious process on the compromised host. Adversaries may use wmic to execute a process on the compromised host as part of their attack. This event is triggered on the attempt, and the process creation itself can be either successful or unsuccessful.
Sigma rule
```yaml
title: Process Creation Attempt via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: |
    Detects the attempt to create a process via "wmic" with the "process call create" flag, which might
    indicate an attempt to execute a malicious process on the compromised host. Adversaries may use
    wmic to execute a process on the compromised host as part of their attack. This event is triggered on
    the attempt, and the process creation itself can be either successful or unsuccessful.
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic red team
      name: WMI Execute Local Process
      technique: T1047
      atomic_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_process_creation/info.yml
```
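To make the matching semantics concrete, the following is an added Python re-implementation of the rule's two selections and their `all of selection_*` condition (example code, not part of the Sigma project or of this page), run over constructed process_creation events. It assumes Sigma's default case-insensitive string matching, and that `Image`, `OriginalFileName` and `CommandLine` arrive as plain string fields; the renamed-binary event shows why the rule keys on `OriginalFileName` as well as the image path.

```python
from typing import Dict, Iterable, List

# Values copied from the rule. Sigma string modifiers are case-insensitive
# by default, so every comparison below folds case first.
IMAGE_SUFFIX = "\\wmic.exe"
ORIGINAL_FILE_NAME = "wmic.exe"
CLI_TOKENS = ("process", "call", "create")


def selection_img(event: Dict[str, str]) -> bool:
    """A list of maps under a selection is OR-ed: either field match suffices."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains|all: every token must occur somewhere in the line."""
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in CLI_TOKENS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry); field names follow the
# Sigma process_creation taxonomy.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic process call create "notepad.exe"'},
    {"id": "e2", "Image": "C:\\Temp\\w.exe",  # renamed copy, caught via OFN
     "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe PROCESS CALL CREATE calc.exe"},
    {"id": "e3", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},  # benign enumeration
    {"id": "e4", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo process call create"},  # tokens, wrong image
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['e1', 'e2']
```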
Related rules
- Hardware Model Reconnaissance Via Wmic.EXE
- Application Removed Via Wmic.EXE
- Application Termination Attempt via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE