Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate the Windows registry via the WMI StdRegProv class. This behaviour is potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
Sigma rule
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-evasion
    - attack.discovery
    - attack.t1047
    - attack.t1112
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'stdregprov'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
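The rule's two selections, expressed as plain Python over constructed process_creation events so the matching (OR between the two image alternatives, AND across the command-line terms, case-insensitive as Sigma string modifiers are by default) can be checked by hand. This is an added example, not code from the Sigma rule or the SigmaHQ project; the event dictionaries are constructed samples using the rule's Image, OriginalFileName and CommandLine field names.

```python
from typing import Dict, List

# selection_img is a list of maps in the rule, so its two entries are OR-ed.
# selection_cli uses contains|all, so every term must appear in CommandLine.
# Sigma string matching is case-insensitive by default; compare lowercased.
IMAGE_SUFFIX = "\\wmic.exe"
ORIGINAL_FILENAME = "wmic.exe"
CLI_TERMS = ("call", "stdregprov")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a process_creation event satisfies 'all of selection_*'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection_img = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILENAME
    selection_cli = all(term in cmdline for term in CLI_TERMS)
    return selection_img and selection_cli


# Constructed sample events (not real telemetry). The first command line is
# the one quoted in the rule's own comment; the rest are variations.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName="SOFTWARE\Policies\DeleteMe"'},
    # Renamed copy: Image no longer ends with \wmic.exe, but the PE header's
    # OriginalFileName still identifies it, so selection_img still holds.
    {"Image": r"C:\Users\Public\w.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'w.exe /namespace:\\root\default class stdregprov call createkey sSubKeyName="SOFTWARE\Example"'},
    # Benign wmic usage with no StdRegProv involvement: selection_cli fails.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},
    # The same key created through reg.exe is out of scope for this rule.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Policies\DeleteMe"},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Apply the rule to each event; returns one verdict per event."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "     ", event["CommandLine"])
```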
Related rules
- Blue Mockingbird
- Blue Mockingbird - Registry
- Operation Wocao Activity
- Operation Wocao Activity - Security
- HackTool - SharpUp PrivEsc Tool Execution