Registry Manipulation via WMI Stdregprov
Detects the use of wmic.exe to manipulate the Windows registry via the WMI StdRegProv class. This behaviour can be suspicious because it modifies registry keys through an alternative path instead of the usual registry tools such as reg.exe or regedit.exe. Attackers choose this technique to evade detection by security monitoring that focuses on traditional registry modification commands.
Sigma rule

```yaml
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.discovery
    - attack.t1047
    - attack.t1112
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'stdregprov'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
```
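The rule's logic is simple enough to reproduce outside a SIEM, which is useful for checking what it will and will not fire on before deploying it. The following is an added example, not code from SigmaHQ or from the rule's author: a small evaluator that applies the two selections to constructed process-creation events. Field names mirror the rule (Image, OriginalFileName, CommandLine); the sample events, paths and command lines are constructed, and Sigma string matching is case-insensitive by default, so every comparison lower-cases first.

```python
"""Evaluator for the 'Registry Manipulation via WMI Stdregprov' rule
(added example; not part of the SigmaHQ rule or its references)."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process_creation event (Sysmon EID 1 / Security 4688 style)."""
    image: str
    original_file_name: str
    command_line: str


def matches_selection_img(ev: ProcessEvent) -> bool:
    """selection_img is a YAML list of maps, so its entries are OR-ed:
    the path suffix suffices, and OriginalFileName (taken from the PE
    version resource) still matches when the binary has been renamed."""
    return (ev.image.lower().endswith("\\wmic.exe")
            or ev.original_file_name.lower() == "wmic.exe")


# selection_cli uses contains|all: every substring must be present.
REQUIRED_SUBSTRINGS = ("call", "stdregprov")


def matches_selection_cli(ev: ProcessEvent) -> bool:
    cmd = ev.command_line.lower()
    return all(sub in cmd for sub in REQUIRED_SUBSTRINGS)


def rule_matches(ev: ProcessEvent) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return matches_selection_img(ev) and matches_selection_cli(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. The command the rule's own comment simulates (registry write).
    ProcessEvent(
        r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
        r'WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey '
        r'sSubKeyName="SOFTWARE\Policies\DeleteMe"'),
    # 2. Same class used to enumerate keys (discovery, T1012) from a
    #    renamed copy of wmic.exe: Image misses, OriginalFileName matches.
    ProcessEvent(
        r"C:\Users\Public\svc.exe", "wmic.exe",
        r'svc.exe /namespace:\\root\default class stdregprov call EnumKey '
        r'sSubKeyName="SOFTWARE"'),
    # 3. Benign inventory query: right binary, wrong command line.
    ProcessEvent(
        r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
        "wmic os get Caption,Version"),
    # 4. The traditional tool doing the same write: out of scope for this
    #    rule, which is exactly the gap the rule is meant to close.
    ProcessEvent(
        r"C:\Windows\System32\reg.exe", "reg.exe",
        r'reg add HKLM\SOFTWARE\Policies\DeleteMe'),
]


def evaluate(events):
    """Return the command lines of the events the rule would alert on."""
    return [ev.command_line for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Events 1 and 2 alert, events 3 and 4 do not. Two points worth noting from running it: `OriginalFileName` is what catches the renamed binary, so a pipeline that only forwards `Image` weakens the rule; and because `call` is a short substring, the rule only stays precise in combination with `stdregprov`, which is also why legitimate administrative scripts using the same class are listed as the expected false positive.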
Related rules
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Potential Baby Shark Malware Activity
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Suspicious Microsoft Office Child Process