Registry Manipulation via WMI Stdregprov

Detects the use of wmic.exe to modify the Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.). This behaviour is potentially suspicious because it modifies registry keys through an alternative path rather than the standard registry tools reg.exe or regedit.exe; attackers choose it to evade monitoring that focuses on traditional registry modification commands.

Sigma rule

```yaml
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
related:
    - id: a0e417e2-2fa1-40da-b6d2-e094cd5e1191 # Registry Enumeration via WMI Stdregprov
      type: similar
description: |
    Detects the usage of wmic.exe to modify Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.).
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov
author: Daniel Koifman (KoifSec)
date: 2025-07-30
modified: 2026-06-19
tags:
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'stdregprov'
            - 'call'
        CommandLine|contains:
            - 'CreateKey'
            - 'DeleteKey'
            - 'DeleteValue'
            - 'SetBinaryValue'
            - 'SetDWORDValue'
            - 'SetExpandedStringValue'
            - 'SetMultiStringValue'
            - 'SetQWORDValue'
            - 'SetSecurityDescriptor'
            - 'SetStringValue'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification/info.yml
```
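To make the rule's matching semantics concrete, here is an added example (not part of the Sigma rule, the page, or any Sigma backend) that evaluates the two selections over a few constructed process-creation events. It follows Sigma's defaults: a list of maps under `selection_img` means OR between the `Image|endswith` and `OriginalFileName` checks, the two modifiers under `selection_cli` are ANDed, `contains|all` requires every token, plain `contains` requires any listed method, and string matching is case-insensitive. The event dictionaries, field names (`Image`, `OriginalFileName`, `CommandLine`) and the `hDefKey` value 2147483650 (HKEY_LOCAL_MACHINE) are constructed sample input, not events from the page.

```python
"""Evaluate the 'Registry Manipulation via WMI Stdregprov' selections over
constructed process_creation events (added example, not the rule's own code)."""

# Write methods listed under CommandLine|contains in the rule.
WRITE_METHODS = [
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetExpandedStringValue", "SetMultiStringValue", "SetQWORDValue",
    "SetSecurityDescriptor", "SetStringValue",
]


def _lc(value):
    """Lower-case a field; Sigma string modifiers match case-insensitively."""
    return (value or "").lower()


def selection_img(event):
    """selection_img is a list of maps, so either field check is enough (OR)."""
    image_ok = _lc(event.get("Image")).endswith("\\wmic.exe")
    ofn_ok = _lc(event.get("OriginalFileName")) == "wmic.exe"
    return image_ok or ofn_ok


def selection_cli(event):
    """selection_cli is a single map: contains|all AND contains must both hold."""
    cmd = _lc(event.get("CommandLine"))
    all_tokens = all(tok in cmd for tok in ("stdregprov", "call"))
    any_write = any(m.lower() in cmd for m in WRITE_METHODS)
    return all_tokens and any_write


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical; not from the page).
SAMPLE_EVENTS = [
    {   # the command simulated in the rule's own comment
        "id": "wmic-createkey",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName="SOFTWARE\Policies\DeleteMe"',
    },
    {   # read-only method: handled by the related enumeration rule, not this one
        "id": "wmic-enumkey",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'wmic /namespace:\\root\default class StdRegProv call EnumKey hDefKey="2147483650" sSubKeyName="SOFTWARE"',
    },
    {   # traditional tool: out of scope for this rule (fails selection_img)
        "id": "reg-add",
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKLM\SOFTWARE\Policies\DeleteMe /f",
    },
    {   # renamed binary: OriginalFileName from the PE version info still matches
        "id": "renamed-wmic",
        "Image": r"C:\Users\Public\w.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r'w.exe /namespace:\\root\default class stdregprov call SetStringValue hDefKey="2147483650" sSubKeyName="SOFTWARE\Policies\DeleteMe" sValueName="x" sValue="y"',
    },
    {   # wmic 'call' against another class: no 'stdregprov' token, no match
        "id": "wmic-other-class",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'wmic process call create "notepad.exe"',
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<18} img={selection_img(e)!s:<5} cli={selection_cli(e)!s:<5} match={matches(e)}")
```

The `renamed-wmic` case is why the rule keeps `OriginalFileName` alongside `Image|endswith`: a copied or renamed wmic.exe still carries its original file name in the PE version resource that Sysmon and similar sensors log. Conversely, `wmic-enumkey` shows the boundary with the related enumeration rule: `contains|all` is satisfied, but none of the write methods appear, so this rule stays quiet.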
