Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to modify the Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.). This behaviour is potentially suspicious because it uses an alternative method to modify registry keys instead of the usual registry tools such as reg.exe or regedit.exe. Attackers choose this technique specifically to evade detection and bypass security monitoring focused on traditional registry modification commands.
Sigma rule
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
related:
    - id: a0e417e2-2fa1-40da-b6d2-e094cd5e1191 # Registry Enumeration via WMI Stdregprov
      type: similar
description: |
    Detects the usage of wmic.exe to modify Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.).
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov
author: Daniel Koifman (KoifSec)
date: 2025-07-30
modified: 2026-06-19
tags:
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img: # Example command simulated: WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'stdregprov'
            - 'call'
        CommandLine|contains:
            - 'CreateKey'
            - 'DeleteKey'
            - 'DeleteValue'
            - 'SetBinaryValue'
            - 'SetDWORDValue'
            - 'SetExpandedStringValue'
            - 'SetMultiStringValue'
            - 'SetQWORDValue'
            - 'SetSecurityDescriptor'
            - 'SetStringValue'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification/info.yml
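To make the rule's matching semantics concrete, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the detection logic above against three constructed process_creation events: the simulated CreateKey command from the rule's comment, a read-only StdRegProv EnumKey call that the related enumeration rule covers, and a plain reg.exe invocation. Sigma's contains/endswith modifiers are case-insensitive, and the two entries under selection_img form a list of maps (OR), which the code mirrors.

```python
# Added example: minimal evaluator for the Sigma rule above (not Sigma's own code).
# Sigma string modifiers match case-insensitively, so everything is lowercased.
from typing import Dict, List

IMAGE_SUFFIX = "\\wmic.exe"
ORIGINAL_FILE_NAME = "wmic.exe"
REQUIRED_ALL = ("stdregprov", "call")          # CommandLine|contains|all
WRITE_METHODS = (                              # CommandLine|contains (any)
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetExpandedStringValue", "SetMultiStringValue", "SetQWORDValue",
    "SetSecurityDescriptor", "SetStringValue",
)

def selection_img(event: Dict[str, str]) -> bool:
    """selection_img is a list of maps, so either map may match (OR)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME

def selection_cli(event: Dict[str, str]) -> bool:
    """Both 'stdregprov' and 'call' must appear, plus at least one write method."""
    cli = event.get("CommandLine", "").lower()
    has_all = all(token in cli for token in REQUIRED_ALL)
    has_write_method = any(m.lower() in cli for m in WRITE_METHODS)
    return has_all and has_write_method

def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)

def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that would raise an alert under this rule."""
    return [i for i, e in enumerate(events) if matches(e)]

# Constructed sample events (not real telemetry): index 0 is the rule's own
# simulated CreateKey command; 1 is a read-only EnumKey call; 2 uses reg.exe.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'WMIC /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName="SOFTWARE\Policies\DeleteMe"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /namespace:\\root\default class stdregprov call EnumKey hDefKey=2147483650 sSubKeyName="SOFTWARE"'},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Policies\DeleteMe /f"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0]
```

Only the CreateKey event fires; the EnumKey call satisfies the stdregprov/call requirement but none of the write methods, which is why enumeration is handled by the related rule instead.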
Related rules
- Blue Mockingbird
- Blue Mockingbird - Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- DHCP Callout DLL Installation
- New DNS ServerLevelPluginDll Installed