Suspicious WMIC Execution Via Office Process

Jan 1, 2024 · attack.t1204.002 attack.t1047 attack.t1218.010 attack.execution attack.defense_evasion ·

Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Sigma rule (View on GitHub)

 1title: Suspicious WMIC Execution Via Office Process
 2id: e1693bc8-7168-4eab-8718-cdcaa68a1738
 3related:
 4    - id: 438025f9-5856-4663-83f7-52f878a70a50
 5      type: derived
 6    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
 7      type: obsoletes
 8    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
 9      type: obsoletes
10    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
11      type: obsoletes
12    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
13      type: obsoletes
14status: test
15description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
16references:
17    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
18    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
19author: Vadim Khrykov, Cyb3rEng
20date: 2021/08/23
21modified: 2023/02/14
22tags:
23    - attack.t1204.002
24    - attack.t1047
25    - attack.t1218.010
26    - attack.execution
27    - attack.defense_evasion
28logsource:
29    product: windows
30    category: process_creation
31detection:
32    selection_parent:
33        ParentImage|endswith:
34            - '\WINWORD.EXE'
35            - '\EXCEL.EXE'
36            - '\POWERPNT.exe'
37            - '\MSPUB.exe'
38            - '\VISIO.exe'
39            - '\MSACCESS.EXE'
40            - '\EQNEDT32.EXE'
41            - '\ONENOTE.EXE'
42            - '\wordpad.exe'
43            - '\wordview.exe'
44    selection_wmic_img:
45        - Image|endswith: '\wbem\WMIC.exe'
46        - OriginalFileName: 'wmic.exe'
47    selection_wmic_cli:
48        CommandLine|contains|all:
49            - 'process'
50            - 'create'
51            - 'call'
52        CommandLine|contains:
53            # Add more suspicious LOLBINs as you see fit
54            - 'regsvr32'
55            - 'rundll32'
56            - 'msiexec'
57            - 'mshta'
58            - 'verclsid'
59            - 'wscript'
60            - 'cscript'
61    condition: all of selection_*
62falsepositives:
63    - Unknown
64level: high

References

Sodinokibi (aka REvil) Ransomware

Sodinokibi (aka REvil) has been one of the most prolific ransomware as a service (RaaS) groups over the last couple years. The ransomware family was purported to be behind the Travelex intrusion and current reports point to an attack against Acer for a reported $50 million ransom demand.

Read More
Detection-Ideas-Rules/Threat Intelligence/The DFIR Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml at 02bcbfc2bfb8b4da601bb30de0344ae453aa1afe · vadim-hunter/Detection-Ideas-Rules

Detection Ideas & Rules repository. Contribute to vadim-hunter/Detection-Ideas-Rules development by creating an account on GitHub.

Read More

Suspicious WMIC Execution Via Office Process

Sigma rule (View on GitHub)

References

Sodinokibi (aka REvil) Ransomware

Detection-Ideas-Rules/Threat Intelligence/The DFIR Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml at 02bcbfc2bfb8b4da601bb30de0344ae453aa1afe · vadim-hunter/Detection-Ideas-Rules

Related rules