Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
Sigma rule
title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
      type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
references:
    - https://thedfirreport.com/2020/10/08/ryuks-return/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'process '
            - 'call '
            - 'create '
        CommandLine|contains:
            # Add more suspicious paths and binaries as you see fit in your env
            - 'rundll32'
            - 'bitsadmin'
            - 'regsvr32'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'powershell'
            - 'pwsh'
            - 'certutil'
            - 'cscript'
            - 'wscript'
            - 'mshta'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '\AppData\Local\'
            - '%temp%'
            - '%tmp%'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    condition: selection
falsepositives:
    - Unknown
level: high
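To see what the selection above actually fires on, here is an added Python evaluator (example code written for this page, not part of the rule or of the Sigma project) that applies the rule's `contains|all` and `contains` lists, with Sigma's default case-insensitive substring matching, to constructed process_creation events. Like the rule, it keys on CommandLine only and ignores the Image field.

```python
"""Evaluate the 'Suspicious Process Created Via Wmic.EXE' selection over sample events."""

# Values copied from the rule above; Sigma string modifiers match case-insensitively.
ALL_OF = ["process ", "call ", "create "]
ANY_OF = [
    "rundll32", "bitsadmin", "regsvr32",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
    "cmd /c ", "cmd /k ", "cmd /r ",
    "powershell", "pwsh", "certutil", "cscript", "wscript", "mshta",
    "\\Users\\Public\\", "\\Windows\\Temp\\", "\\AppData\\Local\\",
    "%temp%", "%tmp%", "%ProgramData%", "%appdata%", "%comspec%", "%localappdata%",
]


def matches(command_line: str) -> bool:
    """True when the rule's single selection fires on this CommandLine value.

    contains|all -> every listed substring must occur;
    contains     -> at least one listed substring must occur.
    """
    cl = command_line.lower()
    return all(s.lower() in cl for s in ALL_OF) and any(s.lower() in cl for s in ANY_OF)


# Constructed sample process_creation events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "rundll32.exe C:\\Users\\Public\\x.dll,Start"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'WMIC /node:"host1" process call create "cmd /c dir"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},          # no "call " -> no match
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "notepad.exe"'},  # nothing from ANY_OF
]


def triage(events):
    """Return the CommandLine of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches(e["CommandLine"])]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The fourth event shows the intended scope: a plain "process call create" of an unlisted binary does not fire, only one that also names a listed LOLBin or staging path.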
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE