Application Terminated Via Wmic.EXE

calendar Aug 12, 2024 · attack.execution attack.t1047  ·
Share on: linkedin copy

Detects calls to the "terminate" function via wmic in order to kill an application

Sigma rule (View on GitHub)

 1title: Application Terminated Via Wmic.EXE
 2id: 49d9671b-0a0a-4c09-8280-d215bfd30662
 3related:
 4    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
 5      type: derived
 6status: test
 7description: Detects calls to the "terminate" function via wmic in order to kill an application
 8references:
 9    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
10    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-09-11
13tags:
14    - attack.execution
15    - attack.t1047
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\WMIC.exe'
22        - OriginalFileName: 'wmic.exe'
23    selection_cli:
24        CommandLine|contains|all:
25            - 'call'
26            - 'terminate'
27    condition: all of selection_*
28falsepositives:
29    - Unknown
30level: medium

References

  • LockFile Ransomware: Exploiting Exchange With ProxyShell

    Cyble's research on the LockFile ransomware that is attacking Microsoft Exchange servers using PowerShell attack.


    Read More

  • •`«–Ã]¼oÑKS²O›SΊý±¯#îÝ̪•£ÿy…ÛnUך;jß÷;d½7�\4чÙ_LˆefÈÀéö%W%Ì—>iu-`××µ§bΨþbU‡„P%•Æô™ÙÑ)a}ÄÌA�ë ‘0C Â´ ƒƒ8%s+ÁN */,4­âk� ¾©9¼ˆïëO,D˜ë›Ž-lh×:AÔ‘Tr¸†•ÆTqF•ßø{§%2ŸxŽRMÐ"êPÔJñÆ )@\u…=�...


    Read More

Related rules

to-top