Application Termination Attempt via Wmic.EXE

Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may use wmic to terminate security products or other applications on the compromised host. This rule fires on the attempt itself (the process creation event), regardless of whether the termination succeeds or fails.

Sigma rule

title: Application Termination Attempt via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: |
    Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may
    use wmic to terminate security products or other applications on the compromised host. This event is
    triggered on an attempt; the process creation can be either successful or unsuccessful.
references:
    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'terminate'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_terminate_application/info.yml
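The following is an added example, not part of the SigmaHQ rule or its regression data: it re-implements the rule's `all of selection_*` logic in Python and runs it over constructed process_creation events, showing why `OriginalFileName` catches a renamed wmic binary and why a non-wmic command line containing both tokens does not alert. Field names follow the Sigma process_creation schema; the sample events and process names are made up.

```python
# Added example (not from the SigmaHQ rule): evaluates the rule's detection
# logic over constructed process_creation events. Sigma string matching is
# case-insensitive by default, so every compared value is lowercased.

IMAGE_SUFFIX = "\\wmic.exe"          # Image|endswith: '\WMIC.exe'
ORIGINAL_FILE_NAME = "wmic.exe"      # OriginalFileName: 'wmic.exe'
CLI_TOKENS = ("call", "terminate")   # CommandLine|contains|all


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'all of selection_*'.

    selection_img is a list, so either the Image suffix OR the PE
    OriginalFileName may match; selection_cli needs both tokens.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection_img = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME
    selection_cli = all(token in cmdline for token in CLI_TOKENS)
    return selection_img and selection_cli


# Constructed sample telemetry (hypothetical, not captured from a real host).
SAMPLE_EVENTS = [
    # 1. Straightforward hit: wmic invoked with the 'call terminate' verb.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic process where name="notepad.exe" call terminate'},
    # 2. Renamed binary: Image check fails, but the PE metadata still says wmic.exe.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'svc.exe process where name="notepad.exe" CALL Terminate'},
    # 3. Benign inventory query: no 'terminate' token, so selection_cli fails.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption,version"},
    # 4. Both tokens present but the process is not wmic: selection_img fails.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c echo "call terminate"'},
]


def alerting_events(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```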
