Application Termination Attempt via Wmic.EXE
Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may use wmic to terminate security products or other applications on the compromised host. This event is triggered on attempt, and the process creation can be either successful or unsuccessful.
Sigma rule

title: Application Termination Attempt via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: |
    Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may
    use wmic to terminate security products or other applications on the compromised host. This event is
    triggered on attempt and process creation can be either successful or unsuccessful.
references:
    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'terminate'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_terminate_application/info.yml
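To show how the two selections combine, here is an added Python example (not code from the Sigma project or from this page) that evaluates the rule's logic against a few constructed process_creation events, including a renamed binary that only the OriginalFileName branch catches. The event field names and sample values are assumptions chosen to mirror the rule.

```python
# Added example (not part of the Sigma project or this rule's page): evaluates
# the rule's detection logic against constructed process_creation events.
# Sigma string matching is case-insensitive by default, so both sides are
# lower-cased before 'endswith' / 'contains' / equality are applied.
RULE = {
    "selection_img": [                  # list of maps: OR between entries
        {"Image|endswith": "\\WMIC.exe"},
        {"OriginalFileName": "wmic.exe"},
    ],
    "selection_cli": {                  # single map: AND between its keys
        "CommandLine|contains|all": ["call", "terminate"],
    },
}

def _match_field(event, key, value):
    """Apply one 'Field|modifier...' spec to a single event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (value if isinstance(value, list) else [value])]
    if "endswith" in mods:
        hits = [actual.endswith(w) for w in wanted]
    elif "contains" in mods:
        hits = [w in actual for w in wanted]
    else:
        hits = [actual == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)

def _match_selection(event, selection):
    if isinstance(selection, list):       # OR over list items
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())

def matches_rule(event):
    """condition: all of selection_*"""
    return all(_match_selection(event, s) for s in RULE.values())

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic process where name="notepad.exe" call terminate'},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},                 # benign query: no hit
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo call terminate"},          # keywords, wrong image
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "renamed.exe process call terminate"},  # caught via OriginalFileName
]

def matching_events():
    return [e for e in EVENTS if matches_rule(e)]
```

Only the first and last events fire; the second is a plain WMI query and the third carries the keywords but not the wmic image.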
Related rules
- Application Removed Via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE