Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

Sigma rule (View on GitHub)

 1title: Potential Tampering With Security Products Via WMIC
 2id: 847d5ff3-8a31-4737-a970-aeae8fe21765
 3related:
 4    - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
 5      type: derived
 6status: test
 7description: Detects uninstallation or termination of security products using the WMIC utility
 8references:
 9    - https://twitter.com/cglyer/status/1355171195654709249
10    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
11    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
12    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
13    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
14author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
15date: 2021-01-30
16modified: 2023-02-14
17tags:
18    - attack.defense-evasion
19    - attack.t1562.001
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_cli_1:
25        CommandLine|contains|all:
26            - 'wmic'
27            - 'product where '
28            - 'call'
29            - 'uninstall'
30            - '/nointeractive'
31    selection_cli_2:
32        CommandLine|contains|all:
33            - 'wmic'
34            - 'caption like '
35        CommandLine|contains:
36            - 'call delete'
37            - 'call terminate'
38    selection_cli_3:
39        CommandLine|contains|all:
40            - 'process '
41            - 'where '
42            - 'delete'
43    selection_product:
44        CommandLine|contains:
45            - '%carbon%'
46            - '%cylance%'
47            - '%endpoint%'
48            - '%eset%'
49            - '%malware%'
50            - '%Sophos%'
51            - '%symantec%'
52            - 'Antivirus'
53            - 'AVG '
54            - 'Carbon Black'
55            - 'CarbonBlack'
56            - 'Cb Defense Sensor 64-bit'
57            - 'Crowdstrike Sensor'
58            - 'Cylance '
59            - 'Dell Threat Defense'
60            - 'DLP Endpoint'
61            - 'Endpoint Detection'
62            - 'Endpoint Protection'
63            - 'Endpoint Security'
64            - 'Endpoint Sensor'
65            - 'ESET File Security'
66            - 'LogRhythm System Monitor Service'
67            - 'Malwarebytes'
68            - 'McAfee Agent'
69            - 'Microsoft Security Client'
70            - 'Sophos Anti-Virus'
71            - 'Sophos AutoUpdate'
72            - 'Sophos Credential Store'
73            - 'Sophos Management Console'
74            - 'Sophos Management Database'
75            - 'Sophos Management Server'
76            - 'Sophos Remote Management System'
77            - 'Sophos Update Manager'
78            - 'Threat Protection'
79            - 'VirusScan'
80            - 'Webroot SecureAnywhere'
81            - 'Windows Defender'
82    condition: 1 of selection_cli_* and selection_product
83falsepositives:
84    - Legitimate administration
85level: high

References

Related rules

to-top