Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

Sigma rule

```yaml
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
    - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
      type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
    - https://twitter.com/cglyer/status/1355171195654709249
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/01/30
modified: 2023/02/14
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'product where '
            - 'call'
            - 'uninstall'
            - '/nointeractive'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'caption like '
        CommandLine|contains:
            - 'call delete'
            - 'call terminate'
    selection_cli_3:
        CommandLine|contains|all:
            - 'process '
            - 'where '
            - 'delete'
    selection_product:
        CommandLine|contains:
            - '%carbon%'
            - '%cylance%'
            - '%endpoint%'
            - '%eset%'
            - '%malware%'
            - '%Sophos%'
            - '%symantec%'
            - 'Antivirus'
            - 'AVG '
            - 'Carbon Black'
            - 'CarbonBlack'
            - 'Cb Defense Sensor 64-bit'
            - 'Crowdstrike Sensor'
            - 'Cylance '
            - 'Dell Threat Defense'
            - 'DLP Endpoint'
            - 'Endpoint Detection'
            - 'Endpoint Protection'
            - 'Endpoint Security'
            - 'Endpoint Sensor'
            - 'ESET File Security'
            - 'LogRhythm System Monitor Service'
            - 'Malwarebytes'
            - 'McAfee Agent'
            - 'Microsoft Security Client'
            - 'Sophos Anti-Virus'
            - 'Sophos AutoUpdate'
            - 'Sophos Credential Store'
            - 'Sophos Management Console'
            - 'Sophos Management Database'
            - 'Sophos Management Server'
            - 'Sophos Remote Management System'
            - 'Sophos Update Manager'
            - 'Threat Protection'
            - 'VirusScan'
            - 'Webroot SecureAnywhere'
            - 'Windows Defender'
    condition: 1 of selection_cli_* and selection_product
falsepositives:
    - Legitimate administration
level: high
```
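To show how the rule's condition (`1 of selection_cli_* and selection_product`) behaves on real-looking process_creation events, here is an added stand-alone evaluator written for this page; it is not part of the Sigma project or its tooling. It transcribes the three CLI selections and a constructed subset of `selection_product`, applies Sigma's case-insensitive `contains` semantics, and runs the rule over four constructed command lines, including a benign WMIC inventory query and a process deletion with no product term, neither of which should alert.

```python
"""Minimal evaluator for the WMIC security-product tampering rule above.
Only CommandLine is checked, because every selection in the rule keys on it.
Sigma string matching is case-insensitive, so values are lower-cased first.
SELECTION_PRODUCT is a constructed subset of the rule's list, not the full one."""
from typing import Dict, List

SELECTION_CLI: Dict[str, Dict[str, List[str]]] = {
    # contains|all -> "all" (every token required); plain contains -> "any" (one is enough)
    "selection_cli_1": {"all": ["wmic", "product where ", "call", "uninstall", "/nointeractive"]},
    "selection_cli_2": {"all": ["wmic", "caption like "], "any": ["call delete", "call terminate"]},
    "selection_cli_3": {"all": ["process ", "where ", "delete"]},
}
SELECTION_PRODUCT: List[str] = [
    "%carbon%", "%malware%", "%sophos%", "antivirus", "carbon black",
    "malwarebytes", "sophos anti-virus", "windows defender",
]

def selection_matches(cmdline: str, sel: Dict[str, List[str]]) -> bool:
    c = cmdline.lower()
    if not all(tok.lower() in c for tok in sel.get("all", [])):
        return False
    any_toks = sel.get("any", [])
    return not any_toks or any(tok.lower() in c for tok in any_toks)

def matched_cli_selections(cmdline: str) -> List[str]:
    return [name for name, sel in SELECTION_CLI.items() if selection_matches(cmdline, sel)]

def rule_matches(cmdline: str) -> bool:
    """condition: 1 of selection_cli_* and selection_product"""
    product_hit = any(p.lower() in cmdline.lower() for p in SELECTION_PRODUCT)
    return bool(matched_cli_selections(cmdline)) and product_hit

# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic product where \"name like '%Sophos%'\" call uninstall /nointeractive"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic product where \"name like '%Sophos%'\" get name,version"},  # inventory query
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process where \"caption like '%malware%'\" call terminate"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process where \"name='notepad.exe'\" delete"},  # no product term -> no alert
]

def evaluate(events) -> List[bool]:
    return [rule_matches(e["CommandLine"]) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", e["CommandLine"])
```

The fourth event shows why the `and selection_product` clause matters for the false-positive note in the rule: a generic `wmic process ... delete` on its own is ordinary administration and does not fire.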
