Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
Sigma rule
```yaml
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
    - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
      type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
    - https://twitter.com/cglyer/status/1355171195654709249
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'product where '
            - 'call'
            - 'uninstall'
            - '/nointeractive'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'caption like '
        CommandLine|contains:
            - 'call delete'
            - 'call terminate'
    selection_cli_3:
        CommandLine|contains|all:
            - 'process '
            - 'where '
            - 'delete'
    selection_product:
        CommandLine|contains:
            - '%carbon%'
            - '%cylance%'
            - '%endpoint%'
            - '%eset%'
            - '%malware%'
            - '%Sophos%'
            - '%symantec%'
            - 'Antivirus'
            - 'AVG '
            - 'Carbon Black'
            - 'CarbonBlack'
            - 'Cb Defense Sensor 64-bit'
            - 'Crowdstrike Sensor'
            - 'Cylance '
            - 'Dell Threat Defense'
            - 'DLP Endpoint'
            - 'Endpoint Detection'
            - 'Endpoint Protection'
            - 'Endpoint Security'
            - 'Endpoint Sensor'
            - 'ESET File Security'
            - 'LogRhythm System Monitor Service'
            - 'Malwarebytes'
            - 'McAfee Agent'
            - 'Microsoft Security Client'
            - 'Sophos Anti-Virus'
            - 'Sophos AutoUpdate'
            - 'Sophos Credential Store'
            - 'Sophos Management Console'
            - 'Sophos Management Database'
            - 'Sophos Management Server'
            - 'Sophos Remote Management System'
            - 'Sophos Update Manager'
            - 'Threat Protection'
            - 'VirusScan'
            - 'Webroot SecureAnywhere'
            - 'Windows Defender'
    condition: 1 of selection_cli_* and selection_product
falsepositives:
    - Legitimate administration
level: high
```
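To see how the condition `1 of selection_cli_* and selection_product` behaves, here is a small evaluator for the detection block run over a few constructed process_creation command lines. This is an added example, not Sigma's own backend or part of the rule; it assumes Sigma's default case-insensitive `contains` semantics and uses only a subset of the rule's product list.

```python
# Added example: minimal evaluator for this rule's detection block, not Sigma's
# own backend. Sigma's `contains` is case-insensitive substring matching.

# selection_cli_*: every "all" term must be present; selection_cli_2 also
# requires one of its "any" terms.
SELECTION_CLI = [
    {"all": ["wmic", "product where ", "call", "uninstall", "/nointeractive"]},
    {"all": ["wmic", "caption like "], "any": ["call delete", "call terminate"]},
    {"all": ["process ", "where ", "delete"]},
]
# Subset of the rule's selection_product list (constructed for this example).
SELECTION_PRODUCT = [
    "%carbon%", "%cylance%", "%endpoint%", "%Sophos%", "Antivirus",
    "Carbon Black", "Crowdstrike Sensor", "Endpoint Protection",
    "Malwarebytes", "McAfee Agent", "Sophos Anti-Virus", "Windows Defender",
]
# Constructed process_creation command lines, not real telemetry.
SAMPLE_EVENTS = [
    'wmic product where name="Sophos Anti-Virus" call uninstall /nointeractive',
    'wmic product where name="7-Zip" call uninstall /nointeractive',
    'wmic process where "caption like \'%cylance%\'" call terminate',
    'wmic product where "caption like \'%endpoint%\'" get name',
]

def contains(command_line: str, needle: str) -> bool:
    """Sigma `contains` modifier: case-insensitive substring test."""
    return needle.lower() in command_line.lower()

def selection_hit(command_line: str, sel: dict) -> bool:
    """All 'all' terms must match; if the selection has 'any' terms, one must too."""
    if not all(contains(command_line, t) for t in sel["all"]):
        return False
    return "any" not in sel or any(contains(command_line, t) for t in sel["any"])

def matches(command_line: str) -> bool:
    """condition: 1 of selection_cli_* and selection_product"""
    cli = any(selection_hit(command_line, s) for s in SELECTION_CLI)
    product = any(contains(command_line, t) for t in SELECTION_PRODUCT)
    return cli and product

def triage(events: list) -> list:
    """Return the command lines in a batch that the rule would flag."""
    return [e for e in events if matches(e)]

if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print("ALERT" if matches(cmd) else "ok   ", cmd)
```

Note that the second and fourth samples do not fire: an uninstall of a non-security product lacks a selection_product hit, and a read-only `get` query lacks the `call`/`delete` verbs, which is what keeps the "Legitimate administration" false-positive class narrow.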