Attempts to detect system changes made by Blue Mockingbird

Read More

Detects potential tampering with Windows Defender settings such as adding exclusion using wmic

Read More

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Read More

Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.

Read More

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Read More

Detects the removal or uninstallation of an application via "Wmic.EXE".

Read More

Detects calls to the "terminate" function via wmic in order to kill an application

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Read More

Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE

Read More

Detects new process creation using WMIC via the "process call create" flag

Read More

Detects specific process characteristics of Maze ransomware word document droppers

Read More

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Read More

Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts

Read More

Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.

Read More

Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.

Read More

Detects blocking of process creations originating from PSExec and WMI commands

Read More

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Read More

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

Read More

An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable

Read More

Detects usage of wmic to start or stop a service

Read More

Detects successful logon attempts performed with WMI

Read More

Detects suspicious encoded payloads in WMI Event Consumers

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Read More

Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.

Read More

Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Read More

Detects suspicious and uncommon child processes of WmiPrvSE

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Read More

Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

Read More

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts

Read More

Detects the WMI Event Consumer service scrcons.exe creating a named pipe

Read More

Detects the execution of WMIC to query information on a remote system

Read More

Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts

Read More

Detects the creation of the default output filename used by the wmiexec tool

Read More

Detects parameters used by WMImplant

Read More

Detects WmiPrvSE spawning a process

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

It’s almost always malicious when wmic.exe spawns as a child process of Microsoft Office and similar products. As such, it makes sense to examine the chain of execution and follow-on activity when this occurs. The following is a non-exhaustive example analytic that will catch some of this activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

Looking for suspicious command-line parameters is another solid indicator of malice. Certain red team and post-exploitation frameworks will spawn unique and unsigned binaries or commands remotely using the well known process call create command, and we’ve got a couple different detection methods that have alerted us to related activity over the years. Potentially suspicious WMI command switches include create, node:, process, and call. Of course, the maliciousness of these commands are context-specific, and therefore, the following may require tuning or generate high volumes of false positives. Part of the RedCanary 2024 Threat Detection Report.

Read More

There are numerous default PowerShell cmdlets that allow administrators to leverage WMI via PowerShell. Both adversaries and administrators use these cmdlets to query the operating system or execute commands, either locally or remotely. Cmdlets like Get-WMIObject are often used for reconnaissance. Part of the RedCanary 2024 Threat Detection Report.

Read More

In general, trusted binaries and known administrative tools and processes will initiate WMI activity. As such, it makes sense to look for known bad processes launching WMI or deviations from the expected where a legitimate but unusual Windows binary spawns WMI—or spawns from it. The following is an amalgamation of several analytics that can detect a wide array of threats, ranging from red team activity to web shells to coinminers. Part of the RedCanary 2024 Threat Detection Report.

Read More

By monitoring and detecting on module loads, you can catch a variety of different malicious activities, including defense evasion and credential theft. In cases where an adversary is using WMI for credential theft, consider looking for the execution of wmiprvse.exe (or its child processes) with unusual module loads like samlib.dll or vaultcli.dll. WMI is also a useful vehicle for bypassing application controls, and we commonly see adversaries—real and simulated–using a WMI bypass method called “SquibblyTwo.” The following pseudo-detection analytic is designed specifically to catch application control bypasses, but you can likely adapt it to detect other threats by substituting in a different DLL or by removing the command. Part of the RedCanary 2024 Threat Detection Report.

Read More

Reconnaissance is harder to detect because it looks very similar to normal admin behavior. Even so, we detect a relatively high volume of adversaries leveraging WMI to quickly gather domain information such as users, groups, or computers in the domain. The following may help you detect related activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

It’s not uncommon for ransomware operators to leverage WMI to delete volume shadows, significantly complicating the process for recovering access to encrypted systems and files. If you want to detect ransomware using WMI to delete shadow copies, consider looking for wmic.exe execution with command lines including shadowcopy or delete. Part of the RedCanary 2024 Threat Detection Report.

Read More

This detection analytic looks for wmiprvse.exe spawn cmd.exe with the following command line, cmd.exe /Q /c ', ' 1 \\', ' 2 &1. These strings are specific to the execution of wmiexe.py, which allows a semi-interactive shell used via WMI. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects MS Office applications spawning WMI processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic reconnaissance activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects wmic shadow copy deletion activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic process with suspicious options. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects WMI-related suspicious powershell cmdlets. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the WMI provider host spawning suspicious processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic process module loads potentially to perform application control bypasses. Part of the RedCanary 2023 Threat Detection Report.

Read More

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

Read More

Detects potential adversaries using powershell WMI-related cmdlets to query the operating system or execute commands, either locally or remotely. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects adversaries leveraging WMI to gather domain information such as users, groups, AV product in use, or computers in the domain. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects suspicious parent-child relationships with the wmiprvse command. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects spawning of unique and unsigned binaries or commands remotely using the well known process call create command. Inspired by the 2022 Red Canary Threat Detection report.

Read More