title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.discovery
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1110
    - attack.t1201
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        Image|endswith: '\crackmapexec.exe'
    selection_special:
        CommandLine|contains: ' -M pe_inject '
    selection_execute:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -x '
    selection_hash:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
            - " -H 'NTHASH'"
    selection_module_mssql:
        CommandLine|contains|all:
            - ' mssql '
            - ' -u '
            - ' -p '
            - ' -M '
            - ' -d '
    selection_module_smb1:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -H '
            - ' -M '
            - ' -o '
    selection_module_smb2:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -p '
            - ' --local-auth'
    part_localauth_1:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
    part_localauth_2:
        CommandLine|contains|all:
            - ' 10.'
            - ' 192.168.'
            - '/24 '
    condition: 1 of selection_* or all of part_localauth*
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.s0106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
            - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:109 (fileless output via share)
            - 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:111 (fileless output via share)
            - 'cmd.exe /C * > *\\Temp\\* 2>&1'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
            - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
            - 'powershell.exe -noni -nop -w 1 -enc '
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
    - id: e31f89f7-36fb-4697-8ab6-48823708353b
      type: obsolete
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
date: 2019-09-03
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_other:
        # *** wmiexec.py
        #    parent is wmiprvse.exe
        #    examples:
        #       cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        #       cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        # *** dcomexec.py -object MMC20
        #   parent is mmc.exe
        #   example:
        #       "C:\Windows\System32\cmd.exe" /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
        # *** dcomexec.py -object ShellBrowserWindow
        #  runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
        #  example:
        #   "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
        # *** smbexec.py
        #   parent is services.exe
        #   example:
        #       C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
        ParentImage|endswith:
            - '\wmiprvse.exe'        # wmiexec
            - '\mmc.exe'        # dcomexec MMC
            - '\explorer.exe'        # dcomexec ShellBrowserWindow
            - '\services.exe'        # smbexec
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/Q'
            - '/c'
            - '\\\\127.0.0.1\\'
            - '&1'
    selection_atexec:
        ParentCommandLine|contains:
            - 'svchost.exe -k netsvcs'       # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
            - 'taskeng.exe'       # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
            # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/C'
            - 'Windows\Temp\'
            - '&1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
    - https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1047
    - attack.t1569.002
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
    selection:
        EventID: 1121
        ProcessName|endswith:
            - '\wmiprvse.exe'
            - '\psexesvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
      type: similar
status: test
description: |
    Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
    to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
    malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
    The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
    with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
    LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
    - https://atomicredteam.io/defense-evasion/T1220/
    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
    - https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cli:
        CommandLine|contains|windash: '/format:'
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
    - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1047
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.003
    - attack.t1047
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
            - 99fcfec4-5260-101b-bbcb-00aa0021347a
            - 000001a0-0000-0000-c000-000000000046
            - 00000131-0000-0000-c000-000000000046
            - 00000143-0000-0000-c000-000000000046
            - 00000000-0000-0000-c000-000000000046
    condition: selection
falsepositives:
    - Some administrative tasks on remote host
level: high

title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.001
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_execution_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
        - ParentImage|endswith: '\wmiprvse.exe'
    selection_execution_cmd:
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    selection_suspicious_paths_1:
        CommandLine|contains:
            - ':\Perflogs'
            - :\ProgramData'
            - ':\Windows\Temp'
            - ':\Temp'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming'
            - ':\$Recycle.bin'
            - ':\Users\Default'
            - ':\Users\public'
            - '%temp%'
            - '%tmp%'
            - '%Public%'
            - '%AppData%'
    selection_suspicious_paths_user_1:
        CommandLine|contains: ':\Users\'
    selection_suspicious_paths_user_2:
        CommandLine|contains:
            - '\Favorites'
            - '\Favourites'
            - '\Contacts'
            - '\Music'
            - '\Pictures'
            - '\Documents'
            - '\Photos'
    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
    - Legitimate administrative activity or software installations
level: high

title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection_destination:
        Destination|base64offset|contains:
            - 'WriteProcessMemory'
            - 'This program cannot be run in DOS mode'
            - 'This program must be run under Win32'
    condition: selection_destination
falsepositives:
    - Unknown
level: high

title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_paths:
        CommandLine|contains:
            - '.application'
            - '\AppData\Local\Temp\'
            - '\Content.Outlook\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\AppData\Local\Temp\Temp?_'
            # - '\AppData\Local\Temp\Rar$'
            # - '\AppData\Local\Temp\7z'
            # - '\AppData\Local\Temp\wz'
            # - '\AppData\Local\Temp\peazip-tmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
    - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
      type: derived
    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
      type: derived
    - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
      type: obsolete
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml
    - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
    - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
    - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
    - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018-04-06
modified: 2023-04-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\EQNEDT32.EXE'
            - '\EXCEL.EXE'
            - '\MSACCESS.EXE'
            - '\MSPUB.exe'
            - '\ONENOTE.EXE'
            - '\POWERPNT.exe'
            - '\VISIO.exe'
            - '\WINWORD.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_child_processes:
        - OriginalFileName:
              - 'bitsadmin.exe'
              - 'CertOC.exe'
              - 'CertUtil.exe'
              - 'Cmd.Exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'curl.exe'
              - 'HH.exe'
              - 'IEExec.exe'
              - 'InstallUtil.exe'
              - 'javaw.exe'
              - 'Microsoft.Workflow.Compiler.exe'
              - 'msdt.exe'
              - 'MSHTA.EXE'
              - 'msiexec.exe'
              - 'Msxsl.exe'
              - 'odbcconf.exe'
              - 'pcalua.exe'
              - 'PowerShell.EXE'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.exe'
              - 'RUNDLL32.exe'
              - 'schtasks.exe'
              - 'ScriptRunner.exe'
              - 'wmic.exe'
              - 'WorkFolders.exe'
              - 'wscript.exe'
        - Image|endswith:
              - '\AppVLP.exe'
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certoc.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cmstp.exe'
              - '\control.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\ieexec.exe'
              - '\installutil.exe'
              - '\javaw.exe'
              - '\mftrace.exe'
              - '\Microsoft.Workflow.Compiler.exe'
              - '\msbuild.exe'
              - '\msdt.exe'
              - '\mshta.exe'
              - '\msidb.exe'
              - '\msiexec.exe'
              - '\msxsl.exe'
              - '\odbcconf.exe'
              - '\pcalua.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regasm.exe'
              - '\regsvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\schtasks.exe'
              - '\scrcons.exe'
              - '\scriptrunner.exe'
              - '\sh.exe'
              - '\svchost.exe'
              - '\verclsid.exe'
              - '\wmic.exe'
              - '\workfolders.exe'
              - '\wscript.exe'
    selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Unknown
level: high

title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
      type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
    - https://thedfirreport.com/2020/10/08/ryuks-return/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'process '
            - 'call '
            - 'create '
        CommandLine|contains:
            # Add more susupicious paths and binaries as you see fit in your env
            - 'rundll32'
            - 'bitsadmin'
            - 'regsvr32'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'powershell'
            - 'pwsh'
            - 'certutil'
            - 'cscript'
            - 'wscript'
            - 'mshta'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '\AppData\Local\'
            - '%temp%'
            - '%tmp%'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50
      type: derived
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
      type: obsolete
    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
            - '\ONENOTE.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_wmic_img:
        - Image|endswith: '\wbem\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains|all:
            - 'process'
            - 'create'
            - 'call'
        CommandLine|contains:
            # Add more suspicious LOLBINs as you see fit
            - 'regsvr32'
            - 'rundll32'
            - 'msiexec'
            - 'mshta'
            - 'verclsid'
            - 'wscript'
            - 'cscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
      type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    selection_children_1:
        # TODO: Add more LOLBINs or suspicious processes that make sens in your environment
        Image|endswith:
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\verclsid.exe'
            - '\wscript.exe'
    selection_children_2:
        # This is in a separate selection due to the nature of FP generated with CMD
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    filter_main_werfault:
        Image|endswith: '\WerFault.exe'
    filter_main_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
    filter_main_msiexec:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: '/i '
    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: T1047 Wmiprvse Wbemcomn DLL Hijack
id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-02-24
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
    - https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'WMImplant'
            - ' change_user '
            - ' gen_cli '
            - ' command_exec '
            - ' disable_wdigest '
            - ' disable_winrm '
            - ' enable_wdigest '
            - ' enable_winrm '
            - ' registry_mod '
            - ' remote_posh '
            - ' sched_job '
            - ' service_mod '
            - ' process_kill '
            # - ' process_start '
            - ' active_users '
            - ' basic_info '
            # - ' drive_list '
            # - ' installed_programs '
            - ' power_off '
            - ' vacant_system '
            - ' logon_events '
    condition: selection
falsepositives:
    - Administrative scripts that use the same keywords.
level: high

title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Application Removed Via Wmic.EXE
id: b53317a0-8acf-4fd1-8de8-a5401e776b96
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: Detects the removal or uninstallation of an application via "Wmic.EXE".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
author: frack113
date: 2022-01-28
modified: 2024-07-02
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'uninstall'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Application Terminated Via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: Detects calls to the "terminate" function via wmic in order to kill an application
references:
    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'terminate'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Hardware Model Reconnaissance Via Wmic.EXE
id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
status: test
description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
references:
    - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
    - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
author: Florian Roth (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'csproduct'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium

title: New Process Created Via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: Detects new process creation using WMIC via the "process call create" flag
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Password Set to Never Expire via WMI
id: 7864a175-3654-4824-9f0d-f0da18ab27c0
status: experimental
description: |
    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
references:
    - https://www.huntress.com/blog/the-unwanted-guest
author: "Daniel Koifman (KoifSec)"
date: 2025-07-30
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1047
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  wmic  useraccount where name='guest' set passwordexpires=false
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'useraccount'
            - ' set '
            - 'passwordexpires'
            - 'false'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium

title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
    Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
    Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
    This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
    - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
    - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
    - https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        # Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        CommandLine|contains:
            - 'AntiVirusProduct'
            - 'AntiSpywareProduct'
            - 'FirewallProduct'
    condition: all of selection_*
falsepositives:
    - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium

title: Potential Product Reconnaissance Via Wmic.EXE
id: 15434e33-5027-4914-88d5-3d4145ec25a9
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
    - https://thedfirreport.com/2023/03/06/2022-year-in-review/
    - https://www.yeahhub.com/list-installed-programs-version-path-windows/
    - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
author: Nasreddine Bencherchali
date: 2023-02-14
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'Product'
    filter_main_call_operations:
        # wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
        CommandLine|contains:
            - ' uninstall'
            - ' install'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
      type: similar
    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
      type: similar
status: test
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service get '
            - 'name,displayname,pathname,startmode'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
id: 692f0bec-83ba-4d04-af7e-e884a96059b6
related:
    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
status: stable
description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
references:
    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis @Karneades
date: 2019-04-03
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WmiPrvSE.exe'
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    condition: all of selection_*
falsepositives:
    - AppvClient
    - CCM
    - WinRM
level: medium

title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'process'
    filter_main_creation:
        CommandLine|contains|all:
            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
            - 'call'
            - 'create'
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: experimental
description: |
    Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
    In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
    In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
references:
    - https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
    - https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-15
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\wmic.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'wmic.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_method:
        CommandLine|contains:
            - 'rdtoggle'
            - 'Win32_TerminalServiceSetting'
    selection_cli_property:
        CommandLine|contains: 'SetAllowTSConnections'
    condition: all of selection_*
falsepositives:
    - Legitimate system administrators enabling RDP for remote support
    - System configuration scripts during deployment
level: medium

title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
    - attack.persistence
    - attack.execution
    - attack.discovery
    - attack.defense-impairment
    - attack.t1047
    - attack.t1112
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'stdregprov'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium

title: Service Reconnaissance Via Wmic.EXE
id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
related:
    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
      type: similar
status: test
description: |
    An adversary might use WMI to check if a certain remote service is running on a remote device.
    When the test completes, a service information will be displayed on the screen if it exists.
    A common feedback message is that "No instance(s) Available" if the service queried is not running.
    A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2026-01-07
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'service'
    filter_main_win32_methods:
        CommandLine|contains:
            - 'Change'
            - 'Create'
            - 'Delete'
            - 'PauseService'
            - 'ResumeService'
            - 'SetSecurityDescriptor'
            - 'StartService'
            - 'StopService'
            - 'UserControlService'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Service Started/Stopped Via Wmic.EXE
id: 0b7163dc-7eee-4960-af17-c0cd517f92da
status: test
description: Detects usage of wmic to start or stop a service
references:
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - ' call '
        CommandLine|contains:
            - 'stopservice'
            - 'startservice'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Service Startup Type Change Via Wmic.EXE
id: c0514f28-fdae-42df-b886-06e2b2bc5b37
status: experimental
description: |
    Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
references:
    - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1047
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - 'ChangeStartMode'
        CommandLine|contains:
            - 'Manual'
            - 'Disabled'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml

title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: similar
status: test
description: |
    An adversary might use WMI to discover information about the system, such as the volume name, size,
    free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
    observed being used by threat actors such as Volt Typhoon.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        - CommandLine|contains:
              - ' volumename'
              - ' logicaldisk'
        - CommandLine|contains|all:
              - 'path'
              - 'win32_logicaldisk'
        - CommandLine|contains|all:
              - ' volume'
              - ' list '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: WMI Event Consumer Created Named Pipe
id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
status: test
description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
references:
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2023-11-30
tags:
    - attack.t1047
    - attack.execution
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        Image|endswith: '\scrcons.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: WMIC Remote Command Execution
id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
related:
    - id: e42af9df-d90b-4306-b7fb-05c863847ebd
      type: obsolete
    - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
      type: obsolete
status: test
description: Detects the execution of WMIC to query information on a remote system
references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|windash: '/node:'
    filter_main_localhost:
        CommandLine|contains:
            - 'localhost'
            - '127.0.0.1'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: WMIC Unquoted Services Path Lookup - PowerShell
id: 09658312-bc27-4a3b-91c5-e49ab9046d1b
related:
    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
      type: similar
status: test
description: Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2022-11-25
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Get-WmiObject '
            - 'gwmi '
        ScriptBlockText|contains|all:
            - ' Win32_Service '
            - 'Name'
            - 'DisplayName'
            - 'PathName'
            - 'StartMode'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: test
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
references:
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: ' qfe'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: WmiPrvSE Spawned A Process
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
related:
    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
      type: similar
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
status: stable
description: Detects WmiPrvSE spawning a process
references:
    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-15
modified: 2023-03-23
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WmiPrvSe.exe'
    filter_logonid:
        LogonId:
            - '0x3e7'  # LUID 999 for SYSTEM
            - 'null'   # too many false positives
    filter_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe'
    filter_werfault:
        Image|endswith: '\WerFault.exe'
    filter_null:  # some backends need the null value in a separate expression
        LogonId: null
    condition: selection and not 1 of filter_*
falsepositives:
    - False positives are expected (e.g. in environments where WinRM is used legitimately)
level: medium

title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cmd:
        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium

title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detects successful logon attempts performed with WMI
references:
    - Internal Research
author: Thomas Patzke
date: 2019-12-04
modified: 2024-01-17
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        ProcessName|endswith: '\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Monitoring tools
    - Legitimate system administration
level: low