SigmaHQ/rules/windows/process_creation/win_susp_wmi_execution.yml

title: Suspicious WMI Execution
id: 526be59f-a573-4eea-b5f7-f0973207634d
status: experimental
description: Detects WMI executing suspicious commands
references:
    - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
    - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
    - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
author: Michael Haag, Florian Roth, juju4, oscd.community
date: 2019/01/16
modified: 2020/11/28
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
    selection2:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create '
    recon_part1:
        CommandLine|contains: ' path '
    recon_part2:
        CommandLine|contains:
            - 'AntiVirus'
            - 'Firewall'
        CommandLine|contains|all:
            - 'Product'
            - ' get '
    condition: (selection and selection2) or
               (selection and recon_part1 and recon_part2)
fields:
    - CommandLine
    - ParentCommandLine
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
falsepositives:
    - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine
level: medium
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Suspicious WMI Execution`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 526be59f-a573-4eea-b5f7-f0973207634d`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`description: Detects WMI executing suspicious commands`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/`
			`- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1`
			`- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/`
Update win_susp_wmi_execution.yml 2020-11-28 16:30:34 +00:00			`author: Michael Haag, Florian Roth, juju4, oscd.community`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/01/16`
Update win_susp_wmi_execution.yml 2020-11-28 17:01:06 +00:00			`modified: 2020/11/28`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
Update win_susp_wmi_execution.yml 2020-11-28 17:01:06 +00:00			`Image\|endswith: '\wmic.exe'`
Update win_susp_wmi_execution.yml 2020-11-28 16:30:34 +00:00			`selection2:`
Update win_susp_wmi_execution.yml 2020-11-28 17:01:06 +00:00			`CommandLine\|contains\|all:`
			`- 'process'`
			`- 'call'`
			`- 'create '`
			`recon_part1:`
			`CommandLine\|contains: ' path '`
			`recon_part2:`
			`CommandLine\|contains:`
			`- 'AntiVirus'`
			`- 'Firewall'`
			`CommandLine\|contains\|all:`
			`- 'Product'`
			`- ' get '`
Parenthesis for condition statement 2021-06-16 05:41:52 +00:00			`condition: (selection and selection2) or`
			`(selection and recon_part1 and recon_part2)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`fields:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- CommandLine`
			`- ParentCommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.execution`
			`- attack.t1047`
Incorporated MITRE CAR mapping from #55 2019-03-15 23:03:27 +00:00			`- car.2016-03-002`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
docs: improved false positive notes 2020-10-12 07:18:42 +00:00			`- If using Splunk, we recommend \| stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: medium`