sigma | high | Hunting
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
Detection Query
selection:
    CommandLine|contains|all:
        - "process "
        - "call "
        - "create "
    CommandLine|contains:
        - rundll32
        - bitsadmin
        - regsvr32
        - "cmd.exe /c "
        - "cmd.exe /k "
        - "cmd.exe /r "
        - "cmd /c "
        - "cmd /k "
        - "cmd /r "
        - powershell
        - pwsh
        - certutil
        - cscript
        - wscript
        - mshta
        - \Users\Public\
        - \Windows\Temp\
        - \AppData\Local\
        - "%temp%"
        - "%tmp%"
        - "%ProgramData%"
        - "%appdata%"
        - "%comspec%"
        - "%localappdata%"
condition: selection
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2020-10-12
Data Sources
windows: Process Creation Events
Platforms
windows
References
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
Tags
attack.execution, attack.t1047
Raw Content
title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
      type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
references:
    - https://thedfirreport.com/2020/10/08/ryuks-return/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'process '
            - 'call '
            - 'create '
        CommandLine|contains:
            # Add more suspicious paths and binaries as you see fit in your env
            - 'rundll32'
            - 'bitsadmin'
            - 'regsvr32'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'powershell'
            - 'pwsh'
            - 'certutil'
            - 'cscript'
            - 'wscript'
            - 'mshta'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '\AppData\Local\'
            - '%temp%'
            - '%tmp%'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    condition: selection
falsepositives:
    - Unknown
level: high
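To see how the selection above evaluates against process-creation events, here is an added Python re-implementation of its two `CommandLine` modifiers (`contains|all` requires every term, plain `contains` requires at least one, both case-insensitive as in Sigma) run over constructed sample command lines; it is not part of the rule or the Sigma project, and the events are invented for illustration.

```python
# Term lists copied from the rule's 'selection' block. Sigma string matching is
# case-insensitive, so both sides are lower-cased before comparison.
REQUIRED_ALL = ["process ", "call ", "create "]
SUSPICIOUS_ANY = [
    "rundll32", "bitsadmin", "regsvr32",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
    "cmd /c ", "cmd /k ", "cmd /r ",
    "powershell", "pwsh", "certutil", "cscript", "wscript", "mshta",
    "\\Users\\Public\\", "\\Windows\\Temp\\", "\\AppData\\Local\\",
    "%temp%", "%tmp%", "%ProgramData%", "%appdata%", "%comspec%", "%localappdata%",
]


def matches_rule(command_line: str) -> bool:
    """Evaluate the rule's selection against a single CommandLine value."""
    cl = command_line.lower()
    # CommandLine|contains|all: every term must appear (note the trailing spaces).
    if not all(term.lower() in cl for term in REQUIRED_ALL):
        return False
    # CommandLine|contains: at least one suspicious binary, switch or path.
    return any(term.lower() in cl for term in SUSPICIOUS_ANY)


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic process call create "rundll32.exe C:\\Users\\Public\\x.dll,Start"'},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:host1 process call create "cmd.exe /c whoami"'},
    # Same WMIC verb but no suspicious term: the rule stays silent.
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic process call create notepad.exe"},
    # Ordinary WMIC query without "process call create": no match.
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption,version"},
    # The rule has no Image filter, so a non-WMIC line carrying the same
    # substrings also fires; a tuning candidate if this shows up in your env.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo process call create now"},
]


def hunt(events):
    """Return the CommandLine of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```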