← Back to Explore
sigmamediumHunting
Application Termination Attempt via Wmic.EXE
Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may use wmic to terminate security products or other applications on the compromised host. This event is triggered on on attempt and process creation can be either successful or unsuccessful.
Detection Query
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
selection_cli:
CommandLine|contains|all:
- call
- terminate
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-09-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1047
Raw Content
title: Application Termination Attempt via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
- id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
type: derived
status: test
description: |
Detects an attempt to terminate a process via "wmic" with the "call terminate" flag. Adversaries may
use wmic to terminate security products or other applications on the compromised host. This event is
triggered on on attempt and process creation can be either successful or unsuccessful.
references:
- https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'call'
- 'terminate'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_terminate_application/info.yml