← Back to Explore
sigmahighHunting
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Detection Query
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
selection_cli:
CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender
condition: all of selection_*
Author
frack113
Created
2022-12-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
Tags
attack.defense-evasionattack.executionattack.t1047attack.t1562
Raw Content
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.defense-evasion
- attack.execution
- attack.t1047
- attack.t1562
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high