← Back to Explore
sigmahighHunting
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
Detection Query
selection_cli_1:
CommandLine|contains|all:
- wmic
- "product where "
- call
- uninstall
- /nointeractive
selection_cli_2:
CommandLine|contains|all:
- wmic
- "caption like "
CommandLine|contains:
- call delete
- call terminate
selection_cli_3:
CommandLine|contains|all:
- "process "
- "where "
- delete
selection_product:
CommandLine|contains:
- "%carbon%"
- "%cylance%"
- "%endpoint%"
- "%eset%"
- "%malware%"
- "%Sophos%"
- "%symantec%"
- Antivirus
- "AVG "
- Carbon Black
- CarbonBlack
- Cb Defense Sensor 64-bit
- Crowdstrike Sensor
- "Cylance "
- Dell Threat Defense
- DLP Endpoint
- Endpoint Detection
- Endpoint Protection
- Endpoint Security
- Endpoint Sensor
- ESET File Security
- LogRhythm System Monitor Service
- Malwarebytes
- McAfee Agent
- Microsoft Security Client
- Sophos Anti-Virus
- Sophos AutoUpdate
- Sophos Credential Store
- Sophos Management Console
- Sophos Management Database
- Sophos Management Server
- Sophos Remote Management System
- Sophos Update Manager
- Threat Protection
- VirusScan
- Webroot SecureAnywhere
- Windows Defender
condition: 1 of selection_cli_* and selection_product
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2021-01-30
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
Tags
attack.defense-evasionattack.t1562.001
Raw Content
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
- id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'wmic'
- 'product where '
- 'call'
- 'uninstall'
- '/nointeractive'
selection_cli_2:
CommandLine|contains|all:
- 'wmic'
- 'caption like '
CommandLine|contains:
- 'call delete'
- 'call terminate'
selection_cli_3:
CommandLine|contains|all:
- 'process '
- 'where '
- 'delete'
selection_product:
CommandLine|contains:
- '%carbon%'
- '%cylance%'
- '%endpoint%'
- '%eset%'
- '%malware%'
- '%Sophos%'
- '%symantec%'
- 'Antivirus'
- 'AVG '
- 'Carbon Black'
- 'CarbonBlack'
- 'Cb Defense Sensor 64-bit'
- 'Crowdstrike Sensor'
- 'Cylance '
- 'Dell Threat Defense'
- 'DLP Endpoint'
- 'Endpoint Detection'
- 'Endpoint Protection'
- 'Endpoint Security'
- 'Endpoint Sensor'
- 'ESET File Security'
- 'LogRhythm System Monitor Service'
- 'Malwarebytes'
- 'McAfee Agent'
- 'Microsoft Security Client'
- 'Sophos Anti-Virus'
- 'Sophos AutoUpdate'
- 'Sophos Credential Store'
- 'Sophos Management Console'
- 'Sophos Management Database'
- 'Sophos Management Server'
- 'Sophos Remote Management System'
- 'Sophos Update Manager'
- 'Threat Protection'
- 'VirusScan'
- 'Webroot SecureAnywhere'
- 'Windows Defender'
condition: 1 of selection_cli_* and selection_product
falsepositives:
- Legitimate administration
level: high