← Back to Explore
sigmamediumHunting
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Detection Query
selection_img:
- Image|endswith: \WMIC.exe
- OriginalFileName: wmic.exe
selection_cli:
CommandLine|contains|all:
- call
- uninstall
condition: all of selection_*
Author
frack113
Created
2022-01-28
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1047
Raw Content
title: Application Removed Via Wmic.EXE
id: b53317a0-8acf-4fd1-8de8-a5401e776b96
related:
- id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
type: derived
status: test
description: Detects the removal or uninstallation of an application via "Wmic.EXE".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
author: frack113
date: 2022-01-28
modified: 2024-07-02
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- 'call'
- 'uninstall'
condition: all of selection_*
falsepositives:
- Unknown
level: medium