EXPLORE
← Back to Explore
sigmamediumHunting

Registry Manipulation via WMI Stdregprov

Detects the usage of wmic.exe to modify Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.). This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.

MITRE ATT&CK

executionpersistence

Detection Query

selection_img:
  - Image|endswith: \wmic.exe
  - OriginalFileName: wmic.exe
selection_cli:
  CommandLine|contains|all:
    - stdregprov
    - call
  CommandLine|contains:
    - CreateKey
    - DeleteKey
    - DeleteValue
    - SetBinaryValue
    - SetDWORDValue
    - SetExpandedStringValue
    - SetMultiStringValue
    - SetQWORDValue
    - SetSecurityDescriptor
    - SetStringValue
condition: all of selection_*

Author

Daniel Koifman (KoifSec)

Created

2025-07-30

Data Sources

windowsProcess Creation Events

Platforms

windows

Tags

attack.executionattack.t1047attack.persistenceattack.defense-impairmentattack.t1112
Raw Content
title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
related:
    - id: a0e417e2-2fa1-40da-b6d2-e094cd5e1191 # Registry Enumeration via WMI Stdregprov
      type: similar
description: |
    Detects the usage of wmic.exe to modify Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.).
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov
author: Daniel Koifman (KoifSec)
date: 2025-07-30
modified: 2026-06-19
tags:
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'stdregprov'
            - 'call'
        CommandLine|contains:
            - 'CreateKey'
            - 'DeleteKey'
            - 'DeleteValue'
            - 'SetBinaryValue'
            - 'SetDWORDValue'
            - 'SetExpandedStringValue'
            - 'SetMultiStringValue'
            - 'SetQWORDValue'
            - 'SetSecurityDescriptor'
            - 'SetStringValue'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification/info.yml