title: Suspicious WMI Execution
author: Michael Haag, Florian Roth, juju4, oscd.community
date: 2019/01/16
description: Detects WMI executing suspicious commands
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\wmic.exe'
  SELECTION_3:
    CommandLine: '*process*'
  SELECTION_4:
    CommandLine: '*call*'
  SELECTION_5:
    CommandLine: '*create *'
  SELECTION_6:
    CommandLine: '* path *'
  SELECTION_7:
    CommandLine:
    - '*AntiVirus*'
    - '*Firewall*'
  SELECTION_8:
    CommandLine: '*Product*'
  SELECTION_9:
    CommandLine: '* get *'
  condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and SELECTION_5)
    or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9)))
falsepositives:
- If using Splunk, we recommend | stats count by Computer,CommandLine following for
  easy hunting by Computer/CommandLine
fields:
- CommandLine
- ParentCommandLine
id: 526be59f-a573-4eea-b5f7-f0973207634d
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2020/11/28
references:
- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
status: experimental
tags:
- attack.execution
- attack.t1047
- car.2016-03-002
ruletype: SIGMA