Registry Manipulation via WMI Stdregprov for Evasion
Attackers are leveraging `wmic.exe` to modify the Windows registry through the WMI `StdRegProv` class, specifically using methods like `CreateKey` and `SetStringValue`, to evade detection and bypass traditional security monitoring focused on `reg.exe` or `regedit.exe`.
Attackers are increasingly utilizing wmic.exe in conjunction with the Windows Management Instrumentation (WMI) StdRegProv class to perform registry modifications, a technique observed to be employed by groups such as ShrinkLocker. This method allows threat actors to execute operations such as creating, deleting, or setting registry values (e.g., CreateKey, DeleteKey, SetStringValue) in an unconventional manner. By employing WMI for registry manipulation, attackers aim to bypass security monitoring tools that primarily focus on detecting changes made via standard utilities like reg.exe or regedit.exe. This technique serves as a defense evasion tactic, making it more challenging for defenders to identify and respond to malicious registry changes, which can be critical for achieving persistence or altering system configurations.
Impact
The primary impact of this technique is successful defense evasion, allowing attackers to establish persistence or modify system behavior without triggering traditional registry monitoring alerts. While the direct functional damage depends on the specific registry keys modified, the use of wmic.exe for such operations indicates an attacker's intent to operate stealthily within an environment. If this technique goes undetected, it can enable long-term compromise, installation of malware, or complete system takeover by allowing malicious entries to be written to critical registry locations. The specific scale of victimization or targeted sectors are not detailed in this technical brief, but the underlying capability affects any Windows environment where WMI is available.
Recommendation
- Deploy the Sigma rule "Registry Manipulation via WMI Stdregprov" to your SIEM and tune for your environment.
- Ensure Sysmon process creation logging is enabled to capture
wmic.exeexecutions with full command-line details. - Investigate any
wmic.exeprocess creations that includestdregprovand registry modification methods (CreateKey,SetStringValue, etc.) in their command line.
Detection coverage 1
Registry Manipulation via WMI Stdregprov
mediumDetects the usage of wmic.exe to modify Windows registry via the WMI StdRegProv class write methods (CreateKey, DeleteKey, SetStringValue, etc.), indicating potential defense evasion or persistence.
Detection queries are available on the platform. Get full rules →