Application Removal Via Wmic.EXE
Adversaries are leveraging the Windows Management Instrumentation Command-line (WMIC) utility, `wmic.exe`, to uninstall legitimate or security applications as a method of defense evasion and system impact within Windows environments.
This threat brief highlights the use of wmic.exe for unauthorized application removal, a common technique employed by adversaries in Windows environments. wmic.exe is a legitimate Windows utility for performing administrative tasks, which makes its malicious use harder to detect without specific behavioral analytics. Threat actors often leverage this command-line tool to uninstall security software, endpoint detection and response (EDR) agents, or other critical applications to evade detection, disable security controls, or prepare systems for further compromise, such as ransomware deployment or data exfiltration. The technique enables persistence and facilitates the execution of subsequent attack stages by removing obstacles. This activity is broadly observed across various malicious campaigns and is not attributed to a single threat actor or campaign, rather it's a common post-exploitation action.
Attack Chain
(Note: The provided source describes a specific technique for defense evasion, but does not detail a full attack chain from initial access to impact. The following describes where this specific technique typically fits within a broader attack lifecycle.)
- Initial Access: An adversary gains initial access to a system, typically through phishing, exploiting a vulnerable service, or using stolen credentials.
- Execution: The adversary executes malicious code, often a payload like a remote access Trojan (RAT) or a credential stealer.
- Defense Evasion (Wmic.exe Uninstallation): To hinder detection and response, the adversary uses
wmic.exeto uninstall security software (e.g.,wmic product where "name like '%Antivirus%'" call uninstall). - Credential Access: With security software disabled, the adversary may proceed to harvest credentials from the compromised system or network.
- Lateral Movement: Using acquired credentials, the adversary moves to other systems within the network.
- Impact: The adversary achieves their final objective, which could include data exfiltration, encrypting systems for ransomware, or disrupting business operations.
Impact
The unauthorized removal of applications, particularly security software, can have severe consequences for an organization. If an attacker successfully uses wmic.exe to uninstall critical applications, it can lead to a significant degradation of endpoint security posture, leaving systems vulnerable to further exploitation. This directly enables defense evasion, allowing threat actors to operate undetected for longer periods, escalate privileges, and proceed with their objectives such as data theft, ransomware deployment, or complete system compromise. The impact can range from temporary disruption to substantial financial loss due to data breaches, operational downtime, and recovery costs. This technique is observed across various sectors due to its broad applicability.
Recommendation
- Deploy the provided Sigma rule "Application Removed Via Wmic.EXE" to your SIEM/EDR to detect suspicious
wmic.exeuninstallation attempts. - Ensure process creation logging, especially with command-line arguments, is enabled for all Windows endpoints, as this is critical telemetry for the provided Sigma rule.
- Investigate any alerts from the "Application Removed Via Wmic.EXE" rule immediately, as
wmic.exeuninstall commands are rarely executed legitimately in enterprise environments by end-users.
Detection coverage 1
Application Removed Via Wmic.EXE
mediumDetects the removal or uninstallation of an application via the 'Wmic.EXE' utility, which is often used by adversaries for defense evasion by disabling security products or other software.
Detection queries are available on the platform. Get full rules →