Application Termination Attempt via Wmic.EXE
Adversaries leverage the native Windows Management Instrumentation Command-line (WMIC) utility to terminate applications, specifically security products, as a defense evasion technique.
This brief focuses on the use of the wmic.exe utility by adversaries to terminate running processes on a compromised Windows host. This technique, often employed for defense evasion, allows attackers to disable security software, monitoring agents, or other critical applications that might hinder their malicious activities. While the provided Sigma rule specifically targets the call terminate functionality of wmic, this method has been observed in various campaigns, including ransomware operations like LockFile, which leverage it to ensure unimpeded execution of their payload. The detection aims to alert defenders to suspicious attempts to shut down applications, regardless of the success of the termination, providing an early warning sign of potential hostile intent.
Impact
The successful termination of security applications can severely degrade an organization's defense posture, allowing malware to execute without detection, establish persistence, or exfiltrate data. If monitoring tools are disabled, attackers can operate stealthily, prolonging their presence in the environment and increasing the scope of damage. In the context of ransomware, disabling endpoint protection can lead to widespread encryption of critical systems and data, resulting in significant operational disruption, data loss, and financial demands for recovery. The impact can extend to data integrity, system availability, and compliance with regulatory requirements.
Recommendation
- Deploy the
Application Termination Attempt via Wmic.EXESigma rule to your SIEM for immediate detection ofwmic.exeattempting to terminate processes. - Ensure Sysmon process creation logging is enabled on all Windows endpoints to capture
wmic.execommand-line arguments, which are crucial for this detection rule. - Investigate all alerts generated by the
Application Termination Attempt via Wmic.EXErule to differentiate between legitimate administrative actions and malicious activity. - Review endpoint security configurations to ensure robust tamper protection mechanisms are in place that prevent unauthorized termination of security products, even by administrative tools.
Detection coverage 1
Application Termination Attempt via Wmic.EXE
mediumDetects an attempt to terminate a process via 'wmic.exe' using the 'call terminate' flags, a technique often used by adversaries to disable security products.
Detection queries are available on the platform. Get full rules →