Skip to content
Threat Feed
medium advisory

Application Termination Attempt via Wmic.EXE

Adversaries leverage the native Windows Management Instrumentation Command-line (WMIC) utility to terminate applications, specifically security products, as a defense evasion technique.

This brief focuses on the use of the wmic.exe utility by adversaries to terminate running processes on a compromised Windows host. This technique, often employed for defense evasion, allows attackers to disable security software, monitoring agents, or other critical applications that might hinder their malicious activities. While the provided Sigma rule specifically targets the call terminate functionality of wmic, this method has been observed in various campaigns, including ransomware operations like LockFile, which leverage it to ensure unimpeded execution of their payload. The detection aims to alert defenders to suspicious attempts to shut down applications, regardless of the success of the termination, providing an early warning sign of potential hostile intent.

Impact

The successful termination of security applications can severely degrade an organization's defense posture, allowing malware to execute without detection, establish persistence, or exfiltrate data. If monitoring tools are disabled, attackers can operate stealthily, prolonging their presence in the environment and increasing the scope of damage. In the context of ransomware, disabling endpoint protection can lead to widespread encryption of critical systems and data, resulting in significant operational disruption, data loss, and financial demands for recovery. The impact can extend to data integrity, system availability, and compliance with regulatory requirements.

Recommendation

  • Deploy the Application Termination Attempt via Wmic.EXE Sigma rule to your SIEM for immediate detection of wmic.exe attempting to terminate processes.
  • Ensure Sysmon process creation logging is enabled on all Windows endpoints to capture wmic.exe command-line arguments, which are crucial for this detection rule.
  • Investigate all alerts generated by the Application Termination Attempt via Wmic.EXE rule to differentiate between legitimate administrative actions and malicious activity.
  • Review endpoint security configurations to ensure robust tamper protection mechanisms are in place that prevent unauthorized termination of security products, even by administrative tools.

Detection coverage 1

Application Termination Attempt via Wmic.EXE

medium

Detects an attempt to terminate a process via 'wmic.exe' using the 'call terminate' flags, a technique often used by adversaries to disable security products.

sigma tactics: defense_evasion, execution techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →