Skip to content
Threat Feed
medium advisory

Process Creation Attempt via Wmic.EXE

Adversaries utilize the `wmic.exe` utility on Windows systems to create and execute processes, a technique detected by observing specific command-line arguments, indicating an attempt to run malicious code on compromised hosts.

This threat brief focuses on the technique where adversaries leverage the legitimate Windows Management Instrumentation Command-line (WMIC) utility, specifically wmic.exe, to create new processes on a compromised host. This method allows attackers to execute arbitrary commands or malicious binaries, often as a post-exploitation step to establish persistence, move laterally, or deliver payloads. The technique involves invoking wmic.exe with the process call create arguments, targeting the system's process management capabilities. Detection is focused on identifying these specific command-line patterns. This behavior, while potentially legitimate in rare administrative contexts, is frequently abused by threat actors to execute their tools and further their objectives. The activity is generally observed following initial access, enabling execution of next-stage implants.

Impact

Successful exploitation of this technique by adversaries can lead to the execution of unauthorized processes, potentially resulting in further compromise of the system. This could involve the deployment of malware (e.g., ransomware, infostealers), establishment of backdoors for persistent access, or execution of commands for data exfiltration or lateral movement. While the technique itself doesn't directly cause data loss, it is a critical step that enables attackers to achieve their final objectives, ranging from financial fraud to intellectual property theft or system disruption.

Recommendation

  • Deploy the provided Sigma rule "Detects Process Creation Attempt via Wmic.EXE" to your SIEM and tune it for your environment.
  • Ensure process_creation logging is enabled on all Windows endpoints to capture the necessary telemetry for the rule.
  • Review any alerts generated by the Sigma rule for wmic.exe with process call create to identify and investigate suspicious process execution attempts.

Detection coverage 1

Detects Process Creation Attempt via Wmic.EXE

medium

Detects the attempt to create a process via 'wmic' with the 'process call create' flag, which might indicate an attempt to execute a malicious process on the compromised host. Adversaries may use wmic to execute a process on the compromised host as part of their attack. This event is triggered on attempt and process creation can be either successful or unsuccessful.

sigma tactics: execution techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →