Detection of Service Manipulation via WMIC.exe
This brief describes the detection of adversaries leveraging the native Windows Management Instrumentation Command-line (WMIC.exe) utility to start or stop services on compromised Windows systems, a common technique for persistence, privilege escalation, or lateral movement.
Adversaries frequently utilize Living-off-the-Land Binaries (LOLBINs) to execute malicious actions while blending in with legitimate system activity. WMIC.exe, a built-in Windows utility, is one such tool often abused for system administration tasks, including the manipulation of services. This brief focuses on detecting instances where attackers invoke wmic.exe with service call startservice or stopservice commands. Such activity typically occurs post-compromise, indicating that an attacker has gained a foothold and is attempting to establish persistence, elevate privileges, or facilitate lateral movement by disabling security services, enabling malicious services, or modifying system configurations. Detecting these specific command-line arguments is crucial for defenders to identify attacker activity that directly impacts system integrity and availability, often serving as an early indicator of more advanced stages of an attack chain leading to data exfiltration or ransomware deployment.
Impact
Successful manipulation of services using wmic.exe can lead to various detrimental outcomes. Attackers might disable security software, ensuring their malicious tools run unimpeded. They could stop critical legitimate services, causing denial-of-service or system instability, and replace them with malicious counterparts to maintain persistence and execute commands with elevated privileges. Such actions can facilitate lateral movement within a network, lead to data exfiltration, or prepare the ground for ransomware deployment, significantly impacting business operations, data confidentiality, and system integrity. While specific victim counts are not tied to this generic technique, any organization running Windows systems is susceptible to this abuse.
Recommendation
- Deploy the "Service Started/Stopped Via Wmic.EXE" Sigma rule provided in this brief to your SIEM solution.
- Ensure comprehensive
process_creationlogging is enabled on all Windows endpoints, ideally through Sysmon, to capture detailed command-line arguments and parent-child process relationships forwmic.exe. - Review and alert on any detected instances where
wmic.exeis used to manipulate critical services (e.g., security agents, domain controller services, core infrastructure applications) as this may indicate active compromise.
Detection coverage 1
Service Started/Stopped Via Wmic.EXE
mediumDetects usage of wmic to start or stop a service, often indicating post-compromise activity for persistence or privilege escalation.
Detection queries are available on the platform. Get full rules →