Skip to content
Threat Feed
high advisory

Suspicious Process Creation via WMIC.exe

A high-severity threat involves adversaries abusing `wmic.exe` to create new processes like `rundll32` or `powershell` on Windows systems, a technique observed in ransomware campaigns such as Ryuk, Hive, and Conti, indicating post-compromise execution.

This brief details the suspicious use of wmic.exe by threat actors to execute arbitrary commands, specifically via the "process call create" functionality. This method allows for the creation of new processes on local or remote Windows systems. Frequently employed by ransomware operators, including groups associated with Ryuk, Hive, and Conti, this technique serves as a post-compromise execution mechanism to launch malicious payloads, establish persistence, or facilitate lateral movement within a compromised network. Although no specific campaign identifiers are provided for the exploitation of this method, its use has been consistently observed in various attacks since at least late 2020. Adversaries leverage legitimate Windows tools like wmic.exe to evade detection, making it crucial for defenders to identify and monitor such activity to prevent the progression of attacks.

Impact

Successful exploitation of this technique by adversaries typically leads to the execution of malicious code, often culminating in severe outcomes such as ransomware deployment (e.g., data encryption by Ryuk, Hive, Conti), data exfiltration, system compromise, and significant business disruption. The use of wmic.exe as an execution vector indicates an attacker has already gained a foothold, and unchecked activity can lead to a full network compromise, rendering systems inoperable and causing substantial financial and reputational damage to affected organizations.

Recommendation

  • Deploy the Detect Suspicious Process Created Via Wmic.EXE Sigma rule to your SIEM and tune it for your environment.
  • Enable Sysmon process-creation logging to ensure the necessary telemetry for the Detect Suspicious Process Created Via Wmic.EXE rule is collected.
  • Regularly review wmic.exe process creation events for unusual child processes or command-line arguments, especially those containing rundll32, powershell, or bitsadmin.

Detection coverage 1

Detect Suspicious Process Created Via Wmic.EXE

high

Detects WMIC executing 'process call create' with suspicious child processes or command-line arguments like 'rundll32', 'bitsadmin', 'powershell', or common temporary paths.

sigma tactics: execution techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →