{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application-uninstall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["IcedID"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","application-uninstall","wmic"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on the abuse of Windows Management Instrumentation Command-line (WMIC) to uninstall applications in a non-interactive manner. This technique is often employed by threat actors, including IcedID, to disable or remove security software, such as antivirus solutions, in order to evade detection and establish a stronger foothold within a compromised environment. This activity is often seen post-compromise, after initial access has been established, and is used to further the attacker\u0026rsquo;s objectives. The use of the \u003ccode\u003e/nointeractive\u003c/code\u003e flag is a key indicator of this malicious activity. This behavior is significant because it allows attackers to disable security defenses, facilitating further compromise and persistence within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through a phishing campaign or other exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload on the victim machine.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence and elevates privileges.\u003c/li\u003e\n\u003cli\u003eWMIC is invoked via \u003ccode\u003ewmic.exe\u003c/code\u003e with parameters to enumerate installed products.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eproduct\u003c/code\u003e argument with a \u003ccode\u003ewhere name\u003c/code\u003e clause to identify target applications.\u003c/li\u003e\n\u003cli\u003eWMIC is then used with the \u003ccode\u003ecall uninstall\u003c/code\u003e command to remove the target application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/nointeractive\u003c/code\u003e flag is used to suppress prompts and execute the uninstall silently.\u003c/li\u003e\n\u003cli\u003eSecurity software is disabled, allowing for further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack results in the removal of security software, such as antivirus or endpoint detection and response (EDR) agents, which significantly reduces the victim\u0026rsquo;s ability to detect and respond to the compromise. As seen in the IcedID campaign, this can lead to rapid escalation, such as ransomware deployment within 24 hours. This can affect any Windows environment where WMIC is accessible, potentially impacting organizations of any size.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious WMIC Product Uninstall via CommandLine\u003c/code\u003e to detect non-interactive uninstallation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any process that spawns \u003ccode\u003ewmic.exe\u003c/code\u003e with arguments containing \u003ccode\u003eproduct\u003c/code\u003e, \u003ccode\u003ewhere name\u003c/code\u003e, \u003ccode\u003ecall uninstall\u003c/code\u003e, and \u003ccode\u003e/nointeractive\u003c/code\u003e, as highlighted in the rule description.\u003c/li\u003e\n\u003cli\u003eEnsure endpoint detection and response (EDR) agents are configured to log process command-line arguments, which is required for the detection to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security policies to restrict the use of WMIC where possible.\u003c/li\u003e\n\u003cli\u003eMonitor parent processes of \u003ccode\u003ewmic.exe\u003c/code\u003e to identify potential malicious origins.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of \u003ccode\u003ewmic.exe\u003c/code\u003e for application uninstallation, based on parent process and command line, to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-uninstallation/","summary":"This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.","title":"Suspicious WMIC Application Uninstallation","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-uninstallation/"}],"language":"en","title":"CraftedSignal Threat Feed — Application-Uninstall","version":"https://jsonfeed.org/version/1.1"}