{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cryptocurrency-mining/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-termination","wmic","cryptocurrency-mining","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying the use of the Windows Management Instrumentation Command-line (WMIC) utility to terminate processes by referencing their file paths. Specifically, it looks for instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used with the \u003ccode\u003edelete\u003c/code\u003e command targeting an executable path. This technique is often employed by attackers to disable security software, terminate competing processes (such as other miners), or halt critical system services, as seen in cases involving cryptocurrency miners. The activity is often associated with the initial stages of setting up malicious operations on an endpoint, giving defenders an opportunity to disrupt attacks early in the kill chain. The source material was released in 2026, but the underlying technique has been used since at least 2020.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through methods not directly covered by this detection (e.g., exploiting a vulnerability or using compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific parameters to target a running process.\u003c/li\u003e\n\u003cli\u003eThe command includes the \u003ccode\u003eprocess\u003c/code\u003e argument to specify the process to be targeted, the \u003ccode\u003eexecutablepath\u003c/code\u003e argument to identify the process by its file path, and the \u003ccode\u003edelete\u003c/code\u003e command to terminate the process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmic.exe\u003c/code\u003e attempts to locate the process based on the provided file path.\u003c/li\u003e\n\u003cli\u003eIf the process is found, \u003ccode\u003ewmic.exe\u003c/code\u003e sends a termination signal to the process.\u003c/li\u003e\n\u003cli\u003eThe targeted process is terminated.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to disable other security tools or competing processes.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with their primary objective, such as deploying and executing a cryptocurrency miner or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique can lead to the disabling of security software, allowing malware to operate unimpeded. It can also result in the termination of critical system processes, leading to system instability or data loss. Observed cases include the deployment of XMRig cryptocurrency miners following the termination of security tools. If left unchecked, this activity can significantly increase the attacker\u0026rsquo;s foothold within the compromised environment, facilitating further malicious actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Termination via WMIC File Path\u003c/code\u003e to your SIEM and tune it for your environment to identify malicious process termination attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003ewmic.exe\u003c/code\u003e being used with the \u003ccode\u003edelete\u003c/code\u003e command, especially when targeting executable paths of known security products or critical system processes.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eprocess_kill_base_on_file_path_filter\u003c/code\u003e macro referenced in the search query to reduce noise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-process-kill-file-path/","summary":"This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.","title":"Detection of Process Termination via File Path Using WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-03-process-kill-file-path/"}],"language":"en","title":"CraftedSignal Threat Feed — Cryptocurrency-Mining","version":"https://jsonfeed.org/version/1.1"}