{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wmic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["IcedID"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","application-uninstall","wmic"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on the abuse of Windows Management Instrumentation Command-line (WMIC) to uninstall applications in a non-interactive manner. This technique is often employed by threat actors, including IcedID, to disable or remove security software, such as antivirus solutions, in order to evade detection and establish a stronger foothold within a compromised environment. This activity is often seen post-compromise, after initial access has been established, and is used to further the attacker\u0026rsquo;s objectives. The use of the \u003ccode\u003e/nointeractive\u003c/code\u003e flag is a key indicator of this malicious activity. This behavior is significant because it allows attackers to disable security defenses, facilitating further compromise and persistence within the environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through a phishing campaign or other exploit.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious payload on the victim machine.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence and elevates privileges.\u003c/li\u003e\n\u003cli\u003eWMIC is invoked via \u003ccode\u003ewmic.exe\u003c/code\u003e with parameters to enumerate installed products.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eproduct\u003c/code\u003e argument with a \u003ccode\u003ewhere name\u003c/code\u003e clause to identify target applications.\u003c/li\u003e\n\u003cli\u003eWMIC is then used with the \u003ccode\u003ecall uninstall\u003c/code\u003e command to remove the target application.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/nointeractive\u003c/code\u003e flag is used to suppress prompts and execute the uninstall silently.\u003c/li\u003e\n\u003cli\u003eSecurity software is disabled, allowing for further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack results in the removal of security software, such as antivirus or endpoint detection and response (EDR) agents, which significantly reduces the victim\u0026rsquo;s ability to detect and respond to the compromise. As seen in the IcedID campaign, this can lead to rapid escalation, such as ransomware deployment within 24 hours. This can affect any Windows environment where WMIC is accessible, potentially impacting organizations of any size.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious WMIC Product Uninstall via CommandLine\u003c/code\u003e to detect non-interactive uninstallation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any process that spawns \u003ccode\u003ewmic.exe\u003c/code\u003e with arguments containing \u003ccode\u003eproduct\u003c/code\u003e, \u003ccode\u003ewhere name\u003c/code\u003e, \u003ccode\u003ecall uninstall\u003c/code\u003e, and \u003ccode\u003e/nointeractive\u003c/code\u003e, as highlighted in the rule description.\u003c/li\u003e\n\u003cli\u003eEnsure endpoint detection and response (EDR) agents are configured to log process command-line arguments, which is required for the detection to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and harden endpoint security policies to restrict the use of WMIC where possible.\u003c/li\u003e\n\u003cli\u003eMonitor parent processes of \u003ccode\u003ewmic.exe\u003c/code\u003e to identify potential malicious origins.\u003c/li\u003e\n\u003cli\u003eWhitelist legitimate uses of \u003ccode\u003ewmic.exe\u003c/code\u003e for application uninstallation, based on parent process and command line, to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-uninstallation/","summary":"This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.","title":"Suspicious WMIC Application Uninstallation","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-uninstallation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["process-termination","wmic","cryptocurrency-mining","endpoint"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying the use of the Windows Management Instrumentation Command-line (WMIC) utility to terminate processes by referencing their file paths. Specifically, it looks for instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used with the \u003ccode\u003edelete\u003c/code\u003e command targeting an executable path. This technique is often employed by attackers to disable security software, terminate competing processes (such as other miners), or halt critical system services, as seen in cases involving cryptocurrency miners. The activity is often associated with the initial stages of setting up malicious operations on an endpoint, giving defenders an opportunity to disrupt attacks early in the kill chain. The source material was released in 2026, but the underlying technique has been used since at least 2020.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, often through methods not directly covered by this detection (e.g., exploiting a vulnerability or using compromised credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific parameters to target a running process.\u003c/li\u003e\n\u003cli\u003eThe command includes the \u003ccode\u003eprocess\u003c/code\u003e argument to specify the process to be targeted, the \u003ccode\u003eexecutablepath\u003c/code\u003e argument to identify the process by its file path, and the \u003ccode\u003edelete\u003c/code\u003e command to terminate the process.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmic.exe\u003c/code\u003e attempts to locate the process based on the provided file path.\u003c/li\u003e\n\u003cli\u003eIf the process is found, \u003ccode\u003ewmic.exe\u003c/code\u003e sends a termination signal to the process.\u003c/li\u003e\n\u003cli\u003eThe targeted process is terminated.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to disable other security tools or competing processes.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with their primary objective, such as deploying and executing a cryptocurrency miner or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique can lead to the disabling of security software, allowing malware to operate unimpeded. It can also result in the termination of critical system processes, leading to system instability or data loss. Observed cases include the deployment of XMRig cryptocurrency miners following the termination of security tools. If left unchecked, this activity can significantly increase the attacker\u0026rsquo;s foothold within the compromised environment, facilitating further malicious actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Termination via WMIC File Path\u003c/code\u003e to your SIEM and tune it for your environment to identify malicious process termination attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to provide the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003ewmic.exe\u003c/code\u003e being used with the \u003ccode\u003edelete\u003c/code\u003e command, especially when targeting executable paths of known security products or critical system processes.\u003c/li\u003e\n\u003cli\u003eImplement the \u003ccode\u003eprocess_kill_base_on_file_path_filter\u003c/code\u003e macro referenced in the search query to reduce noise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-process-kill-file-path/","summary":"This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.","title":"Detection of Process Termination via File Path Using WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-03-process-kill-file-path/"}],"language":"en","title":"CraftedSignal Threat Feed — Wmic","version":"https://jsonfeed.org/version/1.1"}