https://feed.craftedsignal.io/tags/wmic/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-wmic-uninstallation/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmic-uninstallation/This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.This detection focuses on the abuse of Windows Management Instrumentation Command-line (WMIC) to uninstall applications in a non-interactive manner. This technique is often employed by threat actors, including IcedID, to disable or remove security software, such as antivirus solutions, in order to evade detection and establish a stronger foothold within a compromised environment. This activity is often seen post-compromise, after initial access has been established, and is used to further the attacker’s objectives. The use of the /nointeractive flag is a key indicator of this malicious activity. This behavior is significant because it allows attackers to disable security defenses, facilitating further compromise and persistence within the environment.

Attack Chain

1. Initial access is gained through a phishing campaign or other exploit.
2. The attacker executes a malicious payload on the victim machine.
3. The payload establishes persistence and elevates privileges.
4. WMIC is invoked via wmic.exe with parameters to enumerate installed products.
5. The attacker uses the product argument with a where name clause to identify target applications.
6. WMIC is then used with the call uninstall command to remove the target application.
7. The /nointeractive flag is used to suppress prompts and execute the uninstall silently.
8. Security software is disabled, allowing for further malicious activity.

Impact

Successful execution of this attack results in the removal of security software, such as antivirus or endpoint detection and response (EDR) agents, which significantly reduces the victim’s ability to detect and respond to the compromise. As seen in the IcedID campaign, this can lead to rapid escalation, such as ransomware deployment within 24 hours. This can affect any Windows environment where WMIC is accessible, potentially impacting organizations of any size.

Recommendation

• Deploy the Sigma rule Suspicious WMIC Product Uninstall via CommandLine to detect non-interactive uninstallation attempts.
• Investigate any process that spawns wmic.exe with arguments containing product, where name, call uninstall, and /nointeractive, as highlighted in the rule description.
• Ensure endpoint detection and response (EDR) agents are configured to log process command-line arguments, which is required for the detection to function correctly.
• Review and harden endpoint security policies to restrict the use of WMIC where possible.
• Monitor parent processes of wmic.exe to identify potential malicious origins.
• Whitelist legitimate uses of wmic.exe for application uninstallation, based on parent process and command line, to reduce false positives.

]]>highthreatdefense-evasionapplication-uninstallwmichttps://feed.craftedsignal.io/briefs/2024-01-03-process-kill-file-path/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-process-kill-file-path/This analytic detects the use of `wmic.exe` with the `delete` command to terminate a process by specifying its executable path, often used to disable security tools or critical processes during the setup of malicious activities like cryptocurrency mining.This detection focuses on identifying the use of the Windows Management Instrumentation Command-line (WMIC) utility to terminate processes by referencing their file paths. Specifically, it looks for instances where wmic.exe is used with the delete command targeting an executable path. This technique is often employed by attackers to disable security software, terminate competing processes (such as other miners), or halt critical system services, as seen in cases involving cryptocurrency miners. The activity is often associated with the initial stages of setting up malicious operations on an endpoint, giving defenders an opportunity to disrupt attacks early in the kill chain. The source material was released in 2026, but the underlying technique has been used since at least 2020.

Attack Chain

1. An attacker gains initial access to the system, often through methods not directly covered by this detection (e.g., exploiting a vulnerability or using compromised credentials).
2. The attacker executes wmic.exe with specific parameters to target a running process.
3. The command includes the process argument to specify the process to be targeted, the executablepath argument to identify the process by its file path, and the delete command to terminate the process.
4. wmic.exe attempts to locate the process based on the provided file path.
5. If the process is found, wmic.exe sends a termination signal to the process.
6. The targeted process is terminated.
7. The attacker repeats this process to disable other security tools or competing processes.
8. The attacker proceeds with their primary objective, such as deploying and executing a cryptocurrency miner or establishing persistence.

Impact

Successful execution of this technique can lead to the disabling of security software, allowing malware to operate unimpeded. It can also result in the termination of critical system processes, leading to system instability or data loss. Observed cases include the deployment of XMRig cryptocurrency miners following the termination of security tools. If left unchecked, this activity can significantly increase the attacker’s foothold within the compromised environment, facilitating further malicious actions.

Recommendation

• Deploy the Sigma rule Detect Process Termination via WMIC File Path to your SIEM and tune it for your environment to identify malicious process termination attempts.
• Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security (4688) to provide the necessary data for the Sigma rules.
• Investigate any identified instances of wmic.exe being used with the delete command, especially when targeting executable paths of known security products or critical system processes.
• Implement the process_kill_base_on_file_path_filter macro referenced in the search query to reduce noise.

]]>highadvisoryprocess-terminationwmiccryptocurrency-miningendpoint