Detection rules › Sigma
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1047 Windows Management Instrumentation |
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
| Discovery | T1012 Query Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\wmic.exe'
OriginalFileName: wmic.exe
Stage 2: all of selection_cli
CommandLine|contains: call
CommandLine|contains: stdregprov
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|