detection.wiki

Detection rules › Sigma

Potential Tampering With Security Products Via WMIC

Severity
high
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects uninstallation or termination of security products using the WMIC utility

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_cli_1

CommandLine|contains: '/nointeractive'
CommandLine|contains: call
CommandLine|contains: 'product where '
CommandLine|contains: uninstall
CommandLine|contains: wmic

Stage 2: 1 of selection_cli_2

or:
CommandLine|contains: 'call delete'
CommandLine|contains: 'call terminate'
CommandLine|contains: 'caption like '
CommandLine|contains: wmic

Stage 3: 1 of selection_cli_3

CommandLine|contains: delete
CommandLine|contains: 'process '
CommandLine|contains: 'where '

Stage 4: selection_product

or:
CommandLine|contains: '%Sophos%'
CommandLine|contains: '%carbon%'
CommandLine|contains: '%cylance%'
CommandLine|contains: '%endpoint%'
CommandLine|contains: '%eset%'
CommandLine|contains: '%malware%'
CommandLine|contains: '%symantec%'
CommandLine|contains: 'AVG '
CommandLine|contains: Antivirus
CommandLine|contains: 'Carbon Black'
CommandLine|contains: CarbonBlack
CommandLine|contains: 'Cb Defense Sensor 64-bit'
CommandLine|contains: 'Crowdstrike Sensor'
CommandLine|contains: 'Cylance '
CommandLine|contains: 'DLP Endpoint'
CommandLine|contains: 'Dell Threat Defense'
CommandLine|contains: 'ESET File Security'
CommandLine|contains: 'Endpoint Detection'
CommandLine|contains: 'Endpoint Protection'
CommandLine|contains: 'Endpoint Security'
CommandLine|contains: 'Endpoint Sensor'
CommandLine|contains: 'LogRhythm System Monitor Service'
CommandLine|contains: Malwarebytes
CommandLine|contains: 'McAfee Agent'
CommandLine|contains: 'Microsoft Security Client'
CommandLine|contains: 'Sophos Anti-Virus'
CommandLine|contains: 'Sophos AutoUpdate'
CommandLine|contains: 'Sophos Credential Store'
CommandLine|contains: 'Sophos Management Console'
CommandLine|contains: 'Sophos Management Database'
CommandLine|contains: 'Sophos Management Server'
CommandLine|contains: 'Sophos Remote Management System'
CommandLine|contains: 'Sophos Update Manager'
CommandLine|contains: 'Threat Protection'
CommandLine|contains: VirusScan
CommandLine|contains: 'Webroot SecureAnywhere'
CommandLine|contains: 'Windows Defender'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • %Sophos%
  • %carbon%
  • %cylance%
  • %endpoint%
  • %eset%
  • %malware%
  • %symantec%
  • /nointeractive
  • AVG
  • Antivirus corpus 2 (sigma 2)
  • Carbon Black
  • CarbonBlack
  • Cb Defense Sensor 64-bit
  • Crowdstrike Sensor
  • Cylance
  • DLP Endpoint
  • Dell Threat Defense
  • ESET File Security
  • Endpoint Detection
  • Endpoint Protection
  • Endpoint Security
  • Endpoint Sensor
  • LogRhythm System Monitor Service
  • Malwarebytes
  • McAfee Agent
  • Microsoft Security Client
  • Sophos Anti-Virus
  • Sophos AutoUpdate
  • Sophos Credential Store
  • Sophos Management Console
  • Sophos Management Database
  • Sophos Management Server
  • Sophos Remote Management System
  • Sophos Update Manager
  • Threat Protection
  • VirusScan
  • Webroot SecureAnywhere
  • Windows Defender
  • call corpus 7 (sigma 7)
  • call delete
  • call terminate
  • caption like
  • delete corpus 7 (sigma 7)
  • process corpus 2 (sigma 2)
  • product where
  • uninstall corpus 2 (sigma 2)
  • where
  • wmic