Description
This detection identifies suspicious process creation using Windows Management Instrumentation Command-line (WMIC). Attackers often abuse WMIC to execute commands and payloads while evading detection. WMIC provides a command-line interface to Windows Management Instrumentation (WMI) which can be used to manage systems locally or remotely. This detection focuses on specific WMIC command patterns that are commonly associated with malicious activity, such as using the 'process call create' method to spawn new processes.
Detection Details
- Tool: Sigma
- Category: Sigma
- Severity: Medium
- Status: Active
Metadata
- ID: SIGMA-001
- Author: Khalid Al Harthi
- Last Updated: 2023-10-20
MITRE ATT&CK Techniques
- T1047 - Windows Management Instrumentation
- T1059 - Command and Scripting Interpreter
False Positives
- Administrative scripts using WMIC for legitimate purposes
- Software deployment systems
- Monitoring agents
Tool-Specific Rule Format
title: Suspicious Process Creation via WMIC
id: SIGMA-001
status: active
description: Detects suspicious process creation via Windows Management Instrumentation Command-line (WMIC), a technique used by attackers for execution.
author: Khalid Al Harthi
date: 2023-10-20
modified: 2023-10-20
tags:
    - attack.t1047
    - attack.t1059
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'wmic'
            - 'process'
            - 'call'
            - 'create'
    condition: selection
falsepositives:
    - Administrative scripts using WMIC for legitimate purposes
    - Software deployment systems
    - Monitoring agents
level: medium
Implementation Notes
This Sigma rule can be converted to various SIEM and EDR platforms using the Sigma converter. The rule detects specific patterns that may indicate malicious activity. Consider adding additional context or filters to reduce false positives in environments where these patterns might appear in legitimate use cases.
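The following is an added example, not code from the page or from the Sigma project: it re-implements the rule's `CommandLine|contains|all` logic in Python (Sigma string matching is case-insensitive, so all four terms are compared in lower case), runs it over a handful of constructed process-creation events, and shows the kind of tuning the Implementation Notes suggest. The known-good parent image, the WMIC user baseline, the account names and the paths are all assumptions introduced for the example; the `triage_flags` helper is a hypothetical enrichment that surfaces the context the True Positive Indicators below ask for.

```python
"""Evaluate the page's WMIC 'process call create' Sigma logic over constructed
process-creation events (added example; not the Sigma converter)."""
from dataclasses import dataclass

# Terms from the page's rule: CommandLine|contains|all (Sigma matching is case-insensitive).
RULE_TERMS = ("wmic", "process", "call", "create")

# Hypothetical tuning filter (assumption, not part of the original rule): parent images
# of deployment/monitoring agents whose WMIC use is expected in this environment.
KNOWN_GOOD_PARENTS = {r"c:\program files\deploytool\agent.exe"}

# Hypothetical baseline (constructed) of accounts that routinely run WMIC.
BASELINE_WMIC_USERS = {"corp\\svc-deploy"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event; field names modelled on Sysmon Event ID 1."""
    command_line: str
    user: str
    parent_image: str


def contains_all(value: str, terms) -> bool:
    """Sigma 'contains|all': every term is a case-insensitive substring, in any order."""
    lowered = value.lower()
    return all(term.lower() in lowered for term in terms)


def selection(event: ProcessEvent) -> bool:
    """The rule's 'selection' block."""
    return contains_all(event.command_line, RULE_TERMS)


def known_good_filter(event: ProcessEvent) -> bool:
    """Hypothetical 'filter' block: WMIC spawned by a known deployment agent."""
    return event.parent_image.lower() in KNOWN_GOOD_PARENTS


def rule_fires(event: ProcessEvent) -> bool:
    """Equivalent to a Sigma condition of 'selection and not filter'."""
    return selection(event) and not known_good_filter(event)


def triage_flags(event: ProcessEvent) -> list:
    """Context an analyst wants attached to a hit before deciding true/false positive."""
    flags = []
    if event.user.lower() not in BASELINE_WMIC_USERS:
        flags.append("user_not_in_wmic_baseline")
    if "/node:" in event.command_line.lower():
        flags.append("remote_target_specified")
    return flags


def run_detection(events):
    """Return (event, flags) pairs for every event the rule fires on."""
    return [(e, triage_flags(e)) for e in events if rule_fires(e)]


# Constructed sample events; users, hosts and paths are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent('wmic process call create "calc.exe"', "CORP\\alice",
                 r"c:\windows\system32\cmd.exe"),
    ProcessEvent('WMIC /node:srv01 PROCESS CALL CREATE "notepad.exe"', "CORP\\alice",
                 r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"),
    ProcessEvent("wmic process list brief", "CORP\\bob",
                 r"c:\windows\system32\cmd.exe"),
    ProcessEvent('wmic process call create "msiexec /i pkg.msi /quiet"', "CORP\\svc-deploy",
                 r"c:\program files\deploytool\agent.exe"),
    ProcessEvent("wmic computersystem get domain", "CORP\\bob",
                 r"c:\windows\system32\cmd.exe"),
]

if __name__ == "__main__":
    for event, flags in run_detection(SAMPLE_EVENTS):
        print(f"HIT user={event.user} parent={event.parent_image} flags={flags}")
        print(f"    cmd={event.command_line}")
```

Two of the five constructed events fire (the mixed-case remote invocation matches because the comparison is case-insensitive), the deployment agent's invocation is suppressed by the filter, and the read-only `wmic process list` and `wmic computersystem get` commands never match because `call` and `create` are absent. The same filter expressed in Sigma would be a second map under `detection` (for example `filter: ParentImage|endswith: '\deploytool\agent.exe'`) with `condition: selection and not filter`.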
Alert Details
Why This Alert Fired
This Sigma rule detects suspicious process creation via Windows Management Instrumentation Command-line (WMIC), a technique used by attackers for execution.
Investigation Steps
- Identify which log source triggered the Sigma rule
- Review the raw log data that matched the detection criteria
- Look for unusual patterns or deviations from normal behavior
- Check if the activity is consistent with the user's role and typical activities
- Examine the context surrounding the matched event
- Check for related events using the same techniques or tactics
- Verify if the activity is consistent with normal operations
True Positive Indicators
- WMIC used to execute suspicious commands or scripts
- Execution chain involving other suspicious processes
- Unusual command-line parameters or execution context
- Activity from user accounts that don't typically use WMIC
False Positive Indicators
- Administrative scripts using WMIC for legitimate purposes
- Software deployment systems
- Monitoring agents
Recommended Response Actions
This detection requires investigation to determine if action is needed.
- Investigate the activity thoroughly before taking action
- If confirmed malicious, isolate affected systems
- Reset credentials if account compromise is suspected
- Monitor for additional related activity
- Document findings for future reference
Documentation & Evidence Collection
- Document all investigation steps and findings in the case management system
- Capture screenshots of relevant events and timelines
- Export raw logs and preserve them as evidence
- Document any systems accessed and actions taken during investigation
- Record all remediation actions if a true positive is confirmed