Detection / high / test

Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

Authors: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created: Sat Jan 30
Updated: Tue Feb 14
Rule ID: 847d5ff3-8a31-4737-a970-aeae8fe21765
Product: windows

Log Source
Windows, Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
4 selectors
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'product where '
            - 'call'
            - 'uninstall'
            - '/nointeractive'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'caption like '
        CommandLine|contains:
            - 'call delete'
            - 'call terminate'
    selection_cli_3:
        CommandLine|contains|all:
            - 'process '
            - 'where '
            - 'delete'
    selection_product:
        CommandLine|contains:
            - '%carbon%'
            - '%cylance%'
            - '%endpoint%'
            - '%eset%'
            - '%malware%'
            - '%Sophos%'
            - '%symantec%'
            - 'Antivirus'
            - 'AVG '
            - 'Carbon Black'
            - 'CarbonBlack'
            - 'Cb Defense Sensor 64-bit'
            - 'Crowdstrike Sensor'
            - 'Cylance '
            - 'Dell Threat Defense'
            - 'DLP Endpoint'
            - 'Endpoint Detection'
            - 'Endpoint Protection'
            - 'Endpoint Security'
            - 'Endpoint Sensor'
            - 'ESET File Security'
            - 'LogRhythm System Monitor Service'
            - 'Malwarebytes'
            - 'McAfee Agent'
            - 'Microsoft Security Client'
            - 'Sophos Anti-Virus'
            - 'Sophos AutoUpdate'
            - 'Sophos Credential Store'
            - 'Sophos Management Console'
            - 'Sophos Management Database'
            - 'Sophos Management Server'
            - 'Sophos Remote Management System'
            - 'Sophos Update Manager'
            - 'Threat Protection'
            - 'VirusScan'
            - 'Webroot SecureAnywhere'
            - 'Windows Defender'
    condition: 1 of selection_cli_* and selection_product
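
The rule's condition evaluated over constructed command lines, as an added example that is not part of the Sigma rule or this page's tooling. Function names and the sample command lines are assumptions; the last sample shows that selection_cli_3 does not require 'wmic', so unrelated command lines can satisfy it.

```python
# Added example (not from the Sigma project): evaluate this rule's condition in plain Python.
# Sigma 'contains' is a case-insensitive substring match; '|all' requires every listed value.
CLI_SELECTIONS = {
    "selection_cli_1": {"all": ["wmic", "product where ", "call", "uninstall", "/nointeractive"]},
    "selection_cli_2": {"all": ["wmic", "caption like "],
                        "any": ["call delete", "call terminate"]},
    "selection_cli_3": {"all": ["process ", "where ", "delete"]},
}
PRODUCTS = [  # selection_product, copied from the rule above
    "%carbon%", "%cylance%", "%endpoint%", "%eset%", "%malware%", "%Sophos%", "%symantec%",
    "Antivirus", "AVG ", "Carbon Black", "CarbonBlack", "Cb Defense Sensor 64-bit",
    "Crowdstrike Sensor", "Cylance ", "Dell Threat Defense", "DLP Endpoint",
    "Endpoint Detection", "Endpoint Protection", "Endpoint Security", "Endpoint Sensor",
    "ESET File Security", "LogRhythm System Monitor Service", "Malwarebytes", "McAfee Agent",
    "Microsoft Security Client", "Sophos Anti-Virus", "Sophos AutoUpdate",
    "Sophos Credential Store", "Sophos Management Console", "Sophos Management Database",
    "Sophos Management Server", "Sophos Remote Management System", "Sophos Update Manager",
    "Threat Protection", "VirusScan", "Webroot SecureAnywhere", "Windows Defender",
]

def contains(cmd, needle):
    return needle.lower() in cmd.lower()

def selection_matches(sel, cmd):
    # Keys inside one selection are ANDed: every 'all' value and at least one 'any' value.
    all_ok = all(contains(cmd, v) for v in sel["all"])
    any_ok = any(contains(cmd, v) for v in sel["any"]) if "any" in sel else True
    return all_ok and any_ok

def evaluate(cmd):
    """Return (alert, matched CLI selections, matched product strings) for one command line."""
    cli = [name for name, sel in CLI_SELECTIONS.items() if selection_matches(sel, cmd)]
    products = [p for p in PRODUCTS if contains(cmd, p)]
    # condition: 1 of selection_cli_* and selection_product
    return bool(cli) and bool(products), cli, products

SAMPLES = [  # constructed command lines, not captured telemetry
    "wmic product where \"name like '%Sophos%'\" call uninstall /nointeractive",
    "WMIC.exe process where \"caption like '%eset%'\" call terminate",
    "wmic product where \"name like '%7-Zip%'\" call uninstall /nointeractive",
    "wmic product where \"name like '%symantec%'\" get name,version",
    "cleanup.cmd --process list --where Antivirus --delete-old-logs",  # hypothetical script
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s), s)
```
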
False Positives

Legitimate administration

Rule Metadata
Rule ID
847d5ff3-8a31-4737-a970-aeae8fe21765
Status
test
Level
high
Type
Detection
Created
Sat Jan 30
Modified
Tue Feb 14
Path
rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
Raw Tags
attack.defense-evasion
attack.t1562.001