Rule Library

Sigma Rules

515 rules found for "Red Canary"

3,707 Total | 3,116 Detection | 451 Emerging | 137 Hunting

Detection | medium | test

Windows Credential Manager Access via VaultCmd

List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe

Windows | Process Creation
TA0006 · Credential Access | T1555.004 · Windows Credential Manager
François Hubaut | Fri Apr 08 | windows
Detection | high | test

Use of W32tm as Timer

When configured with suitable command line arguments, w32tm can act as a delay mechanism

Windows | Process Creation
TA0007 · Discovery | T1124 · System Time Discovery
François Hubaut | Sun Sep 25 | windows
Detection | high | test

All Backups Deleted Via Wbadmin.EXE

Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Windows | Process Creation
TA0040 · Impact | T1490 · Inhibit System Recovery
François Hubaut +1 | Mon Dec 13 | windows
Detection | medium | test

Windows Backup Deleted Via Wbadmin.EXE

Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Windows | Process Creation
TA0040 · Impact | T1490 · Inhibit System Recovery
François Hubaut +1 | Mon Dec 13 | windows
Detection | low | test

Suspicious Where Execution

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Windows | Process Creation
TA0007 · Discovery | T1217 · Browser Information Discovery
François Hubaut +1 | Mon Dec 13 | windows
Detection | medium | test

Remote Code Execute via Winrm.vbs

Detects an attempt to execute code or create a service on a remote host via winrm.vbs.

Windows | Process Creation
TA0005 · Defense Evasion | T1216 · System Script Proxy Execution
Julia Fomina +1 | Wed Oct 07 | windows
Detection | medium | test

Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt collected data prior to exfiltration using third-party utilities.

Windows | Process Creation
TA0009 · Collection | T1560.001 · Archive via Utility
François Hubaut | Tue Jul 27 | windows
Detection | high | test

Potential Windows Defender Tampering Via Wmic.EXE

Detects potential tampering with Windows Defender settings, such as adding an exclusion, using wmic.

Windows | Process Creation
TA0005 · Defense Evasion | TA0002 · Execution | T1047 · Windows Management Instrumentation | T1562 · Impair Defenses
François Hubaut | Sun Dec 11 | windows
Detection | medium | test

New Process Created Via Wmic.EXE

Detects new process creation using WMIC via the "process call create" flag

Windows | Process Creation
TA0002 · Execution | T1047 · Windows Management Instrumentation | 2016-03-002 · CAR 2016-03-002
Michael Haag +3 | Wed Jan 16 | windows
Detection | low | test

Local Groups Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Windows | Process Creation
TA0007 · Discovery | T1069.001 · Local Groups
François Hubaut | Sun Dec 12 | windows
Detection | medium | test

Process Reconnaissance Via Wmic.EXE

Detects the execution of "wmic" with the "process" flag, which an adversary might use to list processes running on the compromised host or to list installed software hotfixes and patches.

Windows | Process Creation
TA0002 · Execution | T1047 · Windows Management Instrumentation
François Hubaut | Sat Jan 01 | windows
Detection | medium | test

Service Reconnaissance Via Wmic.EXE

An adversary might use WMI to check whether a certain service is running on a remote device. When the query completes, information about the service is displayed if it exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable.

Windows | Process Creation
TA0002 · Execution | T1047 · Windows Management Instrumentation
François Hubaut +1 | Tue Feb 14 | windows
Detection | medium | test

Uncommon System Information Discovery Via Wmic.EXE

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Windows | Process Creation
TA0007 · Discovery | T1082 · System Information Discovery
TropChaud | Thu Jan 26 | windows
Detection | medium | test

Application Removed Via Wmic.EXE

Detects the removal or uninstallation of an application via "Wmic.EXE".

Windows | Process Creation
TA0002 · Execution | T1047 · Windows Management Instrumentation
François Hubaut | Fri Jan 28 | windows
Detection | medium | test

XSL Script Execution Via WMIC.EXE

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Windows | Process Creation
TA0005 · Defense Evasion | T1047 · Windows Management Instrumentation | T1220 · XSL Script Processing | TA0002 · Execution | +2
Timur Zinniatullin +2 | Mon Oct 21 | windows
Detection | medium | test

Potential Dropper Script Execution Via WScript/CScript

Detects wscript/cscript executions of scripts located in user directories

Windows | Process Creation
TA0002 · Execution | T1059.005 · Visual Basic | T1059.007 · JavaScript
Margaritis Dimitrios +3 | Wed Jan 16 | windows
Detection | high | test

Suspicious Windows Update Agent Empty Cmdline

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Windows | Process Creation
TA0005 · Defense Evasion | T1036 · Masquerading
Florian Roth (Nextron Systems) | Sat Feb 26 | windows
Detection | high | test

Removal Of AMSI Provider Registry Keys

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Windows | Registry Delete
TA0005 · Defense Evasion | T1562.001 · Disable or Modify Tools
François Hubaut | Mon Jun 07 | windows
Detection | high | test

Esentutl Volume Shadow Copy Service Keys

Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.

Windows | Registry Event
TA0006 · Credential Access | T1003.002 · Security Account Manager
Roberto Rodriguez (Cyb3rWard0g) +1 | Tue Oct 20 | windows
Detection | medium | test

Path To Screensaver Binary Modified

Detects modification of the registry value containing the path to the binary used as the screensaver.

Windows | Registry Event
TA0003 · Persistence | TA0004 · Privilege Escalation | T1546.002 · Screensaver
Bartlomiej Czyz +1 | Sun Oct 11 | windows
Detection | high | test

Registry Persistence via Service in Safe Mode

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Windows | Registry Set
TA0005 · Defense Evasion | T1564.001 · Hidden Files and Directories
François Hubaut | Mon Apr 04 | windows
Detection | medium | test

Add Port Monitor Persistence in Registry

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.010 · Port Monitors
François Hubaut | Thu Dec 30 | windows
Detection | medium | test

Allow RDP Remote Assistance Feature

Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine.

Windows | Registry Set
TA0003 · Persistence | TA0005 · Defense Evasion | T1112 · Modify Registry
François Hubaut | Fri Aug 19 | windows
Detection | medium | test

Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Common Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +7 | Fri Oct 25 | windows
Detection | medium | test

CurrentControlSet Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

CurrentVersion NT Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Internet Explorer Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Session Manager Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder | T1546.009 · AppCert DLLs
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

System Scripts Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

WinSock2 Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Wow6432Node CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Wow6432Node Classes Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | medium | test

Wow6432Node Windows NT CurrentVersion Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.001 · Registry Run Keys / Startup Folder
Victor Sergeev +6 | Fri Oct 25 | windows
Detection | high | test

Bypass UAC Using DelegateExecute

Bypasses User Account Control using a fileless method

Windows | Registry Set
TA0004 · Privilege Escalation | TA0005 · Defense Evasion | T1548.002 · Bypass User Account Control
François Hubaut | Wed Jan 05 | windows
Detection | high | test

Bypass UAC Using Event Viewer

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.010 · Port Monitors
François Hubaut | Wed Jan 05 | windows
Detection | high | test

Bypass UAC Using SilentCleanup Task

Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Windows | Registry Set
TA0004 · Privilege Escalation | TA0005 · Defense Evasion | T1548.002 · Bypass User Account Control
François Hubaut +1 | Thu Jan 06 | windows
Detection | high | test

Default RDP Port Changed to Non Standard Port

Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Windows | Registry Set
TA0004 · Privilege Escalation | TA0003 · Persistence | T1547.010 · Port Monitors
François Hubaut | Sat Jan 01 | windows
Detection | medium | test

IE Change Domain Zone

Hides the file extension through modification of the registry

Windows | Registry Set
TA0003 · Persistence | T1137 · Office Application Startup
François Hubaut | Sat Jan 22 | windows
Detection | high | test

Running Chrome VPN Extensions via the Registry 2 VPN Extension

Detects the installation of 2 Chrome VPN extensions via the registry.

Windows | Registry Set
TA0001 · Initial Access | TA0003 · Persistence | T1133 · External Remote Services
François Hubaut | Tue Dec 28 | windows
Detection | high | test

Service Binary in Suspicious Folder

Detects the creation of a service with a service binary located in a suspicious directory.

Windows | Registry Set
TA0003 · Persistence | TA0005 · Defense Evasion | T1112 · Modify Registry
Florian Roth (Nextron Systems) +1 | Mon May 02 | windows
Detection | high | test

Windows Hypervisor Enforced Code Integrity Disabled

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to run in the kernel.

Windows | Registry Set
TA0005 · Defense Evasion | T1562.001 · Disable or Modify Tools
Nasreddine Bencherchali (Nextron Systems) +1 | Tue Mar 14 | windows
Detection | medium | test

Disable Administrative Share Creation at Startup

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Windows | Registry Set
TA0005 · Defense Evasion | T1070.005 · Network Share Connection Removal
François Hubaut | Sun Jan 16 | windows
Detection | medium | test

Disable Microsoft Defender Firewall via Registry

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Windows | Registry Set
TA0005 · Defense Evasion | T1562.004 · Disable or Modify System Firewall
François Hubaut | Sun Jan 09 | windows
Detection | medium | test

Disable Internal Tools or Feature in Registry

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Windows | Registry Set
TA0003 · Persistence | TA0005 · Defense Evasion | T1112 · Modify Registry
François Hubaut +2 | Fri Mar 18 | windows
Detection | medium | test

Disable Privacy Settings Experience in Registry

Detects registry modifications that disable Privacy Settings Experience

Windows | Registry Set
TA0005 · Defense Evasion | T1562.001 · Disable or Modify Tools
François Hubaut | Sun Oct 02 | windows