
Potential Tampering With Security Products Via WMIC

sigma HIGH SigmaHQ
T1685
imProcessCreate
wmi
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects uninstallation or termination of security products using the WMIC utility

Detection Rule

Sigma (Original)

title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
    - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
      type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
    - https://twitter.com/cglyer/status/1355171195654709249
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'product where '
            - 'call'
            - 'uninstall'
            - '/nointeractive'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'caption like '
        CommandLine|contains:
            - 'call delete'
            - 'call terminate'
    selection_cli_3:
        CommandLine|contains|all:
            - 'process '
            - 'where '
            - 'delete'
    selection_product:
        CommandLine|contains:
            - '%carbon%'
            - '%cylance%'
            - '%endpoint%'
            - '%eset%'
            - '%malware%'
            - '%Sophos%'
            - '%symantec%'
            - 'Antivirus'
            - 'AVG '
            - 'Carbon Black'
            - 'CarbonBlack'
            - 'Cb Defense Sensor 64-bit'
            - 'Crowdstrike Sensor'
            - 'Cylance '
            - 'Dell Threat Defense'
            - 'DLP Endpoint'
            - 'Endpoint Detection'
            - 'Endpoint Protection'
            - 'Endpoint Security'
            - 'Endpoint Sensor'
            - 'ESET File Security'
            - 'LogRhythm System Monitor Service'
            - 'Malwarebytes'
            - 'McAfee Agent'
            - 'Microsoft Security Client'
            - 'Sophos Anti-Virus'
            - 'Sophos AutoUpdate'
            - 'Sophos Credential Store'
            - 'Sophos Management Console'
            - 'Sophos Management Database'
            - 'Sophos Management Server'
            - 'Sophos Remote Management System'
            - 'Sophos Update Manager'
            - 'Threat Protection'
            - 'VirusScan'
            - 'Webroot SecureAnywhere'
            - 'Windows Defender'
    condition: 1 of selection_cli_* and selection_product
falsepositives:
    - Legitimate administration
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
        (TargetProcessCommandLine contains "wmic" and TargetProcessCommandLine contains "product where " and TargetProcessCommandLine contains "call" and TargetProcessCommandLine contains "uninstall" and TargetProcessCommandLine contains "/nointeractive")
        or ((TargetProcessCommandLine contains "wmic" and TargetProcessCommandLine contains "caption like ") and (TargetProcessCommandLine contains "call delete" or TargetProcessCommandLine contains "call terminate"))
        or (TargetProcessCommandLine contains "process " and TargetProcessCommandLine contains "where " and TargetProcessCommandLine contains "delete")
    )
    and (
        TargetProcessCommandLine contains "%carbon%"
        or TargetProcessCommandLine contains "%cylance%"
        or TargetProcessCommandLine contains "%endpoint%"
        or TargetProcessCommandLine contains "%eset%"
        or TargetProcessCommandLine contains "%malware%"
        or TargetProcessCommandLine contains "%Sophos%"
        or TargetProcessCommandLine contains "%symantec%"
        or TargetProcessCommandLine contains "Antivirus"
        or TargetProcessCommandLine contains "AVG "
        or TargetProcessCommandLine contains "Carbon Black"
        or TargetProcessCommandLine contains "CarbonBlack"
        or TargetProcessCommandLine contains "Cb Defense Sensor 64-bit"
        or TargetProcessCommandLine contains "Crowdstrike Sensor"
        or TargetProcessCommandLine contains "Cylance "
        or TargetProcessCommandLine contains "Dell Threat Defense"
        or TargetProcessCommandLine contains "DLP Endpoint"
        or TargetProcessCommandLine contains "Endpoint Detection"
        or TargetProcessCommandLine contains "Endpoint Protection"
        or TargetProcessCommandLine contains "Endpoint Security"
        or TargetProcessCommandLine contains "Endpoint Sensor"
        or TargetProcessCommandLine contains "ESET File Security"
        or TargetProcessCommandLine contains "LogRhythm System Monitor Service"
        or TargetProcessCommandLine contains "Malwarebytes"
        or TargetProcessCommandLine contains "McAfee Agent"
        or TargetProcessCommandLine contains "Microsoft Security Client"
        or TargetProcessCommandLine contains "Sophos Anti-Virus"
        or TargetProcessCommandLine contains "Sophos AutoUpdate"
        or TargetProcessCommandLine contains "Sophos Credential Store"
        or TargetProcessCommandLine contains "Sophos Management Console"
        or TargetProcessCommandLine contains "Sophos Management Database"
        or TargetProcessCommandLine contains "Sophos Management Server"
        or TargetProcessCommandLine contains "Sophos Remote Management System"
        or TargetProcessCommandLine contains "Sophos Update Manager"
        or TargetProcessCommandLine contains "Threat Protection"
        or TargetProcessCommandLine contains "VirusScan"
        or TargetProcessCommandLine contains "Webroot SecureAnywhere"
        or TargetProcessCommandLine contains "Windows Defender"
    )
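To see how the rule's condition (1 of selection_cli_* AND selection_product) actually gates alerts, here is an added reference implementation of the same logic in Python, not SigmaHQ code, with Sigma's case-insensitive `contains` semantics and a few constructed process-creation command lines. The benign cases show why the selection_product list is what keeps routine wmic uninstalls of non-security software from firing.

```python
"""Added example: the Sigma rule's detection logic as plain Python.
Not SigmaHQ code. Sample command lines below are constructed."""

# selection_cli_1: every term must be present (contains|all)
CLI_1_ALL = ["wmic", "product where ", "call", "uninstall", "/nointeractive"]
# selection_cli_2: both 'all' terms AND at least one 'contains' term
CLI_2_ALL = ["wmic", "caption like "]
CLI_2_ANY = ["call delete", "call terminate"]
# selection_cli_3: every term must be present
CLI_3_ALL = ["process ", "where ", "delete"]
# selection_product: any one of these strings (lower-cased; trailing spaces kept)
PRODUCT_ANY = [
    "%carbon%", "%cylance%", "%endpoint%", "%eset%", "%malware%", "%sophos%",
    "%symantec%", "antivirus", "avg ", "carbon black", "carbonblack",
    "cb defense sensor 64-bit", "crowdstrike sensor", "cylance ",
    "dell threat defense", "dlp endpoint", "endpoint detection",
    "endpoint protection", "endpoint security", "endpoint sensor",
    "eset file security", "logrhythm system monitor service", "malwarebytes",
    "mcafee agent", "microsoft security client", "sophos anti-virus",
    "sophos autoupdate", "sophos credential store", "sophos management console",
    "sophos management database", "sophos management server",
    "sophos remote management system", "sophos update manager",
    "threat protection", "virusscan", "webroot secureanywhere", "windows defender",
]

def _all(cl, terms):
    return all(t in cl for t in terms)

def _any(cl, terms):
    return any(t in cl for t in terms)

def matches(command_line: str) -> bool:
    """True when the event satisfies: 1 of selection_cli_* and selection_product."""
    cl = command_line.lower()  # Sigma 'contains' is case-insensitive
    cli_hit = (_all(cl, CLI_1_ALL)
               or (_all(cl, CLI_2_ALL) and _any(cl, CLI_2_ANY))
               or _all(cl, CLI_3_ALL))
    return cli_hit and _any(cl, PRODUCT_ANY)

def scan(events):
    """Return the subset of (event_id, command_line) pairs the rule would alert on."""
    return [(eid, cl) for eid, cl in events if matches(cl)]

if __name__ == "__main__":
    SAMPLE = [  # constructed events: two that should alert, two benign
        (1, "wmic product where \"name like '%Sophos%'\" call uninstall /nointeractive"),
        (2, "wmic process where \"caption like '%Malwarebytes%'\" call terminate"),
        (3, "wmic product where \"name like '%Java%'\" call uninstall /nointeractive"),
        (4, "wmic process where \"name='notepad.exe'\" delete"),
    ]
    for eid, cl in scan(SAMPLE):
        print(f"ALERT event {eid}: {cl}")
```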

Required Data Sources

Sentinel Table      Notes
imProcessCreate     Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml