
Suspicious Process Created Via Wmic.EXE

sigma · HIGH · SigmaHQ · T1047 · imProcessCreate · wmi
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-23T23:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may use WMIC.EXE's "process call create" to launch malicious processes such as rundll32 or regsvr32.

Detection Rule

Sigma (Original)

title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
      type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
references:
    - https://thedfirreport.com/2020/10/08/ryuks-return/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'process '
            - 'call '
            - 'create '
        CommandLine|contains:
            # Add more suspicious paths and binaries as you see fit in your env
            - 'rundll32'
            - 'bitsadmin'
            - 'regsvr32'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'powershell'
            - 'pwsh'
            - 'certutil'
            - 'cscript'
            - 'wscript'
            - 'mshta'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '\AppData\Local\'
            - '%temp%'
            - '%tmp%'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "process "
    and TargetProcessCommandLine contains "call "
    and TargetProcessCommandLine contains "create ")
  and (TargetProcessCommandLine contains "rundll32"
    or TargetProcessCommandLine contains "bitsadmin"
    or TargetProcessCommandLine contains "regsvr32"
    or TargetProcessCommandLine contains "cmd.exe /c "
    or TargetProcessCommandLine contains "cmd.exe /k "
    or TargetProcessCommandLine contains "cmd.exe /r "
    or TargetProcessCommandLine contains "cmd /c "
    or TargetProcessCommandLine contains "cmd /k "
    or TargetProcessCommandLine contains "cmd /r "
    or TargetProcessCommandLine contains "powershell"
    or TargetProcessCommandLine contains "pwsh"
    or TargetProcessCommandLine contains "certutil"
    or TargetProcessCommandLine contains "cscript"
    or TargetProcessCommandLine contains "wscript"
    or TargetProcessCommandLine contains "mshta"
    or TargetProcessCommandLine contains "\\Users\\Public\\"
    or TargetProcessCommandLine contains "\\Windows\\Temp\\"
    or TargetProcessCommandLine contains "\\AppData\\Local\\"
    or TargetProcessCommandLine contains "%temp%"
    or TargetProcessCommandLine contains "%tmp%"
    or TargetProcessCommandLine contains "%ProgramData%"
    or TargetProcessCommandLine contains "%appdata%"
    or TargetProcessCommandLine contains "%comspec%"
    or TargetProcessCommandLine contains "%localappdata%")
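As an added example (not SigmaHQ's code or the feed's own tooling), the following Python re-implements the rule's selection logic so it can be checked offline against constructed process-creation events; the names matches_rule, triage and SAMPLE_EVENTS are chosen here. Matching is case-insensitive, as Sigma string modifiers and KQL `contains` both are.

```python
# Added example: a Python re-implementation of the rule's `selection` block.
# Sigma `contains` and KQL `contains` are case-insensitive, so everything is
# compared on lowercased command lines.

VERB_TOKENS = ("process ", "call ", "create ")  # CommandLine|contains|all

SUSPICIOUS_TOKENS = (                            # CommandLine|contains (any)
    "rundll32", "bitsadmin", "regsvr32",
    "cmd.exe /c ", "cmd.exe /k ", "cmd.exe /r ",
    "cmd /c ", "cmd /k ", "cmd /r ",
    "powershell", "pwsh", "certutil", "cscript", "wscript", "mshta",
    "\\users\\public\\", "\\windows\\temp\\", "\\appdata\\local\\",
    "%temp%", "%tmp%", "%programdata%", "%appdata%", "%comspec%",
    "%localappdata%",
)


def matches_rule(command_line: str) -> bool:
    """Return True when the command line satisfies the rule's `selection`."""
    cl = command_line.lower()
    # The rule inspects CommandLine only; it does not constrain the Image
    # field to wmic.exe, so every process-creation event must be passed in,
    # not just those whose image is WMIC.
    has_all_verbs = all(tok in cl for tok in VERB_TOKENS)
    has_any_suspicious = any(tok in cl for tok in SUSPICIOUS_TOKENS)
    return has_all_verbs and has_any_suspicious


def triage(events: list) -> list:
    """Return the hosts of the events the rule would flag, in input order."""
    return [e["host"] for e in events if matches_rule(e["CommandLine"])]


# Constructed sample events (not real telemetry) covering hits and misses.
SAMPLE_EVENTS = [
    {"host": "ws01",  # listed binary plus a listed path
     "CommandLine": 'wmic process call create "rundll32 C:\\Users\\Public\\x.dll,Run"'},
    {"host": "ws02",  # mixed case must still match
     "CommandLine": 'WMIC PROCESS CALL CREATE "CMD.EXE /C dir"'},
    {"host": "ws03",  # create verb, but no listed binary or path
     "CommandLine": 'wmic process call create "notepad.exe"'},
    {"host": "ws04",  # read-only WMI query, lacks "call " and "create "
     "CommandLine": "wmic process get name,processid"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # ['ws01', 'ws02']
```

Because no Image or ParentImage condition exists in the rule, a hit only tells you the tokens co-occurred on a command line; confirm the parent process during triage.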

Required Data Sources

Sentinel Table    | Notes
imProcessCreate   | Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml