Suspicious Autorun Registry Modified via WMI
- source: sigma
- techniques:
- t1047
- t1547
- t1547.001
Description
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Detection logic
condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
selection_execution_cmd:
    CommandLine|contains:
        - '\Software\Microsoft\Windows\CurrentVersion\Run'
        - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    CommandLine|contains|all:
        - 'reg'
        - ' add '
selection_execution_img:
    - Image|endswith: '\wmic.exe'
    - OriginalFileName: 'wmic.exe'
    - ParentImage|endswith: '\wmiprvse.exe'
selection_suspicious_paths_1:
    CommandLine|contains:
        - ':\Perflogs'
        - ':\ProgramData'
        - ':\Windows\Temp'
        - ':\Temp'
        - '\AppData\Local\Temp'
        - '\AppData\Roaming'
        - ':\$Recycle.bin'
        - ':\Users\Default'
        - ':\Users\public'
        - '%temp%'
        - '%tmp%'
        - '%Public%'
        - '%AppData%'
selection_suspicious_paths_user_1:
    CommandLine|contains: ':\Users\'
selection_suspicious_paths_user_2:
    CommandLine|contains:
        - '\Favorites'
        - '\Favourites'
        - '\Contacts'
        - '\Music'
        - '\Pictures'
        - '\Documents'
        - '\Photos'
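As an added illustration that is not part of the rule or this page, the following Python evaluator applies the condition above to constructed process-creation events, showing which the rule flags (a payload under AppData or a user profile folder) and which it does not (a vendor install path, or the same registry change made directly through reg.exe rather than via WMIC). The event field names follow Sysmon process-creation events; the sample events are constructed, not real telemetry.

```python
# Added example, not the rule's or the page's own code: a minimal evaluator for this
# rule's condition, run over constructed (not real) process-creation events.
# Sigma string matching is case-insensitive by default; the evaluator mirrors that.
RUN_KEYS = [
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
]
SUSP_PATHS_1 = [":\\Perflogs", ":\\ProgramData", ":\\Windows\\Temp", ":\\Temp",
                "\\AppData\\Local\\Temp", "\\AppData\\Roaming", ":\\$Recycle.bin",
                ":\\Users\\Default", ":\\Users\\public", "%temp%", "%tmp%",
                "%Public%", "%AppData%"]
USER_DIRS = ["\\Favorites", "\\Favourites", "\\Contacts", "\\Music",
             "\\Pictures", "\\Documents", "\\Photos"]

def contains_any(value, needles):
    """Sigma 'contains' over a list: any needle is a substring, case-insensitively."""
    value = value.lower()
    return any(n.lower() in value for n in needles)

def matches(event):
    """all of selection_execution_* and (paths_1 or all of paths_user_*)."""
    cmd = event.get("CommandLine", "")
    # selection_execution_cmd: a Run key AND both 'reg' and ' add ' (contains|all)
    exec_cmd = contains_any(cmd, RUN_KEYS) and all(
        contains_any(cmd, [tok]) for tok in ("reg", " add "))
    # selection_execution_img is a list of maps, so any single entry suffices (OR)
    exec_img = (event.get("Image", "").lower().endswith("\\wmic.exe")
                or event.get("OriginalFileName", "").lower() == "wmic.exe"
                or event.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"))
    # selection_suspicious_paths_user_1 AND _2: under \Users\ plus a profile subfolder
    user_paths = contains_any(cmd, [":\\Users\\"]) and contains_any(cmd, USER_DIRS)
    return exec_cmd and exec_img and (contains_any(cmd, SUSP_PATHS_1) or user_paths)

WMIC, CMD = "C:\\Windows\\System32\\wbem\\WMIC.exe", "C:\\Windows\\System32\\cmd.exe"
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
EVENTS = [
    # payload in AppData\Roaming: hits selection_suspicious_paths_1
    {"Image": WMIC, "OriginalFileName": "wmic.exe", "ParentImage": CMD, "CommandLine":
     f'wmic process call create "reg add {RUN} /v u /d C:\\Users\\bob\\AppData\\Roaming\\u.exe"'},
    # payload in a profile folder: hits both selection_suspicious_paths_user_* parts
    {"Image": WMIC, "OriginalFileName": "wmic.exe", "ParentImage": CMD, "CommandLine":
     f'wmic process call create "reg add {RUN} /v d /d C:\\Users\\bob\\Documents\\d.exe"'},
    # benign-looking install path: no suspicious path, so no match
    {"Image": WMIC, "OriginalFileName": "wmic.exe", "ParentImage": CMD, "CommandLine":
     f'wmic process call create "reg add {RUN} /v a /d C:\\Program Files\\Vendor\\a.exe"'},
    # same registry change run directly through reg.exe: outside this rule's scope
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": CMD, "CommandLine": f"reg add {RUN} /v u /d C:\\Users\\bob\\AppData\\Roaming\\u.exe"},
]
```

The fourth event is the gap to keep in mind: a direct reg.exe autorun write is not covered by this rule and needs a separate detection.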