Techniques
Sample rules
Wmic NonInteractive App Uninstallation
- source: splunk
- technicques:
- T1562.001
- T1562
Description
This analytic indentifies WMIC command-line attempting to uninstall application non-interactively. This technique was seen in IcedID to uninstall AV products on the compromised host to evade detection. This Hunting query maybe a good indicator that some process tries to uninstall application using wmic which is not a common behavior. This approach may seen in some script or third part appication to uninstall their application but it is a good thing to check what it uninstall and why.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe Processes.process="* product *" Processes.process="*where name*" Processes.process="*call uninstall*" Processes.process="*/nointeractive*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wmic_noninteractive_app_uninstallation_filter`