Potential Tampering With Security Products Via WMIC
About the rule
Rule Type
Standard
Rule Description
Detects uninstallation or termination of security products using the WMIC utility
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started"
  AND (
    (COMMANDLINE contains "wmic" AND COMMANDLINE contains "product where " AND COMMANDLINE contains "call" AND COMMANDLINE contains "uninstall" AND COMMANDLINE contains "/nointeractive")
    OR ((COMMANDLINE contains "wmic" AND COMMANDLINE contains "caption like ") AND COMMANDLINE contains "call delete,call terminate")
    OR (COMMANDLINE contains "process " AND COMMANDLINE contains "where " AND COMMANDLINE contains "delete")
  )
  AND (
    COMMANDLINE contains "%carbon%,%cylance%,%endpoint%,%eset%,%malware%,%Sophos%,%symantec%,Antivirus,AVG ,Carbon Black,CarbonBlack,Cb Defense Sensor 64-bit,Crowdstrike Sensor,Cylance ,Dell Threat Defense,DLP Endpoint,Endpoint Detection,Endpoint Protection,Endpoint Security"
    OR COMMANDLINE contains "Endpoint Sensor,ESET File Security,LogRhythm System Monitor Service,Malwarebytes,McAfee Agent,Microsoft Security Client,Sophos Anti-Virus,Sophos AutoUpdate,Sophos Credential Store,Sophos Management Console,Sophos Management Database,Sophos Management Server,Sophos Remote Management System,Sophos Update Manager,Threat Protection,VirusScan,Webroot SecureAnywhere,Windows Defender"
  )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
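The following is an added example, not part of this rule page and not code from the rule's authors: a small offline re-implementation of the Criteria above in Python, run over a handful of constructed process-creation records, so the two-part structure of the rule (a WMIC uninstall/terminate pattern AND a security-product name) can be tested without a SIEM. It assumes case-insensitive substring matching (the behaviour of Sigma's `contains` modifier), treats the comma-separated strings in the Criteria as lists of alternative product names, and uses a hypothetical event shape with the field names the rule selects.

```python
"""Offline check of the 'Potential Tampering With Security Products Via WMIC'
criteria. Added example; the event records below are constructed, not real logs."""

# Command-line fragments from the Criteria, grouped the way the rule groups them.
UNINSTALL_PRODUCT = ("wmic", "product where ", "call", "uninstall", "/nointeractive")
CAPTION_BASE = ("wmic", "caption like ")
CAPTION_ACTIONS = ("call delete", "call terminate")   # either one suffices
PROCESS_DELETE = ("process ", "where ", "delete")

# Product names from the Criteria; assumed to be alternatives (any one matches).
SECURITY_PRODUCTS = (
    "%carbon%", "%cylance%", "%endpoint%", "%eset%", "%malware%", "%Sophos%",
    "%symantec%", "Antivirus", "AVG ", "Carbon Black", "CarbonBlack",
    "Cb Defense Sensor 64-bit", "Crowdstrike Sensor", "Cylance ",
    "Dell Threat Defense", "DLP Endpoint", "Endpoint Detection",
    "Endpoint Protection", "Endpoint Security", "Endpoint Sensor",
    "ESET File Security", "LogRhythm System Monitor Service", "Malwarebytes",
    "McAfee Agent", "Microsoft Security Client", "Sophos Anti-Virus",
    "Sophos AutoUpdate", "Sophos Credential Store", "Sophos Management Console",
    "Sophos Management Database", "Sophos Management Server",
    "Sophos Remote Management System", "Sophos Update Manager",
    "Threat Protection", "VirusScan", "Webroot SecureAnywhere", "Windows Defender",
)


def _all(cl: str, needles) -> bool:
    """True if every fragment occurs in the lower-cased command line."""
    return all(n.lower() in cl for n in needles)


def _any(cl: str, needles) -> bool:
    """True if at least one fragment occurs in the lower-cased command line."""
    return any(n.lower() in cl for n in needles)


def matches_rule(commandline: str) -> bool:
    """Evaluate the Criteria against one command line (case-insensitive, assumed)."""
    cl = commandline.lower()
    wmic_action = (
        _all(cl, UNINSTALL_PRODUCT)
        or (_all(cl, CAPTION_BASE) and _any(cl, CAPTION_ACTIONS))
        or _all(cl, PROCESS_DELETE)
    )
    # Both halves must hold: a removal/termination pattern AND a security product name.
    return wmic_action and _any(cl, SECURITY_PRODUCTS)


def triage(events):
    """Return the alert records (fields the rule selects) for matching events."""
    keep = ("HOSTNAME", "COMMANDLINE", "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")
    return [
        {k: e.get(k) for k in keep}
        for e in events
        if e.get("actionname") == "Process started" and matches_rule(e.get("COMMANDLINE", ""))
    ]


# Constructed sample events (hypothetical hosts and users) covering each branch
# of the Criteria plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "ws-01", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "wmic.exe", "PARENTPROCESSNAME": "cmd.exe",
     "COMMANDLINE": "wmic product where \"name like '%Sophos%'\" call uninstall /nointeractive"},
    {"actionname": "Process started", "HOSTNAME": "ws-02", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "wmic.exe", "PARENTPROCESSNAME": "powershell.exe",
     "COMMANDLINE": "wmic product where name=\"Sophos Anti-Virus\" call uninstall /nointeractive"},
    {"actionname": "Process started", "HOSTNAME": "srv-03", "USERNAME": "CORP\\svc",
     "PROCESSNAME": "wmic.exe", "PARENTPROCESSNAME": "cmd.exe",
     "COMMANDLINE": "wmic process where \"caption like '%cylance%'\" call terminate"},
    # Benign: a WMIC uninstall of a product not on the list does not match.
    {"actionname": "Process started", "HOSTNAME": "ws-04", "USERNAME": "CORP\\admin",
     "PROCESSNAME": "wmic.exe", "PARENTPROCESSNAME": "cmd.exe",
     "COMMANDLINE": "wmic product where name=\"7-Zip\" call uninstall /nointeractive"},
    # Benign: a product name without any WMIC removal pattern does not match.
    {"actionname": "Process started", "HOSTNAME": "ws-05", "USERNAME": "CORP\\admin",
     "PROCESSNAME": "powershell.exe", "PARENTPROCESSNAME": "explorer.exe",
     "COMMANDLINE": "powershell Get-Service -DisplayName \"Windows Defender*\""},
    # Benign: process deletion of an unrelated process does not match.
    {"actionname": "Process started", "HOSTNAME": "ws-06", "USERNAME": "CORP\\admin",
     "PROCESSNAME": "wmic.exe", "PARENTPROCESSNAME": "cmd.exe",
     "COMMANDLINE": "wmic process where name=\"notepad.exe\" delete"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["USERNAME"], alert["COMMANDLINE"])
```

The three benign records show why the product-name list is ANDed with the WMIC pattern rather than alerting on `product ... call uninstall` alone: routine software removal (ws-04) and ordinary queries mentioning a product name (ws-05) stay quiet. The flip side is that a product whose name is absent from the list is not covered, so the list is the part of this rule to extend for an environment's own EDR or AV.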
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)