Skip to content

Added AntiSpywareProduct class enumeration #5234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Apr 16, 2025
+12 −5
Merged

Added AntiSpywareProduct class enumeration #5234

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9d9912f
added AntiSpywareProduct class enumeration
swachchhanda000 Mar 17, 2025
4569248
fixed a spelling
swachchhanda000 Mar 17, 2025
997db00
added an example
swachchhanda000 Mar 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 12 additions & 5 deletions rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,22 @@
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
description: |
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2023-03-07
modified: 2025-03-17
tags:
- attack.execution
- attack.t1047
- car.2016-03-002
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
Expand All @@ -20,10 +25,12 @@ detection:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
# Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
CommandLine|contains:
- 'AntiVirusProduct'
- 'AntiSpywareProduct'
- 'FirewallProduct'
condition: all of selection_*
falsepositives:
- Unknown
- Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium
Loading