Splunk Lantern

Wmic.exe launching processes on a remote system

 

WMIC (wmic.exe) is the command-line client for Windows Management Instrumentation (WMI). Ransomware operators have been observed using wmic.exe to reach other hosts over the network and launch processes on them, either to stage the intrusion (copying tools, disabling defenses) or to execute the ransomware itself. This search looks for wmic.exe launched with the parameters that spawn a process on a remote system (/node together with process call create) as evidence of that activity.

Data required 

Endpoint data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting endpoint data that records process activity from your hosts to populate the Processes node of the Endpoint data model. The logs must carry both the process name and the full command line from your endpoints; the command-line arguments are mapped to the "process" field in the Endpoint data model, and the search cannot match on the /node, process, call and create arguments without them.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wmic.exe "Processes.process"="*/node*" "Processes.process"="*process*" "Processes.process"="*call*" "Processes.process"="*create*") BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
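The following Python script is an added example, not code from Splunk Lantern or the Splunk Security Research team. It replays the logic of the search above over a handful of constructed process-creation events so you can see which command lines the WHERE clause admits and which it rejects, and how the BY clause with values(), min() and max() collapses the matches into one row per process name, parent, host and user. The field names mirror the Endpoint.Processes data model; the event records, the helper names is_remote_wmic_spawn and summarize, and the use of UTC for the converted timestamps are assumptions made for this example.

```python
"""Replay of the wmic.exe remote-process-creation search over sample events.

Added example, not code from the original page. Field names follow the
Endpoint.Processes data model; events and helper names are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like Endpoint.Processes records.
# _time is epoch seconds; "process" carries the full command line.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice",
     "process_name": "wmic.exe", "parent_process_name": "cmd.exe",
     "process": 'wmic.exe /node:"fs02" process call create "cmd.exe /c \\\\fs02\\c$\\tmp\\run.bat"'},
    {"_time": 1700000600, "dest": "ws01", "user": "CORP\\alice",
     "process_name": "wmic.exe", "parent_process_name": "cmd.exe",
     "process": 'wmic.exe /node:"fs03" process call create "powershell -enc AAAA"'},
    # Local WMIC use with no /node: must not match.
    {"_time": 1700000700, "dest": "ws02", "user": "CORP\\bob",
     "process_name": "wmic.exe", "parent_process_name": "cmd.exe",
     "process": "wmic.exe process call create notepad.exe"},
    # Remote query that does not create a process: must not match.
    {"_time": 1700000800, "dest": "ws02", "user": "CORP\\bob",
     "process_name": "wmic.exe", "parent_process_name": "powershell.exe",
     "process": "wmic.exe /node:fs02 os get caption"},
    # Different binary with a look-alike command line: must not match.
    {"_time": 1700000900, "dest": "ws03", "user": "CORP\\carol",
     "process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "process": "notepad.exe /node process call create"},
]

# The four "Processes.process" wildcards from the WHERE clause. SPL wildcard
# matching is case-insensitive, so the comparison is done on lower-cased text.
REMOTE_SPAWN_TOKENS = ("/node", "process", "call", "create")


def is_remote_wmic_spawn(event):
    """Equivalent of the tstats WHERE clause: wmic.exe plus all four tokens."""
    if event.get("process_name", "").lower() != "wmic.exe":
        return False
    cmdline = event.get("process", "").lower()
    return all(token in cmdline for token in REMOTE_SPAWN_TOKENS)


def fmt(epoch):
    """Mirror of convert ctime with timeformat %Y-%m-%dT%H:%M:%S.

    Assumption: UTC. Splunk renders ctime in the search head's time zone.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def summarize(events):
    """Equivalent of the BY clause plus values(process), min(_time), max(_time)."""
    groups = defaultdict(lambda: {"process": set(), "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_remote_wmic_spawn(ev):
            continue
        key = (ev["process_name"], ev["parent_process_name"], ev["dest"], ev["user"])
        g = groups[key]
        g["process"].add(ev["process"])
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
    rows = []
    for (pname, parent, dest, user), g in groups.items():
        rows.append({
            "process_name": pname, "parent_process_name": parent,
            "dest": dest, "user": user,
            "process": sorted(g["process"]),          # values(process)
            "firstTime": fmt(g["firstTime"]),         # min(_time), converted
            "lastTime": fmt(g["lastTime"]),           # max(_time), converted
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

Run as-is and the only row reported is the one for CORP\alice on ws01, with both remote command lines collected in the process column; the local process call create, the remote os get query, and the look-alike command line under a different binary all fall outside the WHERE clause, which is the behaviour to expect from the SPL. Note that the wildcard tokens are substring matches, so a remote command line that happens to contain the words "process", "call" and "create" in another context would also match; that is one source of the false positives discussed under Next steps.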

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
| tstats allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=wmic.exe "Processes.process"="*/node*" "Processes.process"="*process*" "Processes.process"="*call*" "Processes.process"="*create*") BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user"
Explanation:
Query the Endpoint.Processes data model object for wmic.exe launched with the parameters that spawn a process on a remote system (/node, process, call and create all present in the command line). Group the results by process name, parent process name, destination host and user, collecting the distinct command lines and the first and last time each combination was seen.

Splunk Search:
| rename "Processes.*" AS "*"
Explanation:
Rename data model fields for better readability.

Splunk Search:
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
Explanation:
Convert these times into readable strings.

Next steps

False positives from this search may occur because wmic.exe is a legitimate, built-in Windows utility. Administrators may use it with these parameters for remote system administration, but that use is relatively uncommon, so review the user, source host and spawned command line of each match before treating it as benign.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. Confirm that recent backups exist for the affected systems and that those backups are intact and reachable only from outside the compromised environment.

Another tactic you may want to search for is attackers using wmic.exe to delete shadow copies.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.