WMIC Antivirus Discovery
Query
DeviceProcessEvents
// Filter only on WMIC executions
| where FileName =~ "WMIC.exe"
// Only serach for AntiVirusProduct lists in the commandline, actual malicious activity could look like cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
| where ProcessCommandLine contains "AntiVirusProduct"
| project TimeGenerated, DeviceName, ActionType, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, InitiatingProcessFileName
// Known Applications to trigger antiviruscheck, would be better to filter on hash but that needs to be done for your environment.
| where not(InitiatingProcessFileName in~('pycharm64.exe', 'pycharm.exe', 'idea64.exe', 'rider64.exe'))About this query
Explanation
This query is designed to detect the use of Windows Management Instrumentation Command-line (WMIC) to discover antivirus software installed on a device. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify instances where WMIC is used to list antivirus products on a device. This is a technique often used by adversaries to understand the security software present on a system.
-
Techniques Involved:
- T1518.001: This involves discovering security software on a system.
- T1047: This involves using Windows Management Instrumentation for executing commands.
-
Query Details:
- The query filters for processes where the executable file is "WMIC.exe".
- It specifically looks for command lines that include "AntiVirusProduct", which indicates an attempt to list antivirus products.
- The query excludes certain known applications (like PyCharm and IntelliJ IDEA) that might also trigger antivirus checks, to reduce false positives. These applications are filtered by their filenames.
-
Output: The query projects (or selects) specific details about the detected events, such as the timestamp, device name, action type, folder path, command lines involved, and the account used.
-
Risk: The use of WMIC to list antivirus solutions can indicate malicious activity, as attackers might use this information to tailor their attacks based on the security software present.
-
Environment: The query is applicable in environments using Microsoft Defender XDR and Microsoft Sentinel for security monitoring.
In summary, this query helps security teams detect potential reconnaissance activities by adversaries trying to understand the security posture of a device by listing installed antivirus products using WMIC.
