Registry Manipulation via WMI Stdregprov

Rule Info

Name: Registry Manipulation via WMI Stdregprov
Author: Daniel Koifman (KoifSec)
Description: Detects the use of wmic.exe to manipulate the Windows registry through the WMI StdRegProv class. This behaviour is potentially suspicious because it modifies registry keys through an alternative path rather than the standard registry tools such as reg.exe or regedit.exe. Attackers deliberately choose this technique to evade detection and to bypass security monitoring that focuses on the traditional registry modification commands.
Date: 2025-07-30 00:00:00
Modified: None
Id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
Tags: attack.persistence attack.execution attack.discovery attack.defense-impairment attack.t1047 attack.t1112 attack.t1012
Type: Community Rule

Rule History

Author                   | Title                                                                     | Date       | Commit
Nasreddine Bencherchali  | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19       | 2026-04-29 |
phantinuss               | chore: ci: bump validator version (#5722)                                 | 2025-10-23 |
Koifman                  | Merge PR #5567 from @ Koifman - Registry Manipulation via WMI Stdregprov  | 2025-09-22 |