Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules

new: Service Startup Type Change Via Wmic.EXE
update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases.

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-01-07T12:21:07.359994Z"
+        }
+      },
+      "EventRecordID": 88958,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4048,
+          "ThreadID": 4748
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-01-07 12:21:07.345",
+      "ProcessGuid": "0197231E-4FB3-695E-9F06-000000000D00",
+      "ProcessId": 7752,
+      "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
+      "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+      "Description": "WMI Commandline Utility",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "wmic.exe",
+      "CommandLine": "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" service where name='vss' call ChangeStartMode Manual",
+      "CurrentDirectory": "C:\\Windows\\System32\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000",
+      "LogonId": "0x1de14",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=0C0A46AAA84E8689D9EE731E6799283B,SHA256=2EF794C4940AFEA56C6D6D3B9BC9E66965BC7333E79C5DCB2DEF3C0E36F0834C,IMPHASH=68F5781FF188454492D1B3FD57484D85",
+      "ParentProcessGuid": "00000000-0000-0000-0000-000000000000",
+      "ParentProcessId": 9300,
+      "ParentImage": "-",
+      "ParentCommandLine": "-",
+      "ParentUser": "-"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml

@@ -0,0 +1,13 @@
+id: 2ade7598-4cca-4bb1-aed5-b69bf64000ce
+description: N/A
+date: 2026-01-07
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: c0514f28-fdae-42df-b886-06e2b2bc5b37
+      title: Service Startup Type Change Via WMIC
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx

rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml

@@ -12,8 +12,10 @@ description: |
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
+    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-14
+modified: 2026-01-07
 tags:
     - attack.execution
     - attack.t1047
@@ -26,7 +28,18 @@ detection:
         - OriginalFileName: 'wmic.exe'
     selection_cli:
         CommandLine|contains: 'service'
-    condition: all of selection_*
+    filter_main_win32_methods:
+        CommandLine|contains:
+            - 'Change'
+            - 'Create'
+            - 'Delete'
+            - 'PauseService'
+            - 'ResumeService'
+            - 'SetSecurityDescriptor'
+            - 'StartService'
+            - 'StopService'
+            - 'UserControlService'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium

rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml

@@ -0,0 +1,33 @@
+title: Service Startup Type Change Via Wmic.EXE
+id: c0514f28-fdae-42df-b886-06e2b2bc5b37
+status: experimental
+description: |
+    Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
+references:
+    - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+    - attack.execution
+    - attack.t1047
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\WMIC.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' service '
+            - 'ChangeStartMode'
+        CommandLine|contains:
+            - 'Manual'
+            - 'Disabled'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml