From 180991bc818d8c276fc5fc557125130b9e3667ca Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Tue, 28 Apr 2026 02:28:22 +0545 Subject: [PATCH] Merge PR #5827 from @swachchhanda000 - Update Wmic Service Tampering Rules new: Service Startup Type Change Via Wmic.EXE update: Service Reconnaissance Via Wmic.EXE - Add filters to exclude out legitimate service manipulation cases. --------- Co-authored-by: Nasreddine Bencherchali --- .../c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx | Bin 0 -> 69632 bytes .../c0514f28-fdae-42df-b886-06e2b2bc5b37.json | 66 ++++++++++++++++++ .../info.yml | 13 ++++ .../proc_creation_win_wmic_recon_service.yml | 15 +++- ...eation_win_wmic_service_startup_change.yml | 33 +++++++++ 5 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx new file mode 100644 index 0000000000000000000000000000000000000000..455f0138d54cf343ab5878068625dfce5b1222b4 GIT binary patch literal 69632 zcmeI0e`uXo8ONXZy+3kulY4KnHR^QjZo4|0x}^Da^J86=^d{GIO}4sqRxxbECTZ`Q z+>|D5R|~VK!%c>6e~7~VaERbG#t>v6Ll6dI48|NX@CQ$JkNQ~NyZoEE7gTL+jxah#U;E$OPI9<8$~{JdGz1!f969g zkpdAA0TB=Z5fA|p5CIVo0TB=Z5fFiE5*S~YFQ2TPviPt2t=^ZY3I7z>({7e}{hgPt zsrVWK9Ou+y&-{74*!HwpHe>dWl-XaB>s!qFP=5gbhWMb@o7d>`IL73)9b@wPXC(hZ zRL{DnQ8&NAp3kEEujrp7AKx&>Vx)_GpNqbyAX|aXmpAC4%=KRHG}R?Y4|0KR%`7{7CC!!I|K!eDjvZTKqo z+tSgr-Dek|dBu&003Tgl{SxeoJ^Jp&j2&^KpTk(QkUE3bK|GZ>7!Q9hX?MfeMKqe_ z^A@DP7{xZQxCD5;xFc=%z=3oN5plSHno_nKg?QyW z^s9^=M)L*uZ3!G_!JVQh>qr9o5fq+^H17XS3kIz^re%oE!2r5w7BUVGR}o|C&WqUw z55}E{gV5VMgzR3z{CIz~^^lH0tXs?NL+M-jA;j+5Ah%w?M^7EIP zF@cAj;b+}I-n|pF1Ku>+lKo9{6tl-6xQsipB4e2}Q!8Ej=tu^HPeyEG0QqLiB!V^< zPE5wUzJU-eLvjXzRC9LIX>ArHgVohLA;7Fg$L+6W9H>Qv0*&))B}@gaFyTD?PQuT0XW&k{#&Sr>%x`97oUt}ogBKm`W}?ptY8y(A8y|1w8XoiU5fMKTga79V3+#qAbN}<(F2iAzf)9UpH3h{ek`%)uhcc15zz^L;0PNJiQ-T zpF&7+<2eEQ!yLkBOIs?S%~>`k+Ax>8N}n;vb9-ZCpI-A8WHVlND4HkvMDuJz+|Y^>cxsSeuy{W4P8Q~xuQC%q5=k+#C!H1&!-68Q zO-C%dHO(B#bHNz;@SC$@3Z}g+zBhf&IOA%K>`ksM`7qb&r8f2UBy^o{E2|zINTalA z)99O5}nJWA0>ZaeiW ztbi4^RewLf8~yyYSe^C0>sQgX>$G>PnCkHT=?g~1_BxqtgT3*l5avFD9!X=G36aXX zqqNSHe-Pi3Q61C#Ue^}bPx0P^XSXZEi`Xvw76BP#Np1@)Q(ydaxnpM^4uf4dcJ{j8 zAuHmm4@cQPyzfB$5XSGv(X?bcZvB4nvwI$>{?P46Ih(*ytPGjy4Lihi!-1wBnx?UH zdVLUz7 z2}$ZMMw@uNx_R#8zF%~?nmYWxeC1yCB4iqOJJ#@ISl^*)i2q{446oGVEjWXI%nbFN z?Yvuk$6>Rd`>r*9hp^j>VWeZwycxe^Tk_ilYy4q?M>ejOB4~51aUB)iTIb3B0M4D~ zAi0cp5pv9#3;2ppM%*#(!}{hLSOG_W5-#G4Intlsuh-jKotCEIaq6wYK1S1zUwxpu z?Q(!PH;dmaO+exVWTwER1j~D1We-l71MvH(yNB^T4!;lL8G+OYO5=!_eniALYKKrW zg2)?2%|W{zGn+uaK4=?+zCOrQoXh|;4?uFj>93%E)X9_~H|8GpAHh?`FEtP1JqQ`r 
za6H}|c?9JW`jpYqhc`#)N2v#2{peA_7p>ulwaDqJ0GAHy$GVdHglw_!c=b{GFX)+GWWAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F z0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+ zA|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`H zAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F0wN#+A|L`HAOa#F e0wN#+A|L`HAOa#F0wN#+A|L`HAOipI1pW)$zgeFE literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.json b/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.json new file mode 100644 index 000000000..2722256a2 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.json 
@@ -0,0 +1,66 @@
+{
+ "Event": {
+ "#attributes": {
+ "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+ },
+ "System": {
+ "Provider": {
+ "#attributes": {
+ "Name": "Microsoft-Windows-Sysmon",
+ "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+ }
+ },
+ "EventID": 1,
+ "Version": 5,
+ "Level": 4,
+ "Task": 1,
+ "Opcode": 0,
+ "Keywords": "0x8000000000000000",
+ "TimeCreated": {
+ "#attributes": {
+ "SystemTime": "2026-01-07T12:21:07.359994Z"
+ }
+ },
+ "EventRecordID": 88958,
+ "Correlation": null,
+ "Execution": {
+ "#attributes": {
+ "ProcessID": 4048,
+ "ThreadID": 4748
+ }
+ },
+ "Channel": "Microsoft-Windows-Sysmon/Operational",
+ "Computer": "swachchhanda",
+ "Security": {
+ "#attributes": {
+ "UserID": "S-1-5-18"
+ }
+ }
+ },
+ "EventData": {
+ "RuleName": "-",
+ "UtcTime": "2026-01-07 12:21:07.345",
+ "ProcessGuid": "0197231E-4FB3-695E-9F06-000000000D00",
+ "ProcessId": 7752,
+ "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
+ "FileVersion": "10.0.26100.5074 (WinBuild.160101.0800)",
+ "Description": "WMI Commandline Utility",
+ "Product": "Microsoft® Windows® Operating System",
+ "Company": "Microsoft Corporation",
+ "OriginalFileName": "wmic.exe",
+ "CommandLine": "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" service where name='vss' call ChangeStartMode Manual",
+ "CurrentDirectory": "C:\\Windows\\System32\\",
+ "User": "swachchhanda\\xodih",
+ "LogonGuid": "0197231E-C5A4-695E-14DE-010000000000",
+ "LogonId": "0x1de14",
+ "TerminalSessionId": 1,
+ "IntegrityLevel": "High",
+ "Hashes": "MD5=0C0A46AAA84E8689D9EE731E6799283B,SHA256=2EF794C4940AFEA56C6D6D3B9BC9E66965BC7333E79C5DCB2DEF3C0E36F0834C,IMPHASH=68F5781FF188454492D1B3FD57484D85",
+ "ParentProcessGuid": "00000000-0000-0000-0000-000000000000",
+ "ParentProcessId": 9300,
+ "ParentImage": "-",
+ "ParentCommandLine": "-",
+ "ParentUser": "-"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
new file mode 100644
index 000000000..a9eaa63be
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
@@ -0,0 +1,13 @@
+id: 2ade7598-4cca-4bb1-aed5-b69bf64000ce
+description: N/A
+date: 2026-01-07
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: c0514f28-fdae-42df-b886-06e2b2bc5b37
+ title: Service Startup Type Change Via WMIC
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 1
+ path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/c0514f28-fdae-42df-b886-06e2b2bc5b37.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
index 8ef1f0c7b..d05c2326a 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -12,8 +12,10 @@ description: |
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
+ - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-02-14
+modified: 2026-01-07
 tags:
 - attack.execution
 - attack.t1047
@@ -26,7 +28,18 @@ detection:
 - OriginalFileName: 'wmic.exe'
 selection_cli:
 CommandLine|contains: 'service'
- condition: all of selection_*
+ filter_main_win32_methods:
+ CommandLine|contains:
+ - 'Change'
+ - 'Create'
+ - 'Delete'
+ - 'PauseService'
+ - 'ResumeService'
+ - 'SetSecurityDescriptor'
+ - 'StartService'
+ - 'StopService'
+ - 'UserControlService'
+ condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml b/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml
new file mode 100644
index 000000000..ec0093414
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change.yml
@@ -0,0 +1,33 @@
+title: Service Startup Type Change Via Wmic.EXE
+id: c0514f28-fdae-42df-b886-06e2b2bc5b37
+status: experimental
+description: |
+ Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
+references:
+ - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\WMIC.exe'
+ - OriginalFileName: 'wmic.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' service '
+ - 'ChangeStartMode'
+ CommandLine|contains:
+ - 'Manual'
+ - 'Disabled'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
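Review bot: The `'Change'` entry in `filter_main_win32_methods` is a case-insensitive bare substring, so the exclusion also suppresses genuine reconnaissance whose command line merely contains that text, such as an inventory query against the Exchange services (`wmic service where "name like '%exchange%'" get name,state`); the `'Create'` and `'Delete'` tokens have the same weakness whenever a service or display name happens to contain them. Anchoring the method tokens to the WMIC invocation keeps the intent without the collateral loss, e.g. `- 'call Change'` (which still covers both `Change` and `ChangeStartMode`) and likewise `call PauseService`, `call StartService`, etc. for the other method names. Note also that the companion rule added in this commit only picks up `ChangeStartMode` with Manual/Disabled, so unless another rule already covers `StartService`, `StopService`, `Delete` and the remaining methods listed here, those invocations go from an alert under the old condition to no alert at all; that trade-off deserves a sentence in the description. The `detection` block and its `selection_img` start before this hunk.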
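Review bot: `selection_cli` requires the space-delimited token `' service '`, which only matches the `service` alias form; WMIC also accepts the fully qualified class via `path Win32_Service ... call ChangeStartMode Disabled`, where the substring is `_Service ` rather than ` service `, so that spelling of the same startup-type change is not detected by this rule, while the sibling recon rule's plain `'service'` token does match it. Splitting the class token out of the `|all` list so both spellings are accepted keeps the rest of the logic unchanged; the regression fixture in this commit (`... service where name='vss' call ChangeStartMode Manual`) still matches. If the alias restriction is intentional, a comment on `selection_cli` saying so would save the next reviewer the same question.
```yaml
    selection_cli_class:
        CommandLine|contains:
            - ' service '
            - 'win32_service'
    selection_cli_method:
        CommandLine|contains: 'ChangeStartMode'
    selection_cli_mode:
        CommandLine|contains:
            - 'Manual'
            - 'Disabled'
    condition: all of selection_*
```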