Skip to content

Hide Navigation Hide TOC

Registry Manipulation via WMI Stdregprov (c453ab7a-1f5c-4716-a3b4-dea8135fb43a)

Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.

Cluster A Galaxy A Cluster B Galaxy B Level
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Registry Manipulation via WMI Stdregprov (c453ab7a-1f5c-4716-a3b4-dea8135fb43a) Sigma-Rules 1
Registry Manipulation via WMI Stdregprov (c453ab7a-1f5c-4716-a3b4-dea8135fb43a) Sigma-Rules Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Registry Manipulation via WMI Stdregprov (c453ab7a-1f5c-4716-a3b4-dea8135fb43a) Sigma-Rules Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1