From 9b1a98794beafbe76fb484a087c4835cfcffcd4b Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Sun, 15 Sep 2024 19:31:17 +0300 Subject: [PATCH] Update Wmic.yml (#355) --- yml/OSBinaries/Wmic.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/OSBinaries/Wmic.yml b/yml/OSBinaries/Wmic.yml index d976bff..8c1a996 100644 --- a/yml/OSBinaries/Wmic.yml +++ b/yml/OSBinaries/Wmic.yml @@ -41,6 +41,13 @@ Commands: OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Tags: - Execute: WSH + - Command: wmic.exe datafile where "Name='C:\\windows\\system32\\calc.exe'" call Copy "C:\\users\\public\\calc.exe" + Description: Copy file from source to destination. + Usecase: Copy file. + Category: Copy + Privileges: User + MitreID: T1105 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\wbem\wmic.exe - Path: C:\Windows\SysWOW64\wbem\wmic.exe @@ -60,6 +67,7 @@ Detection: - IOC: Wmic retrieving scripts from remote system/Internet location - IOC: DotNet CLR libraries loaded into wmic.exe - IOC: DotNet CLR Usage Log - wmic.exe.log + - IOC: wmiprvse.exe writing files Resources: - Link: https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory - Link: https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html @@ -67,3 +75,5 @@ Resources: Acknowledgement: - Person: Casey Smith Handle: '@subtee' + - Person: Avihay Eldad + Handle: '@AvihayEldad'
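Review bot: the new `- Command:` entry in the first hunk (the `wmic.exe datafile where ... call Copy ...` block) has no `Tags:` key, while the neighbouring command in the visible context carries one (`Tags: - Execute: WSH`); either add a `Tags:` block for the copy primitive or confirm the schema allows the key to be omitted. The `Description` and `Usecase` are also bare ("Copy file from source to destination.", "Copy file."); the defender-relevant detail worth stating is that this goes through the WMI datafile class, so the copy is carried out by the WMI provider host rather than by `wmic.exe` itself, which is what makes the IOC added in the second hunk necessary. Finally, `MitreID: T1105` is Ingress Tool Transfer, which covers moving tools onto a system from outside; the example here is a purely local copy, so either note in the description that the same call works against a remote or UNC source, or pick the technique ID that matches a local copy.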
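Review bot: the IOC added in the second hunk, `- IOC: wmiprvse.exe writing files`, is too broad to act on as written, since the WMI provider host writes files during ordinary WMI activity; qualify it with what the first hunk actually shows, for example file creation by `wmiprvse.exe` of executable types or into user-writable locations such as `C:\users\public`, and point out that the write is attributed to `wmiprvse.exe`, not `wmic.exe`, so file-creation telemetry keyed on the `wmic.exe` process name will miss this copy. A short pointer from this IOC back to the datafile `call Copy` command would help readers connect the two hunks.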