[New WTFBin]: IBM Storage Insights Data Collector Runs Batch Script with WMIC Process Call Create

mbabinski commented 6 months ago

Contributor Name: Micah Babinski (@mbabinski), William Rotchford
Application/Executable: IBM Storage Insights Data Collector
WTF Behavior Description: The data collector periodically runs a command like: cmd.exe /c wmic process call create "C:\...\datacollectorbin\collectorSrvWatchDog.bat" This may trigger detection rules geared towards T1047: Windows Management Instrumentation which look for wmic.exe being used to covertly spawn processes.
Link to Documentation of Behavior: https://www.ibm.com/support/pages/carbon-black-security-alert-executing-wmicexe
Please provide any images for additional evidence.

mttaggart commented 6 months ago

Hey Micah! Always a pleasure. I'll get this added ASAP.

mttaggart commented 4 months ago

Added in e43b954

mttaggart / wtfbins