WMIC Unquoted Services Path Lookup - PowerShell
Detects a known WMI reconnaissance method used to look for unquoted service paths, often found in the PowerShell enumeration scripts that pentesters and attackers run on a compromised host.
Sigma rule
title: WMIC Unquoted Services Path Lookup - PowerShell
id: 09658312-bc27-4a3b-91c5-e49ab9046d1b
related:
    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
      type: similar
status: test
description: Detects a known WMI reconnaissance method used to look for unquoted service paths, often found in the PowerShell enumeration scripts that pentesters and attackers run on a compromised host
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2022-11-25
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Get-WmiObject '
            - 'gwmi '
        ScriptBlockText|contains|all:
            - ' Win32_Service '
            - 'Name'
            - 'DisplayName'
            - 'PathName'
            - 'StartMode'
    condition: selection
falsepositives:
    - Unknown
level: medium
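To see what the `selection` block above actually matches, here is an added example (not part of the Sigma rule or of the SigmaHQ project) that re-implements its two modifiers in Python and runs them over a few constructed ScriptBlockText samples. The samples are written here for illustration and are not real telemetry; the first one mirrors the classic unquoted-service-path one-liner found in PowerShell privilege-escalation enumeration scripts. Sigma string matching is case-insensitive by default, which the code reproduces.

```python
"""
Added example: a minimal re-implementation of the rule's `selection` block,
evaluated over constructed PowerShell script block text (the content that
Script Block Logging writes to Event ID 4104).
"""

# Both modifiers sit under the single `selection` key, so they are AND'ed:
#   ScriptBlockText|contains      -> at least one of these substrings present
#   ScriptBlockText|contains|all  -> every one of these substrings present
CONTAINS_ANY = ("Get-WmiObject ", "gwmi ")
CONTAINS_ALL = (" Win32_Service ", "Name", "DisplayName", "PathName", "StartMode")


def matches_rule(script_block_text: str) -> bool:
    """Return True when the text satisfies the rule's selection.

    Sigma compares strings case-insensitively unless the `cased` modifier
    is used, so both the pattern and the event field are lower-cased.
    """
    text = script_block_text.lower()
    any_hit = any(pattern.lower() in text for pattern in CONTAINS_ANY)
    all_hit = all(pattern.lower() in text for pattern in CONTAINS_ALL)
    return any_hit and all_hit


# Constructed sample script blocks (illustrative, not captured from a host).
SAMPLES = {
    # The well-known unquoted-service-path lookup: auto-start services whose
    # binary path is outside C:\Windows and does not begin with a quote.
    "unquoted_path_lookup": (
        "gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode "
        "| Where {$_.StartMode -eq \"Auto\" -and $_.PathName -notlike \"C:\\Windows*\" "
        "-and $_.PathName -notlike '\"*'} | select PathName,DisplayName,Name"
    ),
    # Same recon using the long cmdlet name and different casing.
    "long_cmdlet_mixed_case": (
        "Get-WmiObject -Class win32_service | Where-Object {$_.StartMode -eq 'Auto'} "
        "| Select Name, DisplayName, PathName"
    ),
    # Benign service status query: PathName and StartMode are absent,
    # so `contains|all` fails and the rule stays quiet.
    "benign_status_check": "Get-WmiObject Win32_Service | Select-Object Name, State",
    # Identical recon through CIM instead of WMI: not covered, because the
    # `contains` list only names 'Get-WmiObject ' and 'gwmi '.
    "cim_variant": (
        "Get-CimInstance Win32_Service | Where-Object {$_.StartMode -eq 'Auto'} "
        "| Select Name, DisplayName, PathName"
    ),
}


def evaluate_samples() -> dict:
    """Run the rule over every sample and return {sample_name: matched}."""
    return {name: matches_rule(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

Two things the run makes visible. First, the `'Name'` term in `contains|all` adds nothing, since any text containing `'DisplayName'` or `'PathName'` already contains it. Second, the rule keys on the legacy WMI cmdlets only; the same Win32_Service enumeration via `Get-CimInstance` produces no hit, so an analyst tuning this rule may want a companion selection for the CIM cmdlets. Either way, nothing fires unless Script Block Logging is enabled, as the `logsource` definition states.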
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE