WMIC Unquoted Services Path Lookup - PowerShell

Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts

Sigma rule (View on GitHub)

 1title: WMIC Unquoted Services Path Lookup - PowerShell
 2id: 09658312-bc27-4a3b-91c5-e49ab9046d1b
 3related:
 4    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
 5      type: similar
 6status: test
 7description: Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
 8references:
 9    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
10    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
11    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/06/20
14modified: 2022/11/25
15tags:
16    - attack.execution
17    - attack.t1047
18logsource:
19    product: windows
20    category: ps_script
21    definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23    selection:
24        ScriptBlockText|contains:
25            - 'Get-WmiObject '
26            - 'gwmi '
27        ScriptBlockText|contains|all:
28            - ' Win32_Service '
29            - 'Name'
30            - 'DisplayName'
31            - 'PathName'
32            - 'StartMode'
33    condition: selection
34falsepositives:
35    - Unknown
36level: medium

References

Related rules

to-top