Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts

Sigma rule (View on GitHub)

 1title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
 2id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
 3status: test
 4description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
 5references:
 6    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 7    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-06-20
10modified: 2023-02-14
11tags:
12    - attack.execution
13    - attack.t1047
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - OriginalFileName: 'wmic.exe'
20        - Image|endswith: '\WMIC.exe'
21    selection_cli:
22        CommandLine|contains: ' qfe'
23    condition: all of selection*
24falsepositives:
25    - Unknown
26level: medium

References

Related rules

to-top