Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts.

Sigma rule

title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: test
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
references:
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/20
modified: 2023/02/14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: ' qfe'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
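As an added example (not part of the Sigma project or of this rule page), the rule's detection logic applied in Python to a few constructed process_creation events, following Sigma's case-insensitive string semantics: the list under selection_img is OR-ed, and "all of selection*" requires both selections to hold. The sample events and helper names are assumptions made for illustration.

```python
# Added example: evaluates this page's Sigma rule against constructed
# Windows process_creation events. Sample events and helper names are
# constructed for illustration; they are not from the rule page.

def match_selection_img(event: dict) -> bool:
    """selection_img is a list of maps, which Sigma OR-s together.
    Sigma string matching is case-insensitive, so lower-case both sides."""
    ofn = str(event.get("OriginalFileName", "")).lower()
    image = str(event.get("Image", "")).lower()
    return ofn == "wmic.exe" or image.endswith("\\wmic.exe")

def match_selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains ' qfe'. The leading space keeps
    the match from hitting unrelated substrings such as 'xqfe'."""
    return " qfe" in str(event.get("CommandLine", "")).lower()

def rule_matches(event: dict) -> bool:
    """condition: all of selection* -> every selection must hold."""
    return match_selection_img(event) and match_selection_cli(event)

def evaluate(events: list) -> list:
    """Return the index of every event the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # hotfix enumeration via wmic: should fire
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic qfe list full",
    },
    {   # renamed copy; the PE OriginalFileName still identifies it: should fire
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe QFE get HotFixID",
    },
    {   # wmic doing something else: should not fire
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic process list brief",
    },
    {   # ' qfe' in a non-wmic command line: should not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c type qfe notes.txt",
    },
]
```

Running evaluate(SAMPLE_EVENTS) returns [0, 1]: the fourth event shows why the condition needs both selections, since its command line alone would satisfy selection_cli.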
