Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag (the alias for the Win32_QuickFixEngineering class) in order to obtain information about the hotfix updates installed on the system. This is commonly used by pentester and attacker enumeration scripts such as winPEAS.
Sigma rule
title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: test
description: Detects the execution of wmic with the "qfe" flag (the alias for the Win32_QuickFixEngineering class) in order to obtain information about the hotfix updates installed on the system. This is commonly used by pentester and attacker enumeration scripts such as winPEAS.
references:
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: ' qfe'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
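To make the matching behaviour of the rule concrete, the following is an added Python re-implementation of its detection logic (it is not part of the Sigma rule or of the Sigma project's code) run over a handful of constructed process_creation events. It mirrors the rule exactly: selection_img is the OR of the OriginalFileName and Image checks, selection_cli is the substring check, and the condition ANDs the two; all comparisons are case-insensitive, as Sigma string matching is by default. The field names follow Sysmon Event ID 1 and the sample events, including the file paths and command lines, are made up for the example.

```python
from typing import Dict, Iterable, List

# Literal values taken from the rule above.
ORIGINAL_FILE_NAME = "wmic.exe"   # selection_img: OriginalFileName
IMAGE_SUFFIX = "\\WMIC.exe"       # selection_img: Image|endswith
CLI_NEEDLE = " qfe"               # selection_cli: CommandLine|contains


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img is a list, so either alternative is enough (OR).
    Sigma matching is case-insensitive unless the 'cased' modifier is used."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original == ORIGINAL_FILE_NAME.lower() or image.endswith(IMAGE_SUFFIX.lower())


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains: ' qfe' - note the leading space."""
    return CLI_NEEDLE.lower() in event.get("CommandLine", "").lower()


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection*  (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


def run(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the labels of the events the rule would alert on."""
    return [e["label"] for e in events if matches(e)]


# Constructed sample events (not real telemetry). OriginalFileName is the value
# Sysmon reads from the PE version resource, so it survives renaming the binary.
SAMPLE_EVENTS = [
    {"label": "winpeas-style",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic qfe get Caption,Description,HotFixID,InstalledOn"},
    {"label": "renamed-binary",  # copied/renamed wmic.exe: caught via OriginalFileName
     "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "svc.exe qfe list brief"},
    {"label": "uppercase",  # case differences do not evade Sigma's default matching
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "WMIC QFE LIST"},
    {"label": "benign-os",  # wmic, but a different alias: selection_cli fails
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get Caption"},
    {"label": "class-name",  # same data via the class name: no ' qfe' substring, not matched
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic path Win32_QuickFixEngineering get HotFixID"},
    {"label": "not-wmic",  # ' qfe' present, but selection_img fails: no alert
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo qfe"},
]


if __name__ == "__main__":
    for label in run(SAMPLE_EVENTS):
        print("ALERT:", label)
```

The two non-matching wmic events are the ones worth noting when tuning: the rule keys on the `qfe` alias, so the equivalent query written against the `Win32_QuickFixEngineering` class name (as well as non-wmic ways of listing hotfixes) falls outside its scope, while a renamed wmic binary is still caught because OriginalFileName comes from the file's version resource rather than its path.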
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE