Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects a known WMI reconnaissance method that looks for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts.
Sigma rule
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
      type: similar
    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
      type: similar
status: test
description: Detects a known WMI reconnaissance method that looks for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts.
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service get '
            - 'name,displayname,pathname,startmode'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search/info.yml
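The rule's two selections can be re-implemented in a few lines to see what they do and do not catch. The following is an added example, not part of the SigmaHQ rule or its regression data: it applies `selection_img` (OriginalFileName or Image suffix) and `selection_cli` (both substrings present) with Sigma's default case-insensitive string matching over constructed process_creation events. The sample events, their `id` labels and the field values are made up for illustration; the cmd.exe one-liner is the well-known `wmic service get ... | findstr` recon chain from the referenced privilege-escalation guide.

```python
# Constructed process_creation events (Sysmon/Sigma field names). Not real telemetry.
SAMPLE_EVENTS = [
    {   # cmd.exe parent carrying the full recon pipeline: the pipe stages run as
        # separate child processes, so this event fails selection_img.
        "id": "cmd-parent",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """',
    },
    {   # the wmic.exe child actually spawned by that pipeline (mixed case on purpose)
        "id": "wmic-child",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic Service GET Name,DisplayName,PathName,StartMode",
    },
    {   # wmic.exe copied and renamed: Image no longer ends in \WMIC.exe,
        # but the PE's OriginalFileName still says wmic.exe
        "id": "wmic-renamed",
        "Image": r"C:\Users\Public\w.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "w.exe service get name,displayname,pathname,startmode",
    },
    {   # same query with the columns reordered: not matched by this rule
        "id": "wmic-reordered",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic service get pathname,name,displayname,startmode",
    },
    {   # unrelated wmic usage
        "id": "wmic-benign",
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic process list brief",
    },
]

# CommandLine|contains|all values copied from the rule
SELECTION_CLI_TOKENS = (" service get ", "name,displayname,pathname,startmode")


def selection_img(event: dict) -> bool:
    """selection_img: OriginalFileName == 'wmic.exe' OR Image ends with '\\WMIC.exe'.
    Sigma string matching is case-insensitive by default, hence the lower()."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original == "wmic.exe" or image.endswith("\\wmic.exe")


def selection_cli(event: dict) -> bool:
    """selection_cli: every token must appear in CommandLine (contains|all)."""
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in SELECTION_CLI_TOKENS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<15} img={selection_img(event)!s:<5} "
              f"cli={selection_cli(event)!s:<5} match={rule_matches(event)}")
```

Two things worth noting from the run: the rule fires on the wmic.exe child, not on the cmd.exe parent that carries the whole `findstr` chain, so parent-process context has to come from the event's ParentCommandLine or a correlation step; and because `selection_cli` requires the literal column list `name,displayname,pathname,startmode`, an operator who reorders or trims the columns is not caught by this rule alone.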
Related rules
- Application Removed Via Wmic.EXE
- Application Termination Attempt via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Potential Process Reconnaissance via Wmic.EXE