Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

Detects a known WMI reconnaissance method that looks for unquoted service paths using wmic. This query is often used by pentester and attacker enumeration scripts.

Sigma rule (View on GitHub)

title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
      type: similar
    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
      type: similar
status: experimental
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/20
modified: 2023/09/11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service get '
            - 'name,displayname,pathname,startmode'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
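As an added illustration (not the rule's or the Sigma project's own code), the small Python matcher below applies this rule's two selections and its `all of selection*` condition to constructed process_creation events. The RULE dictionary and the EVENTS list are assumptions built for this example; the events include a wmic call that is not the recon query, the PowerShell variant covered by the related rule, and a renamed wmic binary that the OriginalFileName selection still catches.

```python
"""Apply the rule's detection block to constructed process_creation events."""
# Mirrors the rule's detection section (constructed for this example).
RULE = {
    "selection_img": [                       # a list of maps is an OR
        {"OriginalFileName": "wmic.exe"},
        {"Image|endswith": "\\WMIC.exe"},
    ],
    "selection_cli": {                       # a map is an AND of its fields
        "CommandLine|contains|all": [" service get ", "name,displayname,pathname,startmode"],
    },
}

def _field_matches(event: dict, key: str, expected) -> bool:
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        hits = [w in value for w in wanted]
    elif "endswith" in mods:
        hits = [value.endswith(w) for w in wanted]
    else:
        hits = [value == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)

def _selection_matches(event: dict, selection) -> bool:
    if isinstance(selection, list):          # any map in the list may match
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def matches(event: dict) -> bool:
    """condition: all of selection* -> every selection_* block must hit."""
    return all(_selection_matches(event, s) for n, s in RULE.items() if n.startswith("selection"))

def detect(events) -> list:
    """Return the ids of events that trigger the rule; detect(EVENTS) -> [1, 4]."""
    return [e["id"] for e in events if matches(e)]

# Constructed sample events, not real telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic service get name,displayname,pathname,startmode"},
    {"id": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic process list brief"},            # wmic, but not the recon query
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",                 # handled by the related PowerShell rule
     "CommandLine": "Get-WmiObject win32_service | select name,displayname,pathname,startmode"},
    {"id": 4, "Image": r"C:\Temp\renamed.exe", "OriginalFileName": "wmic.exe",  # renamed binary
     "CommandLine": "renamed.exe service get name,displayname,pathname,startmode"},
]
```

Because the rule's `falsepositives` entry is `Unknown`, running such a matcher over a baseline of legitimate process_creation telemetry is the quickest way to learn which administrative tooling in a given environment issues the same query.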
