Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
Sigma rule

```yaml
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
  - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
    type: similar
  - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
    type: similar
status: experimental
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
  - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
  - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
  - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/20
modified: 2023/09/11
tags:
  - attack.execution
  - attack.t1047
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - OriginalFileName: 'wmic.exe'
    - Image|endswith: '\WMIC.exe'
  selection_cli:
    CommandLine|contains|all:
      - ' service get '
      - 'name,displayname,pathname,startmode'
  condition: all of selection*
falsepositives:
  - Unknown
level: medium
```
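The following is an added example, not part of the rule page or the SigmaHQ project: a small Python evaluator that applies the rule's two selections and its `all of selection*` condition to constructed process_creation events. It shows why the rule keys on `OriginalFileName` as well as `Image` (a renamed copy of wmic.exe still carries the original name in its PE version info) and why the PowerShell variant needs the separate related rule. Sigma string modifiers are case-insensitive by default, so both sides of every comparison are lowercased; the event records and their `_id` values are hypothetical.

```python
"""Minimal evaluator for Sigma rule 68bcd73b-37ef-49cb-95fc-edc809730be6.

Added illustration, not SigmaHQ code. Sigma's default matching is
case-insensitive, so every comparison lowercases both sides.
"""
from typing import Dict, List

# selection_img: a list of maps is OR-ed, so either field match suffices.
IMG_ORIGINAL_FILENAME = "wmic.exe"
IMG_SUFFIX = "\\wmic.exe"          # Image|endswith: '\WMIC.exe'

# selection_cli: CommandLine|contains|all -> every token must be present.
CLI_TOKENS = (" service get ", "name,displayname,pathname,startmode")


def selection_img(event: Dict[str, str]) -> bool:
    """OriginalFileName equals wmic.exe OR Image ends with \\WMIC.exe."""
    ofn = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return ofn == IMG_ORIGINAL_FILENAME or image.endswith(IMG_SUFFIX)


def selection_cli(event: Dict[str, str]) -> bool:
    """All CLI tokens must appear somewhere in the command line."""
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in CLI_TOKENS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection*  (selection_img AND selection_cli)."""
    return selection_img(event) and selection_cli(event)


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the _id of every event the rule would alert on."""
    return [e["_id"] for e in events if matches(e)]


# Constructed sample telemetry (hypothetical values, not real captures).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # straightforward wmic service enumeration -> match
        "_id": "ev1",
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic service get name,displayname,pathname,startmode",
    },
    {   # renamed binary; OriginalFileName still reveals it -> match
        "_id": "ev2",
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svc.exe SERVICE GET Name,DisplayName,PathName,StartMode",
    },
    {   # wmic used for something else -> no match (selection_cli fails)
        "_id": "ev3",
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic process list brief",
    },
    {   # partial property list -> no match (one token missing)
        "_id": "ev4",
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic service get name,pathname",
    },
    {   # PowerShell variant -> no match here; covered by the related rule
        "_id": "ev5",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell Get-WmiObject Win32_Service",
    },
]

if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))  # ['ev1', 'ev2']
```

Run it as a script to see which constructed events trip the rule; to test against your own telemetry, feed `evaluate()` a list of dicts with the same three field names your SIEM maps for process_creation events.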
Related rules
- Application Terminated Via Wmic.EXE
- Suspicious Process Created Via Wmic.EXE
- HackTool - CrackMapExec Execution
- Blue Mockingbird - Registry
- Blue Mockingbird