Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Sigma rule
title: Service Started/Stopped Via Wmic.EXE
id: 0b7163dc-7eee-4960-af17-c0cd517f92da
status: test
description: Detects usage of wmic to start or stop a service
references:
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - ' call '
        CommandLine|contains:
            - 'stopservice'
            - 'startservice'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
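To show how the two selections combine under `all of selection_*`, here is an added Python example (not part of the Sigma project or this rule page) that re-implements the rule's matching logic and runs it over constructed process_creation events. It assumes Sigma's default case-insensitive string matching and the Sysmon-style field names the rule references (Image, OriginalFileName, CommandLine).

```python
# Sigma string matching is case-insensitive by default; these helpers
# mirror the modifiers used in the rule (endswith, contains, contains|all).
def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return needle.lower() in value.lower()

def matches_rule(event):
    """Return True when a process_creation event satisfies
    'all of selection_*' from the rule above."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    cmdline = event.get("CommandLine", "")

    # selection_img is a list of maps: OR between the two entries
    selection_img = (original.lower() == "wmic.exe"
                     or _endswith(image, "\\WMIC.exe"))

    # selection_cli is one map: AND between its keys;
    # contains|all requires every value, contains requires any value
    selection_cli = (all(_contains(cmdline, s) for s in (" service ", " call "))
                     and any(_contains(cmdline, s) for s in ("stopservice", "startservice")))

    return selection_img and selection_cli

# Constructed sample events (not real telemetry), in rule field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic service where name="Spooler" call stopservice'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "WMIC SERVICE WHERE caption='Example Svc' CALL STARTSERVICE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic service get name,state"},   # enumeration only: no ' call '
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc stop Spooler"},               # different binary: out of scope
    {"Image": r"C:\Tools\copy.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'copy service where name="Spooler" call stopservice'},  # caught via OriginalFileName
]

def evaluate(events=SAMPLE_EVENTS):
    """Evaluate the rule over a list of events; returns one bool per event."""
    return [matches_rule(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "      ", e["CommandLine"])
```

The third and fourth events show the two gaps by design: the rule needs both `service` and `call` on the command line, and it does not cover other service-control tools.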
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE