← Back to Explore
sigmamediumHunting
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
Detection Query
selection_img:
- OriginalFileName: wmic.exe
- Image|endswith: \WMIC.exe
selection_cli:
CommandLine|contains|all:
- " service get "
- name,displayname,pathname,startmode
condition: all of selection*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1047
Raw Content
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
- id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
type: similar
- id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
type: similar
status: test
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains|all:
- ' service get '
- 'name,displayname,pathname,startmode'
condition: all of selection*
falsepositives:
- Unknown
level: medium