Sigma | medium | Hunting

Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts

MITRE ATT&CK

execution

Detection Query

selection_img:
  - OriginalFileName: wmic.exe
  - Image|endswith: \WMIC.exe
selection_cli:
  CommandLine|contains: " qfe"
condition: all of selection*
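The rule above, evaluated in code: this is an added example, not part of the Sigma rule or the SigmaHQ project, and it implements the rule's three clauses (the OR inside selection_img, the substring test in selection_cli, and the AND from "all of selection*") over constructed process-creation events. It assumes Sigma's default case-insensitive string matching and Sysmon-style field names; the sample events are made up for illustration.

```python
# Added example (not the rule's own code): a minimal evaluator for this rule's
# detection block, run over constructed Windows process-creation events.
# Sigma string matching is case-insensitive; "all of selection*" means every
# selection_* block must match.
from typing import Dict, List

RULE_ID = "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45"  # id from the rule


def selection_img(event: Dict[str, str]) -> bool:
    # A list under selection_img is an OR: PE OriginalFileName OR image path tail.
    # OriginalFileName still matches when the binary has been renamed on disk.
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original == "wmic.exe" or image.endswith("\\wmic.exe")


def selection_cli(event: Dict[str, str]) -> bool:
    # The leading space in ' qfe' requires qfe as a separate argument token.
    return " qfe" in event.get("CommandLine", "").lower()


def matches(event: Dict[str, str]) -> bool:
    # condition: all of selection*  ->  selection_img AND selection_cli
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry); Sysmon EID 1 style field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic qfe list full"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic  QFE get HotFixID,InstalledOn"},   # mixed case, extra space
    {"Image": r"C:\Temp\w.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "w.exe qfe list"},                        # renamed copy, caught by OriginalFileName
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get Caption"},                   # WMIC, but not hotfix enumeration
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo qfe"},                       # ' qfe' present, but not WMIC
]


def hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events the rule fires on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cl in hits(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] match: {cl}")
```

The first three constructed events fire and the last two do not, which shows why the rule needs both selections rather than the command-line substring alone.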

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-06-20

Data Sources

windows / Process Creation Events

Platforms

windows

Tags

attack.execution, attack.t1047

Raw Content
title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: test
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
references:
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains: ' qfe'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium