Windows Hotfix Updates Reconnaissance Via Wmic.EXE

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1047` Windows Management Instrumentation

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\WMIC.exe'
OriginalFileName: wmic.exe

Stage 2: `all of selection_cli`

CommandLine|contains: ' qfe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`qfe`
`Image`	ends_with	`\WMIC.exe` corpus 12 (sigma 12)
`OriginalFileName`	eq	`wmic.exe` corpus 33 (sigma 33)