Detection rules › Sigma
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1047 Windows Management Instrumentation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\WMIC.exe'
OriginalFileName: wmic.exe
Stage 2: all of selection_cli
CommandLine|contains: ' service get '
CommandLine|contains: 'name,displayname,pathname,startmode'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|