
Summary
This detection rule analyzes PowerShell scripts for Windows Management Instrumentation (WMI) calls that look for unquoted service paths. Unquoted service paths can lead to vulnerabilities, where a malicious user can exploit a valid service whose path contains a space to execute arbitrary code. Enumerating services this way is a common technique used by attackers, and during penetration testing exercises, to survey the services on a Windows machine. The rule specifically looks for the presence of certain keywords within the script block, including 'Get-WmiObject' and 'Win32_Service', as well as common attributes associated with Windows services. Its purpose is to flag potential reconnaissance that might precede privilege escalation.
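As an added example (not the rule's own query), the keyword logic described above applied to constructed PowerShell script block log records. The page does not name the service attributes it matches, so the attribute list below is an assumption.

```python
# Keywords the rule description names: the WMI cmdlet and the service class.
REQUIRED = ("Get-WmiObject", "Win32_Service")
# Assumed attribute names: the page only says "common attributes associated
# with Windows services"; these are Win32_Service properties typically
# selected when enumerating service binary paths.
SERVICE_ATTRIBUTES = ("PathName", "StartMode", "DisplayName", "StartName")


def matches_rule(script_block_text: str) -> bool:
    """True when the script block contains both required keywords and at
    least one service attribute. PowerShell is case-insensitive, so the
    comparison is too."""
    text = script_block_text.lower()
    if not all(k.lower() in text for k in REQUIRED):
        return False
    return any(a.lower() in text for a in SERVICE_ATTRIBUTES)


def triage(events):
    """events: iterable of dicts shaped like script block logging records
    (Event ID 4104) with a 'ScriptBlockText' field.
    Returns the (ScriptBlockId, text) pairs that fire the rule."""
    return [(e["ScriptBlockId"], e["ScriptBlockText"]) for e in events
            if matches_rule(e.get("ScriptBlockText", ""))]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ScriptBlockId": "b1", "ScriptBlockText":
        "Get-WmiObject -Class Win32_Service | Select-Object Name, PathName, StartMode"},
    {"ScriptBlockId": "b2", "ScriptBlockText":
        "Get-Service | Where-Object {$_.Status -eq 'Running'}"},   # routine admin query
    {"ScriptBlockId": "b3", "ScriptBlockText":
        "get-wmiobject win32_service | select pathname"},           # lower-case variant
    {"ScriptBlockId": "b4", "ScriptBlockText":
        "Get-WmiObject Win32_Process | Select-Object ProcessId"},   # WMI, but not services
]

if __name__ == "__main__":
    for block_id, text in triage(SAMPLE_EVENTS):
        print(f"ALERT {block_id}: {text}")
```

Because this is a literal keyword match it inherits the rule's scope: only script blocks that spell out both keywords fire, which is worth keeping in mind when judging coverage.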
Categories
- Windows
- Endpoint
Data Sources
- Script
- Logon Session
- Process
Created: 2022-06-20