WMIC Unquoted Services Path Lookup - PowerShell

Sigma Rules

Summary
This detection rule analyzes PowerShell script block logs for Windows Management Instrumentation (WMI) queries that enumerate services in the way an unquoted service path hunt does. A service whose binary path (PathName) contains a space and is not enclosed in quotes is vulnerable: when the service starts, Windows tries each space-delimited prefix of the path in turn (for example C:\Program.exe before C:\Program Files\Vendor Tools\agent.exe), so an attacker who can write to one of those directories can plant a binary that the Service Control Manager runs with the service's privileges, often SYSTEM. Enumerating services for such paths is a standard step for penetration testers and attackers alike. The rule looks for 'Get-WmiObject' and 'Win32_Service' appearing together in a single script block along with the service attributes such queries typically select (Win32_Service properties such as PathName and StartMode). Its purpose is to flag reconnaissance that commonly precedes local privilege escalation. Vulnerability scanners and hardening scripts run the same query, so expect to baseline or allowlist those hosts rather than treat every hit as hostile.
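As an added example (not the rule's own content or code from the Sigma project), the following Python shows the keyword check described above applied to constructed script blocks, and alongside it the actual unquoted-path test the attacker's query performs, run over constructed service records. The keyword set REQUIRED_ALL / SERVICE_ATTRIBUTES is an assumption approximating the rule; the script blocks and service records are constructed for illustration.

```python
import re
from typing import Dict, List

# Assumption: keyword set approximating the rule described above. The page names
# only 'Get-WmiObject' and 'Win32_Service' plus "common service attributes";
# the real Sigma selection may differ.
REQUIRED_ALL = ("get-wmiobject", "win32_service")
SERVICE_ATTRIBUTES = ("pathname", "startmode", "displayname", "localsystem")

# Constructed script blocks (as they would appear in ScriptBlockText of a
# PowerShell script block log). Only the first resembles an unquoted-path hunt.
SAMPLE_SCRIPT_BLOCKS = [
    'Get-WmiObject -Class Win32_Service | Select-Object Name,DisplayName,PathName,StartMode '
    '| Where-Object { $_.StartMode -eq "Auto" -and $_.PathName -notmatch \'"\' -and $_.PathName -match " " }',
    'Get-Service -Name Spooler | Restart-Service',
    'Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption',
]

# Constructed service records shaped like Win32_Service output.
SAMPLE_SERVICES = [
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe", "StartMode": "Auto"},
    {"Name": "VendorAgent", "PathName": r"C:\Program Files\Vendor Tools\agent.exe -service", "StartMode": "Auto"},
    {"Name": "QuotedAgent", "PathName": r'"C:\Program Files\Other\svc.exe" -run', "StartMode": "Auto"},
    {"Name": "ManualThing", "PathName": r"C:\Program Files\Manual Thing\m.exe", "StartMode": "Manual"},
]


def is_unquoted_path_lookup(script_block: str) -> bool:
    """Detection side: does this script block look like a WMI service enumeration
    of the kind used to hunt for unquoted service paths?"""
    text = script_block.lower()
    if not all(kw in text for kw in REQUIRED_ALL):
        return False
    return any(attr in text for attr in SERVICE_ATTRIBUTES)


def executable_part(path_name: str) -> str:
    """Strip service arguments: keep everything up to the first '.exe' token."""
    m = re.match(r"(?i)^(.*?\.exe)(?:\s|$)", path_name.strip())
    return m.group(1) if m else path_name.strip()


def candidate_binaries(path_name: str) -> List[str]:
    """Paths Windows tries, in order, for an unquoted command line: each
    space-delimited prefix, with .exe appended when no extension is present."""
    tokens = executable_part(path_name).split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        out.append(prefix)
    return out


def is_unquoted_service_path(path_name: str) -> bool:
    """Attacker/auditor side: unquoted, contains a space, and not under the
    Windows directory (excluded here as the classic wmic one-liner does,
    since standard users cannot write there)."""
    p = path_name.strip()
    if not p or p[0] in "\"'":
        return False
    exe = executable_part(p)
    if exe.lower().startswith(("c:\\windows\\", "%systemroot%")):
        return False
    return " " in exe


def find_unquoted_service_paths(services: List[Dict[str, str]], auto_only: bool = True) -> List[str]:
    """Names of services with an exploitable-looking PathName; by default only
    auto-start services, which run without attacker interaction at boot."""
    hits = []
    for svc in services:
        if auto_only and svc.get("StartMode", "").lower() != "auto":
            continue
        if is_unquoted_service_path(svc["PathName"]):
            hits.append(svc["Name"])
    return hits


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(is_unquoted_path_lookup(block), block[:60])
    for name in find_unquoted_service_paths(SAMPLE_SERVICES):
        svc = next(s for s in SAMPLE_SERVICES if s["Name"] == name)
        print(name, "->", candidate_binaries(svc["PathName"]))
```

The candidate_binaries output is the practical reason the rule matters: each listed prefix is a location where a writable directory turns the enumeration into code execution as the service account.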
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • Logon Session
  • Process
Created: 2022-06-20