Skip to content
Threat Feed
medium advisory

Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

Attackers and pentesters commonly use `wmic.exe` to query Windows service configurations for unquoted paths, a reconnaissance technique that identifies potential privilege escalation opportunities.

Attackers and penetration testers frequently employ wmic.exe as a reconnaissance tool to identify Windows services configured with unquoted executable paths. This technique involves querying service properties like name, displayname, pathname, and startmode using specific wmic commands. The absence of quotes around executable paths in service configurations is a well-known vulnerability (CVE-2017-1014) that can lead to privilege escalation. By dropping a malicious executable in a specific directory within an unquoted path, an attacker can trick the system into executing their code with elevated privileges when the legitimate service starts. This detection focuses on the enumeration phase, allowing defenders to identify attempts to discover these weak configurations before exploitation occurs. Early detection of such reconnaissance is crucial as it indicates an attacker actively seeking to escalate privileges on a compromised system.

Impact

Successful exploitation of an unquoted service path vulnerability, after such reconnaissance, can lead to privilege escalation, allowing an attacker to execute arbitrary code with SYSTEM privileges. This level of access grants full control over the compromised system, enabling further lateral movement, data exfiltration, or the deployment of additional malicious payloads such as ransomware. Organizations that rely on Windows services for critical operations are particularly vulnerable, as compromise of these services can lead to severe operational disruption and data loss.

Recommendation

  • Deploy the Sigma rule "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" to your SIEM solution to detect attacker enumeration for privilege escalation.
  • Ensure process creation logging, especially for wmic.exe, is enabled and properly configured on all Windows endpoints to provide the necessary telemetry for this rule.
  • Regularly audit Windows service configurations for unquoted paths and remediate them by ensuring all service executable paths are properly enclosed in double quotes.

Detection coverage 1

Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

medium

Detects attacker enumeration for unquoted service paths using wmic.exe, a common reconnaissance step for privilege escalation.

sigma tactics: discovery, execution techniques: T1047, T1082 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →