Suspicious WMIC XSL Script Execution
Identifies WMIC application-allowlist bypass techniques by alerting on suspicious script execution: a WMIC process started with a format/stylesheet argument (e.g. `/format:<path or URL>`) that then loads a scripting engine library (jscript.dll or vbscript.dll). When WMIC loads these scripting libraries it may indicate an allowlist bypass via XSL script processing.
# Rule bookkeeping consumed by Elastic's detection-rules tooling. Dates are
# kept as "YYYY/MM/DD" strings rather than native TOML dates (repo convention);
# presumably updated_date is bumped whenever the query or metadata changes.
[metadata]
creation_date = "2020/09/02"
# Fleet integrations whose data streams the rule's `index` list reads
# (logs-endpoint.events.* and logs-windows.sysmon_operational-*).
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"
6
# Detection rule: WMIC XSL script processing (T1220). The rule is a two-step
# EQL sequence — a WMIC start carrying a format/stylesheet argument, followed
# by the same process loading a script engine DLL — so a single WMIC
# invocation with an unusual output format is not enough on its own to alert.
[rule]
author = ["Elastic"]
description = """
Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
libraries it may be indicative of an allowlist bypass.
"""
# Look-back window per rule execution; chosen larger than the sequence's
# 2-minute maxspan so both events of a pair fall inside one run.
from = "now-9m"
# Process and library/image-load events from Elastic Defend and from Sysmon
# (via winlogbeat or the windows integration).
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.library-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMIC XSL Script Execution"
# Medium severity: requiring both events limits noise, but the rule carries no
# false_positives list — any WMIC run with a format argument other than
# `/format:table` that goes on to load jscript.dll/vbscript.dll will match,
# including legitimate administrative use if such formats load a script engine.
risk_score = 47
rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
type = "eql"

# Sequence joined on process.entity_id, both events within 2 minutes:
#   1. A process start that is WMIC by name or by PE original filename (so a
#      renamed copy is still caught) with an argument matching `format*:*`,
#      `/format*:*` or `*-format*:*`. The wildcard after the colon admits any
#      stylesheet reference — a local path or a remote URL. Command lines
#      containing `/format:table` are excluded. NOTE(review): the exclusion
#      covers only the `/format:table` spelling; `-format:table`, which the
#      third args pattern admits, is not excluded — confirm whether intended.
#   2. The same process loading jscript.dll or vbscript.dll, seen either as an
#      ECS `library` event (the Elastic Defend library data stream) or as a
#      process event whose action starts with "Image loaded" (presumably the
#      Sysmon image-load event as shipped by winlogbeat). The `?` on dll.name
#      marks the field optional in EQL, so indices whose mapping lacks it are
#      not rejected; file.name is checked as the alternate field.
# A script-engine load occurring more than 2 minutes after the WMIC start
# falls outside maxspan and is not alerted on.
query = '''
sequence by process.entity_id with maxspan = 2m
[process where host.os.type == "windows" and event.type == "start" and
  (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
  process.args : ("format*:*", "/format*:*", "*-format*:*") and
  not process.command_line : ("* /format:table *", "* /format:table")]
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))]
'''
46
47
# ATT&CK mapping 1/2: the XSL stylesheet abuse itself, filed under Defense
# Evasion (the allowlist bypass this rule is named for).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 2/2: the WMI/WMIC vehicle used to run the script, filed under
# Execution. Both tactics are also listed in the rule's tags.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Microsoft Build Engine Using an Alternate Name
- Network Connection via Registration Utility
- Persistence via Hidden Run Key Detected