Suspicious WMIC XSL Script Execution

Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries, this may indicate an allowlist bypass.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
13libraries it may be indicative of an allowlist bypass.
14"""
15from = "now-9m"
16index = [
17    "winlogbeat-*",
18    "logs-endpoint.events.process-*",
19    "logs-endpoint.events.library-*",
20    "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Suspicious WMIC XSL Script Execution"
25risk_score = 47
26rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Defense Evasion",
33    "Tactic: Execution",
34    "Data Source: Elastic Defend",
35    "Data Source: Sysmon",
36]
37type = "eql"
38
39query = '''
40sequence by process.entity_id with maxspan = 2m
41[process where host.os.type == "windows" and event.type == "start" and
42   (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
43   process.args : ("format*:*", "/format*:*", "*-format*:*") and
44   not process.command_line : ("* /format:table *", "* /format:table")]
45[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
46 (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))]
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1220"
54name = "XSL Script Processing"
55reference = "https://attack.mitre.org/techniques/T1220/"
56
57
58[rule.threat.tactic]
59id = "TA0005"
60name = "Defense Evasion"
61reference = "https://attack.mitre.org/tactics/TA0005/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1047"
66name = "Windows Management Instrumentation"
67reference = "https://attack.mitre.org/techniques/T1047/"
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"
