Suspicious WMIC XSL Script Execution
Identifies WMIC application-allowlist bypass techniques (MITRE ATT&CK T1220, XSL Script Processing) by alerting when wmic.exe is started with a `/format` argument and the same process then loads a scripting engine (jscript.dll or vbscript.dll). WMIC has no legitimate need for a script interpreter when rendering its built-in output formats, so such a load may indicate that an attacker-supplied XSL stylesheet carrying script was executed.
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
libraries it may be indicative of an allowlist bypass.
"""
# Look-back window for each scheduled run; the two detection steps themselves
# are bounded by the `maxspan` declared in the query.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMIC XSL Script Execution"
risk_score = 47
rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
type = "eql"

# Detection logic: a two-step sequence joined on process.entity_id, so the library
# load in step 2 must come from the very same WMIC process seen in step 1.
#   1. wmic.exe starts (matched by process.name OR by PE original file name, so a
#      renamed copy of the binary is still caught) with an argument of the form
#      format:<value>, /format:<value> or -format:<value>. Command lines containing
#      " /format:table " (the built-in table stylesheet) are excluded.
#   2. Within 2 minutes that process loads jscript.dll or vbscript.dll -- the
#      script engines an XSL stylesheet with embedded script would pull in (T1220).
# Caveats for operators:
#   - Step 2 relies on image-load telemetry (event.category "library", or process
#     events whose event.action starts with "Image loaded"). Without that data
#     source the sequence never completes and the rule is silent.
#   - The exclusion pattern "* /format:table *" needs a space on BOTH sides of the
#     token, so a command line that ends in /format:table (no trailing space) is
#     still evaluated; confirm whether that asymmetry is intended before tuning.
#   - Wildcard (`:`) comparisons are case-insensitive, so /FORMAT: variants match.
query = '''
sequence by process.entity_id with maxspan = 2m
[process where host.os.type == "windows" and event.type == "start" and
 (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
 process.args : ("format*:*", "/format*:*", "*-format*:*") and
 not process.command_line : "* /format:table *"]
[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))]
'''


# ATT&CK mapping: the technique is XSL Script Processing under Defense Evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1220"
name = "XSL Script Processing"
reference = "https://attack.mitre.org/techniques/T1220/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"