Suspicious WMIC XSL Script Execution

  1[metadata]
  2creation_date = "2020/09/02"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
 11libraries it may be indicative of an allowlist bypass.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-endpoint.events.library-*",
 18    "logs-windows.sysmon_operational-*",
 19]
 20language = "eql"
 21license = "Elastic License v2"
 22name = "Suspicious WMIC XSL Script Execution"
 23note = """## Triage and analysis
 24
 25> **Disclaimer**:
 26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 27
 28### Investigating Suspicious WMIC XSL Script Execution
 29
 30Windows Management Instrumentation Command-line (WMIC) is a powerful tool for managing Windows systems. Adversaries exploit WMIC to bypass security measures by executing scripts via XSL files, often loading scripting libraries like jscript.dll or vbscript.dll. The detection rule identifies such suspicious activities by monitoring WMIC executions with atypical arguments and the loading of specific libraries, indicating potential misuse for defense evasion.
 31
 32### Possible investigation steps
 33
 34- Review the process execution details to confirm the presence of WMIC.exe or wmic.exe with suspicious arguments such as "format*:*", "/format*:*", or "*-format*:*" that deviate from typical usage patterns.
 35- Examine the command line used in the process execution to identify any unusual or unexpected parameters that could indicate malicious intent, excluding known benign patterns like "* /format:table *".
 36- Investigate the sequence of events to determine if there was a library or process event involving the loading of jscript.dll or vbscript.dll, which may suggest script execution through XSL files.
 37- Correlate the process.entity_id with other related events within the 2-minute window to identify any additional suspicious activities or processes that may have been spawned as a result of the initial execution.
 38- Check the parent process of the suspicious WMIC execution to understand the context and origin of the activity, which may provide insights into whether it was initiated by a legitimate application or a potentially malicious actor.
 39- Analyze the host's recent activity and security logs for any other indicators of compromise or related suspicious behavior that could be part of a broader attack campaign.
 40
 41### False positive analysis
 42
 43- Legitimate administrative tasks using WMIC with custom scripts may trigger alerts. Review the command line arguments and context to determine if the execution is part of routine system management.
 44- Automated scripts or software updates that utilize WMIC for legitimate purposes might load scripting libraries like jscript.dll or vbscript.dll. Identify these processes and consider adding them to an allowlist to prevent future false positives.
 45- Security tools or monitoring solutions that use WMIC for system checks can be mistaken for suspicious activity. Verify the source and purpose of the execution and exclude these known tools from triggering alerts.
 46- Scheduled tasks or maintenance scripts that use WMIC with non-standard arguments could be flagged. Document these tasks and create exceptions for their specific command line patterns to reduce noise.
 47- Custom applications developed in-house that rely on WMIC for functionality may inadvertently match the detection criteria. Work with development teams to understand these applications and adjust the detection rule to accommodate their legitimate use cases.
 48
 49### Response and remediation
 50
 51- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
 52- Terminate any suspicious WMIC processes identified by the alert to stop ongoing malicious script execution.
 53- Conduct a thorough review of the system's recent activity logs to identify any additional indicators of compromise or related malicious activities.
 54- Remove any unauthorized or suspicious XSL files and associated scripts from the system to prevent re-execution.
 55- Restore the system from a known good backup if any critical system files or configurations have been altered.
 56- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 58risk_score = 47
 59rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 60severity = "medium"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Defense Evasion",
 66    "Tactic: Execution",
 67    "Data Source: Elastic Defend",
 68    "Data Source: Sysmon",
 69    "Resources: Investigation Guide",
 70]
 71type = "eql"
 72
 73query = '''
 74sequence by process.entity_id with maxspan = 2m
 75[process where host.os.type == "windows" and event.type == "start" and
 76   (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and
 77   process.args : ("format*:*", "/format*:*", "*-format*:*") and
 78   not process.command_line : ("* /format:table *", "* /format:table")]
 79[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
 80 (?dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))]
 81'''
 82
 83
 84[[rule.threat]]
 85framework = "MITRE ATT&CK"
 86[[rule.threat.technique]]
 87id = "T1220"
 88name = "XSL Script Processing"
 89reference = "https://attack.mitre.org/techniques/T1220/"
 90
 91
 92[rule.threat.tactic]
 93id = "TA0005"
 94name = "Defense Evasion"
 95reference = "https://attack.mitre.org/tactics/TA0005/"
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98[[rule.threat.technique]]
 99id = "T1047"
100name = "Windows Management Instrumentation"
101reference = "https://attack.mitre.org/techniques/T1047/"
102
103
104[rule.threat.tactic]
105id = "TA0002"
106name = "Execution"
107reference = "https://attack.mitre.org/tactics/TA0002/"