WMIC Loading Scripting Libraries

calendar Aug 12, 2024 · attack.defense-evasion attack.t1220  ·
Share on: linkedin copy

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

Sigma rule (View on GitHub)

 1title: WMIC Loading Scripting Libraries
 2id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
 3status: test
 4description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
 5references:
 6    - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
 7    - https://twitter.com/dez_/status/986614411711442944
 8    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 9author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
10date: 2020-10-17
11modified: 2022-10-13
12tags:
13    - attack.defense-evasion
14    - attack.t1220
15logsource:
16    category: image_load
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\wmic.exe'
21        ImageLoaded|endswith:
22            - '\jscript.dll'
23            - '\vbscript.dll'
24    condition: selection
25falsepositives:
26    - The command wmic os get lastboottuptime loads vbscript.dll
27    - The command wmic os get locale loads vbscript.dll
28    - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
29level: medium

References

Related rules

to-top