WMIC Loading Scripting Libraries

calendar Jun 26, 2023 · attack.defense_evasion attack.t1220  ·
Share on: linkedin copy

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

Sigma rule (View on GitHub)

 1title: WMIC Loading Scripting Libraries
 2id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
 3status: test
 4description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
 5references:
 6    - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
 7    - https://twitter.com/dez_/status/986614411711442944
 8    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 9author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
10date: 2020/10/17
11modified: 2022/10/13
12tags:
13    - attack.defense_evasion
14    - attack.t1220
15logsource:
16    category: image_load
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\wmic.exe'
21        ImageLoaded|endswith:
22            - '\jscript.dll'
23            - '\vbscript.dll'
24    condition: selection
25falsepositives:
26    - The command wmic os get lastboottuptime loads vbscript.dll
27    - The command wmic os get locale loads vbscript.dll
28    - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
29level: medium

References

  • WMIC Remote XSL Jscript Execution — Security Datasets

    Dataset Description# This dataset represents adversaries proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL fi...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Wmic | LOLBAS

    Execute: WSH This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript.


    Read More

Related rules

to-top