Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Sigma rule (View on GitHub)
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
      type: similar
status: test
description: |
    Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
    to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
    malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
    The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
    with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
    LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
    - https://atomicredteam.io/defense-evasion/T1220/
    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
    - https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
    - attack.defense-evasion
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains: # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cli:
        CommandLine|contains|windash: '/format:'
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
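To show what the rule's two selections actually match, the following is an added example (not code from the Sigma project) that re-implements the detection logic in Python and runs it over constructed process-creation events; the set of dash characters accepted by the `windash` modifier and the sample hostnames and paths are assumptions.

```python
# Added example (not part of the Sigma project): evaluates the rule's detection
# logic against constructed process-creation events to show what it will and
# will not flag. Sigma string matching is case-insensitive.
import re

IMPHASHES = [  # the wmic.exe import hashes listed in selection_pe
    "1B1A3F43BF37B5BFE60751F2EE2F326E", "37777A96245A3C74EB217308F3546F4C",
    "9D87C9D67CE724033C0B40CC4CA1B206", "B12619881D79C3ACADF45E752A58554A",
    "16A48C3CABF98A9DC1BF02C07FE1EA00",
]
# Sigma's `windash` modifier lets "/" or "-" in the pattern match any dash-like
# character; the exact variant set here is an assumption (slash, hyphen, en/em dash, horizontal bar).
_DASHES = "/-\u2013\u2014\u2015"

def windash_contains(value: str, pattern: str) -> bool:
    parts = [f"[{re.escape(_DASHES)}]" if ch in "/-" else re.escape(ch) for ch in pattern]
    return re.search("".join(parts), value, re.IGNORECASE) is not None

def contains_any(value: str, needles) -> bool:
    return any(n.lower() in value.lower() for n in needles)

def selection_pe(event: dict) -> bool:
    # Image name, original PE name, or import hash identify wmic.exe even when renamed
    return (event.get("Image", "").lower().endswith("\\wmic.exe")
            or event.get("OriginalFileName", "").lower() == "wmic.exe"
            or contains_any(event.get("Hashes", ""), [f"IMPHASH={h}" for h in IMPHASHES]))

def selection_cli(event: dict) -> bool:
    # '/format:' (any dash variant) plus a URL scheme or UNC path in the same command line
    cmd = event.get("CommandLine", "")
    return windash_contains(cmd, "/format:") and contains_any(cmd, ["://", "\\\\"])

def matches(event: dict) -> bool:
    return selection_pe(event) and selection_cli(event)

# Constructed sample events (hostnames and paths are placeholders)
SAMPLE_EVENTS = {
    "remote_xsl_url": {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
                       "CommandLine": 'wmic os get /format:"https://example.com/x.xsl"'},
    "renamed_binary_unc": {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "wmic.exe",
                           "CommandLine": r"svc.exe process list -format:\\fileserver\share\x.xsl"},
    "benign_local_format": {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
                            "CommandLine": "wmic computersystem get model /format:list"},
    "not_wmic": {"Image": r"C:\Windows\System32\msxsl.exe",
                 "CommandLine": 'msxsl.exe data.xml "https://example.com/x.xsl"'},
}

def evaluate() -> dict:
    return {name: matches(ev) for name, ev in SAMPLE_EVENTS.items()}
```

The local `/format:list` event shows why the rule requires a URL scheme or UNC path in addition to `/format:`; without that second condition every routine WMIC formatting call would fire.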
References
Related rules
- XSL Script Execution Via WMIC.EXE
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- HackTool - CACTUSTORCH Remote Thread Creation
- Csc.EXE Execution Form Potentially Suspicious Parent