Potential SquiblyTwo Technique Execution

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Sigma rule (View on GitHub)

 1title: Potential SquiblyTwo Technique Execution
 2id: 8d63dadf-b91b-4187-87b6-34a1114577ea
 3status: test
 4description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
 5references:
 6    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
 7    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
 8    - https://atomicredteam.io/defense-evasion/T1220/
 9    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
10author: Markus Neis, Florian Roth
11date: 2019-01-16
12modified: 2024-11-23
13tags:
14    - attack.defense-evasion
15    - attack.t1047
16    - attack.t1220
17    - attack.execution
18    - attack.t1059.005
19    - attack.t1059.007
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_pe:
25        - Image|endswith: '\wmic.exe'
26        - OriginalFileName: 'wmic.exe'
27        - Hashes|contains:  # Sysmon field hashes contains all types
28              - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
29              - IMPHASH=37777A96245A3C74EB217308F3546F4C
30              - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
31    selection_cli:
32        CommandLine|contains|all:
33            - 'format:'
34            - 'http'
35    condition: all of selection_*
36falsepositives:
37    - Unknown
38level: medium

References

Related rules

to-top