Potential SquiblyTwo Technique Execution
Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
Sigma rule (View on GitHub)
1title: Potential SquiblyTwo Technique Execution
2id: 8d63dadf-b91b-4187-87b6-34a1114577ea
3status: test
4description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
5references:
6 - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
7 - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
8 - https://atomicredteam.io/defense-evasion/T1220/
9 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
10author: Markus Neis, Florian Roth
11date: 2019-01-16
12modified: 2024-11-23
13tags:
14 - attack.defense-evasion
15 - attack.t1047
16 - attack.t1220
17 - attack.execution
18 - attack.t1059.005
19 - attack.t1059.007
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_pe:
25 - Image|endswith: '\wmic.exe'
26 - OriginalFileName: 'wmic.exe'
27 - Hashes|contains: # Sysmon field hashes contains all types
28 - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
29 - IMPHASH=37777A96245A3C74EB217308F3546F4C
30 - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
31 selection_cli:
32 CommandLine|contains|all:
33 - 'format:'
34 - 'http'
35 condition: all of selection_*
36falsepositives:
37 - Unknown
38level: medium
References
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Csc.EXE Execution Form Potentially Suspicious Parent
- HackTool - CACTUSTORCH Remote Thread Creation
- Adwind RAT / JRAT