Potential SquiblyTwo Technique Execution

calendar Oct 18, 2023 · attack.defense_evasion attack.t1047 attack.t1220 attack.execution attack.t1059.005 attack.t1059.007  ·
Share on: linkedin copy

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Sigma rule (View on GitHub)

 1title: Potential SquiblyTwo Technique Execution
 2id: 8d63dadf-b91b-4187-87b6-34a1114577ea
 3status: test
 4description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
 5references:
 6    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
 7    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
 8    - https://atomicredteam.io/defense-evasion/T1220/
 9    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
10author: Markus Neis, Florian Roth
11date: 2019/01/16
12modified: 2023/02/15
13tags:
14    - attack.defense_evasion
15    - attack.t1047
16    - attack.t1220
17    - attack.execution
18    - attack.t1059.005
19    - attack.t1059.007
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_pe:
25        - Image|endswith: '\wmic.exe'
26        - OriginalFileName: 'wmic.exe'
27        - Imphash:
28              - 1B1A3F43BF37B5BFE60751F2EE2F326E
29              - 37777A96245A3C74EB217308F3546F4C
30              - 9D87C9D67CE724033C0B40CC4CA1B206
31        - Hashes|contains:  # Sysmon field hashes contains all types
32              - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
33              - IMPHASH=37777A96245A3C74EB217308F3546F4C
34              - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
35    selection_cli:
36        CommandLine|contains|all:
37            - 'format:'
38            - 'http'
39    condition: all of selection_*
40falsepositives:
41    - Unknown
42level: medium

References

Related rules

to-top