XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
Sigma rule

```yaml
title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2024-03-05
tags:
    - attack.defense-evasion
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|windash: '-format' # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
```
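To see how the selection, the `windash` modifier and the `filter_main_known_format` exclusion combine, here is an added example (not part of the rule or of pySigma) that evaluates the rule's logic over constructed process_creation events; it approximates `windash` as accepting either `-` or `/` as the flag prefix and matches case-insensitively, as Sigma does.

```python
# Added example, not the Sigma rule's or pySigma's code: a simplified evaluation of
# this rule's selection/filter logic over constructed process_creation events.
# Sigma string matching is case-insensitive; 'windash' is approximated here as
# "treat '-' and '/' as interchangeable flag prefixes" (assumption, simplified).

KNOWN_FORMATS = [
    "Format:List", "Format:htable", "Format:hform", "Format:table", "Format:mof",
    "Format:value", "Format:rawxml", "Format:xml", "Format:csv",
]


def windash_contains(command_line: str, needle: str) -> bool:
    """Case-insensitive 'contains' with '-' and '/' accepted as the flag prefix."""
    variants = {needle, "/" + needle[1:]} if needle.startswith("-") else {needle}
    haystack = command_line.lower()
    return any(v.lower() in haystack for v in variants)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies: selection and not 1 of filter_main_*."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # selection: Image|endswith '\wmic.exe' and CommandLine|contains|windash '-format'
    if not image.endswith("\\wmic.exe") or not windash_contains(cmd, "-format"):
        return False
    # filter_main_known_format: WMIC's built-in output formats are suppressed
    if any(fmt.lower() in cmd.lower() for fmt in KNOWN_FORMATS):
        return False
    return True


def flag_events(events: list) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry); only the first should alert.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process list /FORMAT:"C:\Users\Public\suspicious.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption /format:list"},        # benign built-in format
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic process list -format:csv"},            # dash prefix, still filtered
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c wmic process list /format:report.xsl"},  # Image is not wmic.exe
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:srv1 os get caption"},           # no format flag at all
]

if __name__ == "__main__":
    print("alerting events:", flag_events(SAMPLE_EVENTS))  # [0]
```

Note that the fourth event is not matched only because the logged `Image` is cmd.exe; the wmic.exe child it spawns would produce its own process_creation event, which the rule would evaluate separately.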
Related rules
- Msxsl.EXE Execution
- WMIC Loading Scripting Libraries
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType