XSL Script Execution Via WMIC.EXE

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Sigma rule

```yaml
title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
    - attack.defense-evasion
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cmd:
        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
```
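To see which events the rule fires on and which its two filters suppress, here is an added example (not part of the rule or the Sigma project) that re-implements the selection and filter logic in Python and runs it over constructed process-creation events; the `ev` helper, the field names and the sample command lines are assumptions for illustration.

```python
import re

# Re-implementation of the rule's detection block; Sigma string matching is case-insensitive.
IMPHASHES = ("IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E", "IMPHASH=37777A96245A3C74EB217308F3546F4C",
             "IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206", "IMPHASH=B12619881D79C3ACADF45E752A58554A",
             "IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00")
KNOWN_FORMATS = ("format:list", "format:htable", "format:hform", "format:table", "format:mof",
                 "format:value", "format:rawxml", "format:xml", "format:csv")
# Sigma's '\\\\' unescapes to two literal backslashes (a UNC prefix); '://' marks a URL.
REMOTE_MARKERS = ("://", "\\\\")
# |windash lets the value match with '-' or '/' as the switch character (pySigma also adds Unicode dashes).
WINDASH_FORMAT = re.compile(r"[-/\u2013\u2014\u2015]format:", re.IGNORECASE)

def selection_img(event):
    """selection_img: the image path, OriginalFileName or any listed IMPHASH identifies wmic.exe."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    hashes = event.get("Hashes", "").upper()
    return (image.endswith("\\wmic.exe") or orig == "wmic.exe"
            or any(h in hashes for h in IMPHASHES))

def matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    cmd = event.get("CommandLine", "")
    if not (selection_img(event) and WINDASH_FORMAT.search(cmd)):
        return False
    low = cmd.lower()
    if any(f in low for f in KNOWN_FORMATS):      # filter_main_known_format
        return False
    if any(m in low for m in REMOTE_MARKERS):     # filter_main_remote_operation
        return False
    return True

def alerts(events):
    """Names of the events the rule would fire on, in input order."""
    return [name for name, event in events.items() if matches(event)]

# Constructed sample events (not real telemetry); 'ev' is a hypothetical helper.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
def ev(cmd, image=WMIC, **fields): return {"Image": image, "CommandLine": cmd, **fields}
SAMPLE_EVENTS = {
    "local_xsl": ev(r'wmic process list /format:"C:\Temp\report.xsl"'),
    "renamed_binary": ev(r"w.exe os get caption -format:C:\Temp\a.xsl", image=r"C:\Temp\w.exe", OriginalFileName="wmic.exe"),
    "builtin_format": ev("wmic os get caption -Format:List"),
    "unc_path": ev(r"wmic process list /format:\\fileserver\share\report.xsl"),
    "url": ev("wmic process list /format:https://example.invalid/r.xsl"),
    "other_binary": ev("cmd.exe /c dir /format:x.xsl", image=r"C:\Windows\System32\cmd.exe"),
}

if __name__ == "__main__": print(alerts(SAMPLE_EVENTS))  # → ['local_xsl', 'renamed_binary']
```

The UNC and URL cases drop out here only because the rule delegates them to the related rule 8d63dadf-b91b-4187-87b6-34a1114577ea, so both rules need to be deployed together for full coverage.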
