Detection rules › Sigma
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1220 XSL Script Processing |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
Stages and Predicates
Stage 1: selection
or:
ImageLoaded|endswith: '\jscript.dll'
ImageLoaded|endswith: '\vbscript.dll'
Image|endswith: '\wmic.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
ImageLoaded | ends_with |
|