t1220
| Title | Tags |
| --- | --- |
| False positives are limited, as legitimate applications typically do not download files or XSL using wmic. Filter as needed. | t1220, endpoint, splunk |
| False positives may occur in development or administrative environments where msxsl.exe is used for legitimate XML transformations. However, its use is uncommon in standard user activity and should be reviewed in most environments. | t1220, endpoint, splunk |
| msxsl is not installed by default and is deprecated, so it is unlikely to be present on most systems. | t1220, windows, sigma |
| Since the ImageLoad event does not carry enough information in this case, it is better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insight. | t1220, windows, sigma |
| Static format arguments - https://petri.com/command-line-wmi-part-3 | t1220, windows, sigma |
| The command "wmic os get lastbootuptime" loads vbscript.dll. | t1220, windows, sigma |
| The command "wmic os get locale" loads vbscript.dll. | t1220, windows, sigma |
| wmic.exe false positives depend on the scripts and administrative methods used in the monitored environment. | t1220, windows, sigma |