Techniques
Sample rules
XSL Script Execution Via WMIC.EXE
- source: sigma
- technicques:
- t1047
- t1059
- t1059.005
- t1059.007
- t1220
Description
Detects the execution of WMIC with the “format” flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_known_format:
CommandLine|contains:
- Format:List
- Format:htable
- Format:hform
- Format:table
- Format:mof
- Format:value
- Format:rawxml
- Format:xml
- Format:csv
filter_main_remote_operation:
CommandLine|contains:
- ://
- \\\\
selection_cmd:
CommandLine|contains|windash: '-format:'
selection_img:
- Image|endswith: \wmic.exe
- OriginalFileName: wmic.exe
- Hashes|contains:
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
- IMPHASH=37777A96245A3C74EB217308F3546F4C
- IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
- IMPHASH=B12619881D79C3ACADF45E752A58554A
- IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00