Techniques
Sample rules
WMIC Loading Scripting Libraries
- source: sigma
- techniques:
  - t1220
Description
Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic with the /FORMAT argument switch to download and execute an XSL file (i.e. one containing JS, VBS, etc.).
It could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
Detection logic
condition: selection
selection:
  ImageLoaded|endswith:
    - \jscript.dll
    - \vbscript.dll
  Image|endswith: \wmic.exe
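The selection above applied to Sysmon Event ID 7 (image load) records, as an added example that is not part of the Sigma rule or its source repository. The sample events are constructed, the field names mirror Sysmon's Image and ImageLoaded, and matching is case-insensitive as Sigma string modifiers are by default.

```python
"""Evaluate the 'WMIC Loading Scripting Libraries' selection over Sysmon image-load events."""

# The rule's selection: wmic.exe loading a Windows Script engine DLL.
IMAGE_SUFFIX = "\\wmic.exe"
LOADED_SUFFIXES = ("\\jscript.dll", "\\vbscript.dll")


def matches(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma's endswith modifier is case-insensitive, so both fields are
    lower-cased before comparison (WMIC.exe, VBScript.dll etc. still match).
    """
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(IMAGE_SUFFIX) and loaded.endswith(LOADED_SUFFIXES)


def scan(events):
    """Return the subset of events that would raise the alert."""
    return [e for e in events if matches(e)]


# Constructed sample telemetry (not real logs), shaped like Sysmon Event ID 7.
SAMPLE_EVENTS = [
    # wmic.exe pulling in the JScript engine: this is what the rule is after.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\jscript.dll"},
    # wmic.exe loading its own WMI support DLL: benign, no script engine.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbemcomn.dll"},
    # cscript.exe is expected to load vbscript.dll; the rule is scoped to wmic.exe.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\cscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # Mixed-case paths still match thanks to case-insensitive comparison.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "ImageLoaded": "C:\\Windows\\SysWOW64\\VBScript.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT WMIC Loading Scripting Libraries:",
              hit["Image"], "->", hit["ImageLoaded"])
```

Event ID 7 carries no command line, so a hit should be pivoted to the matching process-creation event to see whether the /FORMAT switch pointed at a remote or otherwise unexpected XSL file.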