LoFP / the command `wmic ntevent` loads vbscript.dll

Techniques

Sample rules

WMIC Loading Scripting Libraries

Description

Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file containing script (i.e. JS, VBS, etc.).

Detection logic

condition: selection
selection:
  ImageLoaded|endswith:
  - \jscript.dll
  - \vbscript.dll
  Image|endswith: \wmic.exe
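As an added example (not part of the LoFP page or the rule's source), the following Python applies the selection above to constructed Sysmon Event ID 7 records and shows that the benign `wmic ntevent` case and the /FORMAT case both satisfy the rule. The matcher functions and sample records are assumptions made here.

```python
# Evaluate the Sigma selection from the rule above against constructed Sysmon
# Event ID 7 (Image loaded) records; field names follow the Sysmon schema.

# The rule's selection block, kept in Sigma's "field|modifier" form.
SELECTION = {
    "ImageLoaded|endswith": ["\\jscript.dll", "\\vbscript.dll"],
    "Image|endswith": ["\\wmic.exe"],
}

def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    if value is None:
        return False
    value = value.lower()
    for pattern in (p.lower() for p in patterns):
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "" and value == pattern:
            return True
    return False

def selection_matches(event, selection=SELECTION):
    """A selection map ANDs its fields; each field's value list is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, patterns):
            return False
    return True

def run_detection(events, selection=SELECTION):
    """Return the records that fire the rule."""
    return [e for e in events if selection_matches(e, selection)]

# Constructed Sysmon Event ID 7 records (not captured from a real host).
SAMPLE_EVENTS = [
    # The false positive this LoFP entry documents: `wmic ntevent` loads the VBScript engine.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # The behaviour the rule targets: wmic loading jscript.dll for an XSL /FORMAT payload.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "ImageLoaded": "C:\\Windows\\System32\\jscript.dll"},
    # Another host process loading vbscript.dll is outside this rule's scope.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\cscript.exe", "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # wmic loading a DLL that is not a script engine.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Because a Sysmon image-load event carries no command line, the rule as written cannot separate the `ntevent` query from the /FORMAT case; correlating the hit with the process-creation event (Event ID 1) sharing the same ProcessGuid is the usual way to triage it.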