Techniques
Sample rules
WMIC Loading Scripting Libraries
- source: sigma
- technicques:
- t1220
Description
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).
Detection logic
condition: selection
selection:
ImageLoaded|endswith:
- \jscript.dll
- \vbscript.dll
Image|endswith: \wmic.exe