IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Suspicious WMI Image Load from MS Office Suspicious WerFault Child Process »

› › ›

Suspicious WMIC XSL Script Execution

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Suspicious WMIC XSL Script Execution

edit

Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of a whitelist bypass.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

sequence by process.entity_id with maxspan=2m [process where
event.type in ("start", "process_started") and (process.name :
"WMIC.exe" or process.pe.original_file_name == "wmic.exe") and
wildcard(process.args, "format*:*", "/format*:*", "*-format*:*") and
not wildcard(process.command_line, "* /format:table *")] [library
where event.type == "start" and file.name in ("jscript.dll",
"vbscript.dll")]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: XSL Script Processing
- ID: T1220
- Reference URL: https://attack.mitre.org/techniques/T1220/

« Suspicious WMI Image Load from MS Office Suspicious WerFault Child Process »