WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32)
Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic with the /FORMAT argument switch to download and execute an XSL file containing embedded script (e.g. js, vbs, etc.).
It could be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32) | Sigma-Rules | XSL Script Processing - T1220 (ebbe170d-aa74-4946-8511-9921243415a3) | Attack Pattern | 1 |