WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32)
Detects threat actors proxy-executing code and bypassing application controls by using wmic with the /FORMAT
argument switch to download and execute an XSL file (i.e. js, vbs, etc.).
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| XSL Script Processing - T1220 (ebbe170d-aa74-4946-8511-9921243415a3) | Attack Pattern | WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32) | Sigma-Rules | 1 |