
Summary
This detection rule identifies potential application allowlist bypass techniques in Windows Management Instrumentation Command-line (WMIC) executions that could indicate malicious activity. Specifically, it targets scenarios where WMIC is executed with suspicious script arguments and then loads a scripting library such as jscript.dll or vbscript.dll. The rule uses a sequence query that captures WMIC process starts and analyzes their command-line arguments for deviations from standard usage patterns. WMIC can be abused by adversaries to bypass security controls, and the parameters specified in the query suggest that such misuse may be at play, warranting investigation. The rule leverages various logs and indices, including winlogbeat and sysmon event logs, to monitor for relevant activity, and it triggers alerts when the specified conditions are met. Given the risk score of 47 (medium severity), it emphasizes the importance of systematic checks and validations during triage and investigation, especially in differentiating legitimate administrative actions from potential breaches. The rule is designed to complement broader security strategies by enabling proactive monitoring and effective response to possible threats through well-defined investigation guidelines.
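As an added example, not the rule's own query: a minimal Python re-implementation of the sequence logic described above, run over constructed Sysmon-style process-start and image-load events. The "suspicious argument" predicate (a /format value that is a URL, a UNC path or an explicit .xsl file rather than a built-in keyword) and the 30-second window are assumptions, not the rule's actual parameters.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    pid: int
    kind: str      # "process_start" or "image_load"
    path: str      # executable for process_start, loaded DLL for image_load
    cmdline: str = ""

SCRIPT_DLLS = {"jscript.dll", "vbscript.dll"}
# Assumption: a "suspicious script argument" is a /format switch whose value is a URL,
# a UNC path or an explicit .xsl file, not a built-in keyword such as "list" or "csv".
SUSPICIOUS_ARG = re.compile(r"/format\s*:\s*[\"']?(?:https?://|\\\\|\S*\.xsl\b)", re.I)

def find_wmic_script_bypass(events, window=timedelta(seconds=30)):
    """Sequence: WMIC start with a suspicious argument, followed within `window`
    by jscript.dll or vbscript.dll being loaded into the same process."""
    pending = {}   # pid -> qualifying start event not yet matched to a DLL load
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start":
            if ev.path.lower().endswith("wmic.exe") and SUSPICIOUS_ARG.search(ev.cmdline):
                pending[ev.pid] = ev
        elif ev.kind == "image_load":
            start = pending.get(ev.pid)
            dll = ev.path.lower().rsplit("\\", 1)[-1]
            if start and dll in SCRIPT_DLLS and ev.ts - start.ts <= window:
                hits.append((start, ev))
                del pending[ev.pid]
    return hits

# Constructed sample telemetry; only pid 200 should produce an alert.
T0 = datetime(2020, 9, 2, 12, 0, 0)
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    Event(T0, 100, "process_start", WMIC, "wmic process list brief"),                      # normal admin use
    Event(T0 + timedelta(seconds=1), 100, "image_load", r"C:\Windows\System32\wbem\wbemcomn.dll"),
    Event(T0 + timedelta(seconds=5), 200, "process_start", WMIC,
          r'wmic os get /format:"\\fileshare\templates\custom.xsl"'),                       # remote stylesheet
    Event(T0 + timedelta(seconds=6), 200, "image_load", r"C:\Windows\System32\jscript.dll"),
    Event(T0 + timedelta(seconds=10), 300, "process_start", WMIC, "wmic os get /format:list"),  # built-in keyword
    Event(T0 + timedelta(seconds=11), 300, "image_load", r"C:\Windows\System32\framedynos.dll"),
    Event(T0 + timedelta(seconds=20), 400, "process_start", WMIC,
          "wmic os get /format:http://intranet.example/report.xsl"),                       # suspicious start...
    Event(T0 + timedelta(minutes=5), 400, "image_load", r"C:\Windows\System32\vbscript.dll"),  # ...but load too late
]
```

Calling `find_wmic_script_bypass(SAMPLE_EVENTS)` returns one (start, load) pair for pid 200; the pid 400 sequence falls outside the window and the pid 300 command uses a built-in format keyword, so neither alerts.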
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- Windows Registry
- Script
- WMI
ATT&CK Techniques
- T1220
- T1047
Created: 2020-09-02