Home/Sigma rules
Sigma

Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

5 shown of 5
high
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
status test author Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems) id 8d63dadf-b91b-4187-87b6-34a1114577ea
view Sigma YAML 
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
      type: similar
status: test
description: |
    Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
    to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
    malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
    The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
    with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
    LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
    - https://atomicredteam.io/defense-evasion/T1220/
    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
    - https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cli:
        CommandLine|contains|windash: '/format:'
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Remote XSL Execution Via Msxsl.EXE
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
status test author Swachchhanda Shrawan Poudel id 75d0a94e-6252-448d-a7be-d953dff527bb
view Sigma YAML 
title: Remote XSL Execution Via Msxsl.EXE
id: 75d0a94e-6252-448d-a7be-d953dff527bb
status: test
description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
level: high
medium
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
status test author Timur Zinniatullin, oscd.community id 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
view Sigma YAML 
title: Msxsl.EXE Execution
id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
status: test
description: |
    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
    Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition
level: medium
medium
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
view Sigma YAML 
title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
related:
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
      type: similar
status: test
description: |
    Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
    It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
references:
    - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
    - https://twitter.com/dez_/status/986614411711442944
    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-17
modified: 2022-10-13
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        ImageLoaded|endswith:
            - '\jscript.dll'
            - '\vbscript.dll'
    condition: selection
falsepositives:
    - The command wmic os get lastbootuptime loads vbscript.dll
    - The command wmic os get locale loads vbscript.dll
    - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
    - The command `wmic ntevent` loads vbscript.dll
level: medium
medium
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
status test author Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel id 05c36dd6-79d6-4a9a-97da-3db20298ab2d
view Sigma YAML 
title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cmd:
        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
Showing 1-5 of 5
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin