SigmaHQ/rules/windows/builtin/SquiblyTwo.yar

title: SquiblyTwo  
status: experimental
description: Detects WMI SquiblyTwo Attack
references:
    - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html 
author: Markus Neis 
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image:
            - '*\wmic.exe'
        CommandLine:
            - 'wmic * /format:\"http*'
            - 'wmic * /format:\'http'
            - 'wmic * /format:http'
    condition: 1 of selection
falsepositives:
    - Unknown 
level: medium
added SquiblyTwo Detection 2018-04-17 19:33:26 +00:00			`title: SquiblyTwo`
			`status: experimental`
			`description: Detects WMI SquiblyTwo Attack`
			`references:`
			`- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html`
			`author: Markus Neis`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 1`
			`Image:`
			`- '*\wmic.exe'`
			`CommandLine:`
Extended rule 2018-04-18 10:13:45 +00:00			`- 'wmic * /format:\"http*'`
			`- 'wmic * /format:\'http'`
			`- 'wmic * /format:http'`
added SquiblyTwo Detection 2018-04-17 19:33:26 +00:00			`condition: 1 of selection`
			`falsepositives:`
			`- Unknown`
			`level: medium`