Remote WMI ActiveScriptEventConsumers

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Sigma rule

title: Remote WMI ActiveScriptEventConsumers
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
references:
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/09/02
modified: 2021/11/27
tags:
    - attack.lateral_movement
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        ProcessName|endswith: 'scrcons.exe'
    filter:
        TargetLogonId: '0x3e7'
    condition: selection and not filter
falsepositives:
    - SCCM
level: high
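To show what the rule's selection, filter and condition actually match, the following added example (not part of the rule or of the Sigma project) applies the same logic to a few constructed Security 4624 records shaped like JSON-exported event logs; field names follow the rule, and the events, user names and addresses are made up for the demonstration.

```python
"""Apply the Remote WMI ActiveScriptEventConsumers rule to sample 4624 events."""

# Constructed sample records resembling JSON-exported Windows Security events.
SAMPLE_EVENTS = [
    # Network logon whose logon process is scrcons.exe: what the rule is after.
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x5f3a21",
     "ProcessName": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.7"},
    # Same process, but attributed to the local SYSTEM session (0x3e7): filtered out.
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x3E7",
     "ProcessName": "C:\\Windows\\System32\\wbem\\SCRCONS.EXE",
     "TargetUserName": "SYSTEM", "IpAddress": "-"},
    # Interactive logon (type 2): not a remote logon, outside the selection.
    {"EventID": "4624", "LogonType": "2", "TargetLogonId": "0x7a1b2c",
     "ProcessName": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "TargetUserName": "jdoe", "IpAddress": "-"},
    # Ordinary network logon via a different process: outside the selection.
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x9c01d2",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"},
]


def _as_int(value, default=-1):
    """Exported logs may carry numeric fields as strings; coerce safely."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def selection(ev):
    """Sigma 'selection': 4624, LogonType 3, ProcessName ending in scrcons.exe.
    Sigma string matching is case-insensitive, hence the lower()."""
    return (_as_int(ev.get("EventID")) == 4624
            and _as_int(ev.get("LogonType")) == 3
            and str(ev.get("ProcessName", "")).lower().endswith("scrcons.exe"))


def filter_system(ev):
    """Sigma 'filter': 0x3e7 is the well-known LogonId of the local SYSTEM
    session, so logons attributed to it are not remote WMI activity."""
    return str(ev.get("TargetLogonId", "")).lower() == "0x3e7"


def run_rule(events):
    """Sigma 'condition': selection and not filter."""
    return [ev for ev in events if selection(ev) and not filter_system(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"[high] remote WMI ActiveScriptEventConsumer logon: "
              f"user={hit['TargetUserName']} from={hit['IpAddress']}")
```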
