Remote WMI ActiveScriptEventConsumers
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
Sigma rule

title: Remote WMI ActiveScriptEventConsumers
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
references:
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/09/02
modified: 2021/11/27
tags:
    - attack.lateral_movement
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        ProcessName|endswith: 'scrcons.exe'
    filter:
        TargetLogonId: '0x3e7'
    condition: selection and not filter
falsepositives:
    - SCCM
level: high
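As an added illustration (not part of the rule or the referenced playbook), the Python below evaluates the rule's `selection and not filter` logic over a few constructed Security 4624 events: a network logon (LogonType 3) performed by scrcons.exe is reported unless it belongs to the SYSTEM logon session 0x3e7. The `matches_rule` / `find_hits` names and all event values are assumptions.

```python
# Added example: evaluates the Sigma rule above against constructed
# Windows Security 4624 events. Not code from the rule's author or project.

SCRCONS_SUFFIX = "scrcons.exe"          # ProcessName|endswith: 'scrcons.exe'
LOCAL_SYSTEM_LOGON_ID = "0x3e7"         # filter: TargetLogonId '0x3e7' (SYSTEM session)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'.

    Sigma string matching is case-insensitive, so both the process path
    suffix and the logon id are compared in lower case.
    """
    selection = (
        event.get("EventID") == 4624
        and event.get("LogonType") == 3
        and str(event.get("ProcessName", "")).lower().endswith(SCRCONS_SUFFIX)
    )
    filtered = str(event.get("TargetLogonId", "")).lower() == LOCAL_SYSTEM_LOGON_ID
    return selection and not filtered


def find_hits(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; values are illustrative, not real telemetry.
SCRCONS = r"C:\Windows\System32\wbem\scrcons.exe"
SAMPLE_EVENTS = [
    # SYSTEM's own session: matches the selection but is removed by the filter
    {"EventID": 4624, "LogonType": 3, "ProcessName": SCRCONS,
     "TargetLogonId": "0x3e7", "TargetUserName": "SYSTEM"},
    # non-SYSTEM network logon performed by scrcons.exe: the rule's hit
    {"EventID": 4624, "LogonType": 3, "ProcessName": SCRCONS,
     "TargetLogonId": "0x5a2c1", "TargetUserName": "wardog"},
    # interactive logon (type 2): outside the selection
    {"EventID": 4624, "LogonType": 2, "ProcessName": SCRCONS,
     "TargetLogonId": "0x5a2c2", "TargetUserName": "wardog"},
    # network logon by a different process: outside the selection
    {"EventID": 4624, "LogonType": 3, "ProcessName": r"C:\Windows\System32\lsass.exe",
     "TargetLogonId": "0x5a2c3", "TargetUserName": "wardog"},
    # unrelated event id
    {"EventID": 4688, "LogonType": 3, "ProcessName": SCRCONS,
     "TargetLogonId": "0x5a2c4", "TargetUserName": "wardog"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"hit: {hit['TargetUserName']} logon {hit['TargetLogonId']} via {hit['ProcessName']}")
```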