WMI Persistence - Script Event Consumer File Write

Oct 23, 2025 · attack.privilege-escalation attack.t1546.003 attack.persistence ·

Detects file writes of WMI script event consumer

Sigma rule (View on GitHub)

 1title: WMI Persistence - Script Event Consumer File Write
 2id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
 3status: test
 4description: Detects file writes of WMI script event consumer
 5references:
 6    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 7author: Thomas Patzke
 8date: 2018-03-07
 9modified: 2021-11-27
10tags:
11    - attack.privilege-escalation
12    - attack.t1546.003
13    - attack.persistence
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
20    condition: selection
21falsepositives:
22    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
23level: high

References

Tales of a Threat Hunter 2

Following the trace of WMI Backdoors & other nastiness

Read More

WMI Persistence - Script Event Consumer File Write

Sigma rule (View on GitHub)

References

Tales of a Threat Hunter 2

Related rules