WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
Sigma rule (View on GitHub)
1title: WMI Persistence - Script Event Consumer File Write
2id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
3status: test
4description: Detects file writes of WMI script event consumer
5references:
6 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
7author: Thomas Patzke
8date: 2018-03-07
9modified: 2021-11-27
10tags:
11 - attack.t1546.003
12 - attack.persistence
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
19 condition: selection
20falsepositives:
21 - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
22level: high
References
Related rules
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Suspicious Encoded Scripts in a WMI Consumer
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription