WMI Persistence - Script Event Consumer File Write

Oct 26, 2022 · attack.t1546.003 attack.persistence ·

Detects file writes of WMI script event consumer

Sigma rule (View on GitHub)

 1title: WMI Persistence - Script Event Consumer File Write
 2id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
 3status: test
 4description: Detects file writes of WMI script event consumer
 5references:
 6    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 7author: Thomas Patzke
 8date: 2018/03/07
 9modified: 2021/11/27
10tags:
11    - attack.t1546.003
12    - attack.persistence
13logsource:
14    product: windows
15    category: file_event
16detection:
17    selection:
18        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
19    condition: selection
20falsepositives:
21    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
22level: high

References

Tales of a Threat Hunter 2

Following the trace of WMI Backdoors & other nastiness

Read More

Related rules

Suspicious desktop.ini Action
HybridConnectionManager Service Installation
Persistence and Execution at Scale via GPO Scheduled Task
Remote Service Activity via SVCCTL Named Pipe
Remote Task Creation via ATSVC Named Pipe

WMI Persistence - Script Event Consumer File Write

Sigma rule (View on GitHub)

References

Tales of a Threat Hunter 2

Related rules