WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
Sigma rule (View on GitHub)
1title: WMI Persistence - Script Event Consumer File Write
2id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
3status: test
4description: Detects file writes of WMI script event consumer
5references:
6 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
7author: Thomas Patzke
8date: 2018/03/07
9modified: 2021/11/27
10tags:
11 - attack.t1546.003
12 - attack.persistence
13logsource:
14 product: windows
15 category: file_event
16detection:
17 selection:
18 Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
19 condition: selection
20falsepositives:
21 - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
22level: high
References
Related rules
- Suspicious desktop.ini Action
- HybridConnectionManager Service Installation
- Persistence and Execution at Scale via GPO Scheduled Task
- Remote Service Activity via SVCCTL Named Pipe
- Remote Task Creation via ATSVC Named Pipe