WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Detects the WMI script host process "scrcons.exe" loading scripting DLLs, which can indicate WMI ActiveScriptEventConsumer activity (a permanent WMI event subscription running a script, MITRE ATT&CK T1546.003).

Sigma rule

title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicate WMI ActiveScriptEventConsumers EventConsumers activity.
references:
    - https://twitter.com/HunterPlaybook/status/1301207718355759107
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2023-02-22
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\scrcons.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\wbemdisp.dll'
            - '\wshom.ocx'
            - '\scrrun.dll'
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
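The following Python is an added example, not part of the Sigma rule or the SigmaHQ project. It encodes the rule's `selection` block as a dictionary and evaluates it against constructed Sysmon Event ID 7 (ImageLoad) records with Sigma's semantics: every field in a selection must match (AND), a list of values for one field matches if any value does (OR), and the `|endswith` modifier compares case-insensitively. The generic `field_matches` helper also handles `|startswith`, `|contains` and plain equality, so it goes slightly beyond this one rule; the sample events, the `find_hits` function and the `RULE_SELECTION` name are assumptions made for the example.

```python
"""Added example: evaluate the scrcons.exe DLL-load Sigma selection
against constructed image_load events. Not code from the rule page."""
from typing import Any, Iterable

# Transcribed from the rule's detection.selection block.
RULE_SELECTION: dict[str, Any] = {
    "Image|endswith": "\\scrcons.exe",
    "ImageLoaded|endswith": [
        "\\vbscript.dll",
        "\\wbemdisp.dll",
        "\\wshom.ocx",
        "\\scrrun.dll",
    ],
}


def field_matches(field_spec: str, expected: Any, event: dict) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry against an event.

    Sigma string matching is case-insensitive by default, so both the
    event value and the expected values are lower-cased. A list of
    expected values is an OR: any single match satisfies the entry.
    """
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    candidates = [str(c).lower() for c in candidates]

    if modifier == "endswith":
        return any(value.endswith(c) for c in candidates)
    if modifier == "startswith":
        return any(value.startswith(c) for c in candidates)
    if modifier == "contains":
        return any(c in value for c in candidates)
    if modifier == "":  # no modifier: exact (case-insensitive) equality
        return value in candidates
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_rule(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """A selection is an AND over all of its field entries."""
    return all(field_matches(spec, exp, event) for spec, exp in selection.items())


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return the events that the rule's selection would fire on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records shaped like Sysmon Event ID 7; not real telemetry.
SAMPLE_EVENTS = [
    # scrcons.exe loading the VBScript engine: should match
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # scrcons.exe loading an ordinary system DLL: not in the list, no match
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "ImageLoaded": "C:\\Windows\\System32\\KERNEL32.DLL"},
    # a different script host loading vbscript.dll: Image does not match
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # upper-cased paths: endswith is case-insensitive, so this matches
    {"EventID": 7, "Image": "C:\\WINDOWS\\SYSTEM32\\WBEM\\SCRCONS.EXE",
     "ImageLoaded": "C:\\WINDOWS\\SYSTEM32\\WSHOM.OCX"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Running the block prints two alerts (the first and fourth sample events). Triage of a hit is then a matter of enumerating the host's permanent WMI event subscriptions to see which ActiveScriptEventConsumer is bound to which filter, and comparing it against the known-legitimate consumers listed under the rule's false positives.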
