WMI Persistence - Command Line Event Consumer

Aug 12, 2024 · attack.t1546.003 attack.persistence ·

Detects WMI command line event consumers

Sigma rule (View on GitHub)

 1title: WMI Persistence - Command Line Event Consumer
 2id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
 3status: test
 4description: Detects WMI command line event consumers
 5references:
 6    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 7author: Thomas Patzke
 8date: 2018-03-07
 9modified: 2021-11-27
10tags:
11    - attack.t1546.003
12    - attack.persistence
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
19        ImageLoaded|endswith: '\wbemcons.dll'
20    condition: selection
21falsepositives:
22    - Unknown (data set is too small; further testing needed)
23level: high

References

Tales of a Threat Hunter 2

Following the trace of WMI Backdoors & other nastiness

Read More

Related rules

New ActiveScriptEventConsumer Created Via Wmic.EXE
Suspicious Encoded Scripts in a WMI Consumer
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
WMI Backdoor Exchange Transport Agent
WMI Event Subscription

WMI Persistence - Command Line Event Consumer

Sigma rule (View on GitHub)

References

Tales of a Threat Hunter 2

Related rules