WMI Persistence - Command Line Event Consumer
Detects WMI command line event consumers
Sigma rule
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
references:
  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
  - attack.privilege-escalation
  - attack.t1546.003
  - attack.persistence
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
    ImageLoaded|endswith: '\wbemcons.dll'
  condition: selection
falsepositives:
  - Unknown (data set is too small; further testing needed)
level: high
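The rule's selection, evaluated in code as an added example that is not part of the rule or of the Sigma project: a small Python matcher applies the same two conditions (exact match on Image, suffix match on ImageLoaded, both case-insensitive as Sigma string matching is by default) to image-load records in the shape of Sysmon Event ID 7. The sample events are constructed for the example, not real telemetry.

```python
"""Apply the Sigma selection to image-load events (added example, not the rule itself)."""

# Values taken directly from the rule's selection block
IMAGE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
DLL_SUFFIX = r"\wbemcons.dll"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma compares string values case-insensitively by default, so both
    fields are lower-cased. 'Image' is an exact match; 'ImageLoaded' uses
    the |endswith modifier, i.e. a suffix comparison.
    """
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    return image == IMAGE.lower() and loaded.endswith(DLL_SUFFIX.lower())


def scan(events):
    """Return the subset of events that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records in the shape of Sysmon Event ID 7 (not real logs)
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcons.dll"},     # both conditions hold
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},     # different DLL, no match
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcons.dll"},     # wrong loading process
    {"EventID": 7, "Image": r"c:\windows\system32\wbem\wmiprvse.exe",
     "ImageLoaded": r"C:\WINDOWS\SYSTEM32\WBEM\WBEMCONS.DLL"},     # case differs, still matches
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```

Because the rule keys on a single DLL load rather than on the consumer's command line, the matcher only tells you that the standard-consumer DLL was loaded into the WMI provider host; triage still needs the corresponding __EventFilter / CommandLineEventConsumer objects to judge whether the subscription is legitimate.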
Related rules
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Powershell WMI Persistence
- Suspicious Encoded Scripts in a WMI Consumer
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription