WMI Persistence - Command Line Event Consumer

Oct 26, 2022 · attack.t1546.003 attack.persistence ·

Detects WMI command line event consumers

Sigma rule (View on GitHub)

 1title: WMI Persistence - Command Line Event Consumer
 2id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
 3status: test
 4description: Detects WMI command line event consumers
 5references:
 6    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 7author: Thomas Patzke
 8date: 2018/03/07
 9modified: 2021/11/27
10tags:
11    - attack.t1546.003
12    - attack.persistence
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
19        ImageLoaded|endswith: '\wbemcons.dll'
20    condition: selection
21falsepositives:
22    - Unknown (data set is too small; further testing needed)
23level: high

References

Tales of a Threat Hunter 2

Following the trace of WMI Backdoors & other nastiness

Read More

Related rules

WMI Persistence - Script Event Consumer File Write
New DLL Added to AppCertDlls Registry Key
Path To Screensaver Binary Modified
WINEKEY Registry Modification
Suspicious desktop.ini Action

WMI Persistence - Command Line Event Consumer

Sigma rule (View on GitHub)

References

Tales of a Threat Hunter 2

Related rules