WMI Persistence - Script Event Consumer
Detects WMI script event consumers
Sigma rule
```yaml
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: Detects WMI script event consumers
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: C:\WINDOWS\system32\wbem\scrcons.exe
        ParentImage: C:\Windows\System32\svchost.exe
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
```
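To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that applies the rule's two field conditions to constructed process_creation events; it assumes Sysmon-style field names and Sigma's default case-insensitive string comparison.

```python
# Added example: evaluate the rule's selection against constructed events.
# Not Sigma's own code; field names and events are assumed/constructed.
from typing import Dict, List, Optional

# Selection transcribed from the rule above.
RULE = {
    "title": "WMI Persistence - Script Event Consumer",
    "level": "medium",
    "selection": {
        "Image": r"C:\WINDOWS\system32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
}


def field_matches(expected: str, actual: Optional[str]) -> bool:
    """Sigma compares strings case-insensitively, which matters for Windows paths."""
    return isinstance(actual, str) and actual.casefold() == expected.casefold()


def selection_matches(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """A Sigma map selection is an AND over every field/value pair in it."""
    return all(field_matches(v, event.get(k)) for k, v in selection.items())


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this rule, tagged with its title and level."""
    hits = []
    for event in events:
        if selection_matches(event, RULE["selection"]):
            hits.append({**event, "rule": RULE["title"], "level": RULE["level"]})
    return hits


# Constructed sample events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    # scrcons.exe started by svchost.exe: the pattern the rule looks for.
    # Path casing differs from the rule, and still matches.
    {"Image": r"C:\Windows\System32\wbem\scrcons.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Ordinary WMI provider host under svchost.exe: different Image, no match.
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    # Event missing ParentImage entirely: the AND cannot be satisfied, no match.
    {"Image": r"C:\Windows\System32\wbem\scrcons.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["level"], hit["rule"], hit["Image"])
```

The single hit is where a review of root\subscription (filters, consumers and their bindings) would start, bearing in mind the legitimate consumers listed under falsepositives.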
References
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
Related rules
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Persistence
- WMI Persistence - Security
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS