WMI Persistence - Script Event Consumer
Detects the execution of a script event consumer. When scrcons.exe launches, it does so in response to the creation of an ActiveScriptEventConsumer instance and will execute registered JScript or VBScript code as a result. Script event consumers are a built-in Windows Management Instrumentation (WMI) class that automatically executes a predefined script (in VBScript or JScript) whenever a specific system event occurs. Adversaries often abuse script event consumers to maintain persistence on a compromised host by executing a malicious script whenever a specific event occurs.
Sigma rule
```yaml
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: |
    Detects the execution of a script event consumer. When scrcons.exe launches, it does so in response to the creation of an ActiveScriptEventConsumer instance
    and will execute registered JScript or VBScript code as a result.
    Script event consumers are a built-in Windows Management Instrumentation (WMI) class that
    automatically executes a predefined script (in VBScript or JScript) whenever a specific system event occurs.
    Adversaries often abuse script event consumers to maintain persistence on a compromised host
    by executing a malicious script whenever a specific event occurs.
references:
    - https://redcanary.com/blog/threat-detection/child-processes/
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: C:\WINDOWS\system32\wbem\scrcons.exe
        ParentImage: C:\Windows\System32\svchost.exe
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
```
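The rule's `selection` block evaluated in Python over a few constructed process_creation events. This is an added example, not code from the page or from the Sigma project; the event dictionaries and their ProcessId values are made up, modelled on Sysmon Event ID 1 field names. It mirrors two points of Sigma semantics that matter when porting the rule into a pipeline by hand: the fields inside a selection map are ANDed, and string values match case-insensitively, so the mixed-case `Image` path in the rule still matches the path as Sysmon records it. The third sample event shows a caveat for defenders: a log source that does not populate `ParentImage` never fires this rule.

```python
# Added example (not part of the Sigma rule or the Sigma project): evaluates the
# rule's `selection` block against constructed process_creation events the way a
# Sigma backend for Windows event logs would. String comparison is case-insensitive
# (Sigma's default), so "C:\Windows\System32\wbem\scrcons.exe" matches the rule's
# "C:\WINDOWS\system32\wbem\scrcons.exe".
from typing import Dict, List

# Field values copied verbatim from the rule's `selection` block.
SELECTION = {
    "Image": r"C:\WINDOWS\system32\wbem\scrcons.exe",
    "ParentImage": r"C:\Windows\System32\svchost.exe",
}


def _field_matches(event: Dict[str, str], field: str, expected: str) -> bool:
    """No Sigma modifiers are used, so this is plain case-insensitive equality.
    A field absent from the event never matches."""
    value = event.get(field)
    return value is not None and value.casefold() == expected.casefold()


def selection_matches(event: Dict[str, str]) -> bool:
    """Sigma map semantics: every key in the selection must match (logical AND)."""
    return all(_field_matches(event, f, v) for f, v in SELECTION.items())


def alert_on(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessId of every event that satisfies `condition: selection`."""
    return [e["ProcessId"] for e in events if selection_matches(e)]


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # scrcons.exe started by the WMI service host: the situation the rule targets.
        # Path casing differs from the rule's Image value on purpose.
        "ProcessId": "4120",
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\wbem\scrcons.exe -Embedding",
    },
    {   # Ordinary WMI provider host under the same parent: Image differs, no match.
        "ProcessId": "4121",
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
    },
    {   # Same binary, but the log source did not record ParentImage: the AND fails,
        # so a telemetry source without parent-process data is blind to this rule.
        "ProcessId": "4122",
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "CommandLine": r"C:\Windows\system32\wbem\scrcons.exe -Embedding",
    },
]

if __name__ == "__main__":
    for pid in alert_on(SAMPLE_EVENTS):
        print(f"WMI Persistence - Script Event Consumer: matched ProcessId {pid}")
```

Run as a script it reports only ProcessId 4120. The same `selection_matches` function applies to any event source that maps onto Sigma's process_creation category, provided both `Image` and `ParentImage` are populated; when tuning for the Dell false positive listed in the rule, the place to add an exclusion is a second selection combined with `and not` in the condition, not a change to these two field values.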
Related rules
- NewActiveScriptEventConsumer Creation Attempt via Wmic.EXE
- Suspicious Encoded Scripts in a WMI Consumer
- Powershell WMI Persistence
- WMI Backdoor Exchange Transport Agent
- WMI Event Subscription