WMI Persistence - Script Event Consumer

Detects the execution of a script event consumer. scrcons.exe is the host process Windows uses to run script-based WMI event consumers: when an event matching a bound __EventFilter is delivered to an ActiveScriptEventConsumer instance, the WMI service (which runs inside svchost.exe, hence the rule's parent image) starts scrcons.exe, and scrcons.exe executes the JScript or VBScript registered in that consumer. Script event consumers are a built-in Windows Management Instrumentation (WMI) class that runs a predefined script (VBScript or JScript) whenever a specified system event occurs. Adversaries abuse them to maintain persistence on a compromised host: the malicious script runs every time the chosen event fires (a process start, a logon, a timer), stored only in the WMI repository rather than as a scheduled task, service or run key.
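The subscription objects the description refers to can be inspected directly on a host. The following PowerShell is an added example (not code from the Sigma rule or the SigmaHQ project): it lists every ActiveScriptEventConsumer in root\subscription together with the __EventFilter bound to it and the script it will hand to scrcons.exe. The namespace and class names are the documented Windows ones; the helper function names are this example's own, and it assumes an elevated session, since reading root\subscription requires administrator rights.

```powershell
# Added example, not part of the Sigma rule or the SigmaHQ project.
# Hunts the WMI repository for ActiveScriptEventConsumer persistence: every script
# consumer in root\subscription, the filter (WQL event query) bound to it, and the
# script text scrcons.exe will run. Run from an elevated PowerShell session.
# Helper names (Resolve-RefName, Resolve-RefClass) are this example's own.

$Namespace = 'root\subscription'

# __FilterToConsumerBinding.Filter / .Consumer are CIM references. Get-CimInstance
# returns them as CimInstance objects carrying the key property (Name); the older
# Get-WmiObject returns object-path strings such as __EventFilter.Name="X".
# Handle both so the script behaves the same on every host.
function Resolve-RefName {
    param([object]$Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]*)"') { return $Matches[1] }
        return $Ref
    }
    return [string]$Ref.Name
}

function Resolve-RefClass {
    param([object]$Ref)
    if ($Ref -is [string]) {
        if ($Ref -match '([A-Za-z_][A-Za-z0-9_]*)\.Name=') { return $Matches[1] }
        return 'unknown'
    }
    return [string]$Ref.CimSystemProperties.ClassName
}

$consumers = @(Get-CimInstance -Namespace $Namespace -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
$filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue)

if ($consumers.Count -eq 0) {
    Write-Host "No ActiveScriptEventConsumer instances in $Namespace"
    return
}

foreach ($c in $consumers) {
    # Bindings that point at this consumer. An unbound consumer never fires,
    # but it is still worth recording: it may be staged for a later binding.
    $bound = @($bindings | Where-Object {
        (Resolve-RefClass $_.Consumer) -eq 'ActiveScriptEventConsumer' -and
        (Resolve-RefName  $_.Consumer) -eq $c.Name
    })
    [pscustomobject]@{
        Consumer       = $c.Name
        Engine         = $c.ScriptingEngine
        ScriptFile     = $c.ScriptFileName
        ScriptText     = $c.ScriptText
        BoundFilters   = @($bound | ForEach-Object { Resolve-RefName $_.Filter })
        TriggerQueries = @($bound | ForEach-Object {
            $fname = Resolve-RefName $_.Filter
            ($filters | Where-Object { $_.Name -eq $fname } | Select-Object -First 1).Query
        })
    } | Format-List
}
```

A consumer bound to a filter on a routine event, with script text you did not deploy, is the subscription behind a scrcons.exe launch this rule flags. The Dell false positive the rule mentions can be confirmed the same way, by reading the consumer's script text and filter query rather than judging from the process tree alone.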

Sigma rule

title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: |
    Detects the execution of a script event consumer. When scrcons.exe launches, it does so in response to the creation of an ActiveScriptEventConsumer instance
    and will execute registered JScript or VBScript code as a result.
    Script event consumers are a built-in Windows Management Instrumentation (WMI) class that
    automatically executes a predefined script (in VBScript or JScript) whenever a specific system event occurs.
    Adversaries often abuse script event consumers to maintain persistence on a compromised host
    by executing a malicious script whenever a specific event occurs.
references:
    - https://redcanary.com/blog/threat-detection/child-processes/
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: C:\WINDOWS\system32\wbem\scrcons.exe
        ParentImage: C:\Windows\System32\svchost.exe
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
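To run the rule's selection against events already on a host rather than in a SIEM, the PowerShell below (an added example, not part of the rule or the SigmaHQ project) normalises Sysmon event 1 and Security event 4688, the two sources the process_creation log source is usually mapped to, into the rule's Image and ParentImage fields and applies the same AND condition. Function names are this example's own; it assumes at least one of the two logs is populated and readable from the session. Sigma compares strings case-insensitively, so the rule's C:\WINDOWS path matches the C:\Windows casing Sysmon records; a port to a case-sensitive query language has to reproduce that.

```powershell
# Added example, not part of the Sigma rule or the SigmaHQ project.
# Applies the rule's selection (Image = scrcons.exe AND ParentImage = svchost.exe)
# to process-creation events on this host, from Sysmon event 1 and Security 4688.
# Sigma string matching is case-insensitive; PowerShell's -eq on strings is too.

$Image       = 'C:\WINDOWS\system32\wbem\scrcons.exe'
$ParentImage = 'C:\Windows\System32\svchost.exe'

# Pull a named <Data Name="..."> field out of a Windows event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($null -eq $node) { return $null }
    return [string]$node.'#text'
}

# Normalise both sources to the Sigma field names the rule uses.
function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 5000)

    $sysmon = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    foreach ($e in $sysmon) {
        [pscustomobject]@{
            Source      = 'Sysmon/1'
            Time        = $e.TimeCreated
            Image       = Get-EventField $e 'Image'
            ParentImage = Get-EventField $e 'ParentImage'
            CommandLine = Get-EventField $e 'CommandLine'
        }
    }

    # 4688 needs "Audit Process Creation" enabled; ParentProcessName is only
    # present on Windows 10 / Server 2016 and later, so older hosts never match.
    $sec = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    foreach ($e in $sec) {
        [pscustomobject]@{
            Source      = 'Security/4688'
            Time        = $e.TimeCreated
            Image       = Get-EventField $e 'NewProcessName'
            ParentImage = Get-EventField $e 'ParentProcessName'
            CommandLine = Get-EventField $e 'CommandLine'
        }
    }
}

# The rule's selection: both fields must match (Sigma maps a multi-field
# selection to AND). -eq is case-insensitive, matching Sigma semantics.
function Test-ScrconsSelection {
    param($Event)
    return ($Event.Image -eq $Image) -and ($Event.ParentImage -eq $ParentImage)
}

$hits = @(Get-ProcessCreationEvents | Where-Object { Test-ScrconsSelection $_ })
if ($hits.Count -eq 0) {
    Write-Host 'No scrcons.exe launches under svchost.exe found in the scanned events.'
} else {
    $hits | Sort-Object Time | Format-Table Source, Time, Image, ParentImage, CommandLine -AutoSize
}
```

Each hit is one script consumer firing; pair the timestamp with the consumer listing from root\subscription to attribute it to a specific filter and script before deciding whether it is the legitimate OEM consumer the rule's false-positive note describes.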
