WMI Persistence - Script Event Consumer

Detects WMI script event consumers

Sigma rule (View on GitHub)

 1title: WMI Persistence - Script Event Consumer
 2id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
 3status: test
 4description: Detects WMI script event consumers
 5references:
 6    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 7author: Thomas Patzke
 8date: 2018/03/07
 9modified: 2022/10/11
10tags:
11    - attack.persistence
12    - attack.privilege_escalation
13    - attack.t1546.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image: C:\WINDOWS\system32\wbem\scrcons.exe
20        ParentImage: C:\Windows\System32\svchost.exe
21    condition: selection
22falsepositives:
23    - Legitimate event consumers
24    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
25level: medium

References

Related rules

to-top