WMI Persistence - Script Event Consumer
Detects WMI script event consumers
Sigma rule
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: Detects WMI script event consumers
references:
  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018/03/07
modified: 2022/10/11
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1546.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image: C:\WINDOWS\system32\wbem\scrcons.exe
    ParentImage: C:\Windows\System32\svchost.exe
  condition: selection
falsepositives:
  - Legitimate event consumers
  - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
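As an added example (not part of the rule or of SigmaHQ), the matcher below applies the rule's selection to constructed process_creation events, using the Sigma field names Image and ParentImage and Sigma's case-insensitive string comparison; the sample events are constructed, not real telemetry.

```python
"""Evaluate the rule's selection against constructed process_creation events.

Added example, not part of the Sigma rule or SigmaHQ. Field names follow
the Sigma process_creation taxonomy; the events below are constructed data.
"""

# Selection copied from the rule's detection block. Sigma compares plain
# string values case-insensitively, so the matcher folds case before comparing.
SELECTION = {
    "Image": r"C:\WINDOWS\system32\wbem\scrcons.exe",
    "ParentImage": r"C:\Windows\System32\svchost.exe",
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field equals the event's field, ignoring case."""
    for field, expected in selection.items():
        value = event.get(field)
        if value is None or value.lower() != expected.lower():
            return False
    return True


def alerts(events: list) -> list:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events in the shape of Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {   # script consumer host started under the WMI service host: matches
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # same binary with a different parent: no match
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # ordinary svchost child: no match
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"])
```

The first sample event differs from the rule's Image value only in letter case and still matches, which is the behaviour a Sigma backend must preserve when converting this rule.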
Related rules
- WMI Persistence - Command Line Event Consumer
- Path To Screensaver Binary Modified
- WMI Persistence - Script Event Consumer File Write
- MacOS Emond Launch Daemon
- Startup Items