NewActiveScriptEventConsumer Creation Attempt via Wmic.EXE

Detects the attempt to create an ActiveScriptEventConsumer via WMIC.EXE. An ActiveScriptEventConsumer is a built-in Windows Management Instrumentation (WMI) class that automatically executes a predefined script (in VBScript or JScript) whenever a specific system event occurs. Adversaries often abuse ActiveScriptEventConsumer to maintain persistence on a compromised host by executing a malicious script whenever a specific event occurs.

Sigma rule (View on GitHub)

 1title: NewActiveScriptEventConsumer Creation Attempt via Wmic.EXE
 2id: ebef4391-1a81-4761-a40a-1db446c0e625
 3status: test
 4description: |
 5    Detects the attempt to create an ActiveScriptEventConsumer via WMIC.EXE.
 6    An ActiveScriptEventConsumer is a built-in Windows Management Instrumentation (WMI) class that
 7    automatically executes a predefined script (in VBScript or JScript) whenever a specific system event occurs.
 8    Adversaries often abuse ActiveScriptEventConsumer to maintain persistence on a compromised host by executing a malicious script whenever a specific event occurs.    
 9references:
10    - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
11    - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
12author: Florian Roth (Nextron Systems)
13date: 2021-06-25
14modified: 2026-06-19
15tags:
16    - attack.privilege-escalation
17    - attack.persistence
18    - attack.t1546.003
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - OriginalFileName: 'wmic.exe'
25        - Image|endswith: '\WMIC.exe'
26    selection_cli:
27        CommandLine|contains|all:
28            - 'ActiveScriptEventConsumer'
29            - ' CREATE '
30    condition: all of selection_*
31falsepositives:
32    - Legitimate software creating script event consumers
33level: high

References

Related rules

to-top