Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Sigma rule (View on GitHub)
1title: Suspicious Encoded Scripts in a WMI Consumer
2id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
3status: test
4description: Detects suspicious encoded payloads in WMI Event Consumers
5references:
6 - https://github.com/RiccardoAncarani/LiquidSnake
7author: Florian Roth (Nextron Systems)
8date: 2021-09-01
9modified: 2022-10-09
10tags:
11 - attack.privilege-escalation
12 - attack.execution
13 - attack.t1047
14 - attack.persistence
15 - attack.t1546.003
16logsource:
17 product: windows
18 category: wmi_event
19detection:
20 selection_destination:
21 Destination|base64offset|contains:
22 - 'WriteProcessMemory'
23 - 'This program cannot be run in DOS mode'
24 - 'This program must be run under Win32'
25 condition: selection_destination
26fields:
27 - User
28 - Operation
29falsepositives:
30 - Unknown
31level: high
References
-
LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript - RiccardoAncarani/LiquidSnake
Read More
Related rules
- HackTool - CrackMapExec Execution Patterns
- MITRE BZAR Indicators for Execution
- Password Set to Never Expire via WMI
- Suspicious Autorun Registry Modified via WMI
- HackTool - CrackMapExec Execution