Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Sigma rule (View on GitHub)
1title: Suspicious Encoded Scripts in a WMI Consumer
2id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
3status: test
4description: Detects suspicious encoded payloads in WMI Event Consumers
5references:
6 - https://github.com/RiccardoAncarani/LiquidSnake
7author: Florian Roth (Nextron Systems)
8date: 2021/09/01
9modified: 2022/10/09
10tags:
11 - attack.execution
12 - attack.t1047
13 - attack.persistence
14 - attack.t1546.003
15logsource:
16 product: windows
17 category: wmi_event
18detection:
19 selection_destination:
20 Destination|base64offset|contains:
21 - 'WriteProcessMemory'
22 - 'This program cannot be run in DOS mode'
23 - 'This program must be run under Win32'
24 condition: selection_destination
25fields:
26 - User
27 - Operation
28falsepositives:
29 - Unknown
30level: high
References
-
LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript - RiccardoAncarani/LiquidSnake
Read More
Related rules
- DLL Load via LSASS
- Suspicious Scheduled Task Write to System32 Tasks
- WMI Persistence - Security
- Scheduled task executing powershell encoded payload from registry
- MOFComp Execution