dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button

t1546
t1546.003
windows
sigma

Techniques

t1546
t1546.003

Sample rules

WMI Persistence - Script Event Consumer

source: sigma
technicques:
- t1546
- t1546.003

Description

Detects WMI script event consumers

Detection logic

condition: selection
selection:
  Image: C:\WINDOWS\system32\wbem\scrcons.exe
  ParentImage: C:\Windows\System32\svchost.exe

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

source: sigma
technicques:
- t1546
- t1546.003

Description

Detects signs of the WMI script host process “scrcons.exe” loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Detection logic

condition: selection
selection:
  ImageLoaded|endswith:
  - \vbscript.dll
  - \wbemdisp.dll
  - \wshom.ocx
  - \scrrun.dll
  Image|endswith: \scrcons.exe