legitimate event consumers

t1546
t1546.003
windows
sigma

Techniques

t1546
t1546.003

Sample rules

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

source: sigma
technicques:
- t1546
- t1546.003

Description

Detects signs of the WMI script host process “scrcons.exe” loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Detection logic

condition: selection
selection:
  ImageLoaded|endswith:
  - \vbscript.dll
  - \wbemdisp.dll
  - \wshom.ocx
  - \scrrun.dll
  Image|endswith: \scrcons.exe

WMI Persistence - Script Event Consumer

source: sigma
technicques:
- t1546
- t1546.003

Description

Detects WMI script event consumers

Detection logic

condition: selection
selection:
  Image: C:\WINDOWS\system32\wbem\scrcons.exe
  ParentImage: C:\Windows\System32\svchost.exe