LoFP / legitimate software creating script event consumers

Techniques

Sample rules

New ActiveScriptEventConsumer Created Via Wmic.EXE

Description

Detects WMIC executions in which a WMI event consumer (ActiveScriptEventConsumer) gets created. This could be used to establish persistence.

Detection logic

detection:
  selection:
    CommandLine|contains|all:
      - 'ActiveScriptEventConsumer'
      - ' CREATE '
  condition: selection
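As an added example (not part of the LoFP page or of the Sigma rule itself), the evaluator below applies the selection above to constructed process-creation events; the parent image paths and command lines are hypothetical. It applies Sigma's default case-insensitive string matching, so a lowercased `create` still fires, and it shows why the command line alone cannot separate the legitimate-software case this page lists from a suspicious one.

```python
from typing import Iterable

# The rule's only selection, copied from the detection logic above.
SELECTION = {
    "CommandLine|contains|all": ["ActiveScriptEventConsumer", " CREATE "],
}


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle must be a substring of the field.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def rule_matches(event: dict) -> bool:
    """Evaluate 'condition: selection' for one process-creation event."""
    for key, needles in SELECTION.items():
        field, *modifiers = key.split("|")
        if modifiers != ["contains", "all"]:
            raise NotImplementedError(f"unsupported modifiers: {modifiers}")
        if not contains_all(event.get(field, ""), needles):
            return False
    return True


def matching_command_lines(events: Iterable[dict]) -> list[str]:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events, not real telemetry. The first two both fire;
# the rule cannot tell from the command line which one is benign, so triage
# has to look at context such as ParentImage.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Downloads\unknown.exe",  # hypothetical path
     "CommandLine": r'wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer CREATE Name="sample_consumer"'},
    {"ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",  # hypothetical installer
     "CommandLine": r'WMIC /namespace:\\root\subscription path activescripteventconsumer create Name="vendor_consumer"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic process list brief"},  # no consumer class at all
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic path ActiveScriptEventConsumer get Name"},  # enumerates, no CREATE
]

if __name__ == "__main__":
    for cmd in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```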