Techniques
Sample rules
Remote WMI ActiveScriptEventConsumers
- source: sigma
- techniques:
  - t1546
  - t1546.003
Description
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
Detection logic
condition: selection and not filter
filter:
  TargetLogonId: '0x3e7'
selection:
  EventID: 4624
  LogonType: 3
  ProcessName|endswith: scrcons.exe
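
The detection logic above, evaluated over a handful of constructed 4624 events to show which ones alert and which the filter suppresses. This is an added example, not part of the Sigma rule or of any Sigma tooling: the matcher is a minimal stand-in for a backend, and the event values, the `id` labels and the function names are assumptions made for illustration.

```python
# Added example: minimal stand-in for a Sigma backend, not Sigma tooling.
RULE = {
    "selection": {"EventID": 4624, "LogonType": 3,
                  "ProcessName|endswith": "scrcons.exe"},
    "filter": {"TargetLogonId": "0x3e7"},
}

def field_matches(event, key, expected):
    """Match 'Field' or 'Field|endswith'; strings compare case-insensitively."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual, wanted = str(event[name]).lower(), str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "":
        return actual == wanted
    raise ValueError(f"unsupported modifier: {modifier}")

def block_matches(event, block):
    # Every entry of a selection map must match (logical AND).
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event, rule=RULE):
    # condition: selection and not filter
    return (block_matches(event, rule["selection"])
            and not block_matches(event, rule["filter"]))

SCRCONS = r"C:\Windows\System32\wbem\scrcons.exe"
# Constructed 4624 events (all values are illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"id": "net-logon-scrcons", "EventID": 4624, "LogonType": 3,
     "ProcessName": SCRCONS, "TargetLogonId": "0x1a2b3c"},
    {"id": "system-session", "EventID": 4624, "LogonType": 3,
     "ProcessName": SCRCONS, "TargetLogonId": "0x3E7"},
    {"id": "ordinary-net-logon", "EventID": 4624, "LogonType": 3,
     "ProcessName": "-", "TargetLogonId": "0x4d5e6f"},
    {"id": "upper-case-path", "EventID": 4624, "LogonType": 3,
     "ProcessName": SCRCONS.upper(), "TargetLogonId": "0x77aa01"},
    {"id": "interactive-logon", "EventID": 4624, "LogonType": 2,
     "ProcessName": SCRCONS, "TargetLogonId": "0x88bb02"},
]

def alerts(events, rule=RULE):
    return [e["id"] for e in events if rule_fires(e, rule)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

The filter value 0x3e7 is the logon ID of the LocalSystem session, so the rule keeps only network logons that scrcons.exe performed under some other session.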