sccm | LoFP

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml>sigma
technicques: t1546 t1546.003

Techniques

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

condition: selection and not filter
filter:
  TargetLogonId: '0x3e7'
selection:
  EventID: 4624
  LogonType: 3
  ProcessName|endswith: scrcons.exe