Techniques
Sample rules
WMI Persistence - Command Line Event Consumer
- source: sigma
- techniques:
- t1546
- t1546.003
Description
Detects WMI command line event consumers by the WMI provider host (WmiPrvSE.exe) loading wbemcons.dll, the DLL that implements the standard CommandLineEventConsumer class. The load happens when a bound consumer fires, not when it is registered, and is only visible if Sysmon image-load events (Event ID 7) are collected for that DLL.
Detection logic
condition: selection
selection:
    Image: C:\Windows\System32\wbem\WmiPrvSE.exe
    ImageLoaded|endswith: \wbemcons.dll
WMI Persistence - Security
- source: sigma
- techniques:
- t1546
- t1546.003
Description
Detects suspicious WMI event filter and command line event consumer activity from the Security log: Event ID 4662 (an operation was performed on an object) on a WMI namespace whose name contains "subscription", i.e. root\subscription, where permanent event filters, consumers and bindings are stored. Windows only logs 4662 for a WMI namespace when a SACL has been set on that namespace (for example via wmimgmt.msc) and object-access auditing is enabled, so the rule is silent on hosts without that configuration.
Detection logic
condition: selection
selection:
    EventID: 4662
    ObjectName|contains: subscription
    ObjectType: WMI Namespace
WMI Persistence
- source: sigma
- techniques:
- t1546
- t1546.003
Description
Detects suspicious WMI event filter registrations and filter-to-consumer bindings from the Microsoft-Windows-WMI-Activity/Operational log: Event ID 5861 (filter-to-consumer binding) when the event text mentions one of the standard command line or script consumer classes, or any Event ID 5859 (filter registration), excluding the known benign registration of the SCM Event Provider's MSFT_SCMEventLogEvent query by S-1-5-32-544 (BUILTIN\Administrators). Note that consumer_keywords is a keyword list, so Sigma matches it against the whole event rather than a single field.
Detection logic
condition: ((wmi_filter_to_consumer_binding and consumer_keywords) or wmi_filter_registration) and not filter_scmevent
consumer_keywords:
    - ActiveScriptEventConsumer
    - CommandLineEventConsumer
    - CommandLineTemplate
filter_scmevent:
    PossibleCause: Permanent
    Provider: SCM Event Provider
    Query: select * from MSFT_SCMEventLogEvent
    User: S-1-5-32-544
wmi_filter_registration:
    EventID: 5859
wmi_filter_to_consumer_binding:
    EventID: 5861
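To show how the three rules above actually decide on events, here is an added example (written for this page; it is not Sigma project code and not from the original page) that implements just the Sigma constructs these rules use and runs all three over a handful of constructed events. The events are hand-built dicts whose field names are assumptions mimicking parsed Sysmon event 7, Security 4662 and WMI-Activity 5859/5861 records; they were not captured from a real host.

```python
"""Minimal Sigma evaluator for the three WMI-persistence rules on this page.

Added example, not the Sigma project's code. It supports only the constructs those
rules use (exact match, |contains, |endswith, keyword lists, and/or/not) and runs
them over constructed events; the field names are assumptions, not captures.
"""

# Constructed sample events (assumed field names; not taken from a real host).
SAMPLE_EVENTS = [
    # 0: Sysmon EID 7, WMI provider host loads the standard consumer DLL
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcons.dll"},
    # 1: Security EID 4662, object access on the root\subscription namespace
    {"EventID": 4662, "ObjectType": "WMI Namespace",
     "ObjectName": r"root\subscription", "SubjectUserName": "jdoe"},
    # 2: WMI-Activity EID 5861, binding that names a CommandLineEventConsumer
    {"EventID": 5861, "PossibleCause": "Permanent",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
    # 3: WMI-Activity EID 5859, filter registration by an ordinary user
    {"EventID": 5859, "PossibleCause": "Permanent", "User": "S-1-5-21-1111-2222-3333-1001",
     "Query": "select * from __InstanceModificationEvent within 60 "
              "where TargetInstance isa 'Win32_PerfFormattedData_PerfOS_System'"},
    # 4: WMI-Activity EID 5859, the benign SCM Event Provider registration
    {"EventID": 5859, "PossibleCause": "Permanent", "Provider": "SCM Event Provider",
     "Query": "select * from MSFT_SCMEventLogEvent", "User": "S-1-5-32-544"},
    # 5: Sysmon EID 7, WmiPrvSE loading an unrelated DLL (must not match)
    {"EventID": 7, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
]


def match_field(event, key, expected):
    """One 'Field|modifier: value' pair. Sigma string matching is case-insensitive."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    value, expected = str(event[name]).lower(), str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"modifier {modifier!r} is not used by these rules")


def match_selection(event, selection):
    """A mapping selection ANDs its fields; a list selection is a keyword list,
    which Sigma matches (OR) against the whole event text, not one field."""
    if isinstance(selection, dict):
        return all(match_field(event, k, v) for k, v in selection.items())
    text = " ".join(str(v) for v in event.values()).lower()
    return any(str(kw).lower() in text for kw in selection)


def rule_cli_event_consumer(event):
    """WMI Persistence - Command Line Event Consumer (Sysmon image load)."""
    return match_selection(event, {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                                   "ImageLoaded|endswith": r"\wbemcons.dll"})


def rule_security(event):
    """WMI Persistence - Security (Event ID 4662 on the subscription namespace)."""
    return match_selection(event, {"EventID": 4662, "ObjectName|contains": "subscription",
                                   "ObjectType": "WMI Namespace"})


def rule_wmi_activity(event):
    """WMI Persistence: (5861 binding AND consumer keyword) OR any 5859,
    minus the benign SCM Event Provider registration."""
    binding = match_selection(event, {"EventID": 5861})
    registration = match_selection(event, {"EventID": 5859})
    consumer_keywords = match_selection(event, [
        "ActiveScriptEventConsumer", "CommandLineEventConsumer", "CommandLineTemplate"])
    scm_filter = match_selection(event, {
        "PossibleCause": "Permanent", "Provider": "SCM Event Provider",
        "Query": "select * from MSFT_SCMEventLogEvent", "User": "S-1-5-32-544"})
    return bool(((binding and consumer_keywords) or registration) and not scm_filter)


RULES = {
    "WMI Persistence - Command Line Event Consumer": rule_cli_event_consumer,
    "WMI Persistence - Security": rule_security,
    "WMI Persistence": rule_wmi_activity,
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {rule title: [indexes of the events it matches]}."""
    return {title: [i for i, ev in enumerate(events) if rule(ev)]
            for title, rule in RULES.items()}


if __name__ == "__main__":
    for title, hits in evaluate().items():
        print(f"{title}: events {hits}")
```

Running it shows event 4 being dropped by filter_scmevent even though it is a 5859 registration, and event 2 matching only because the keyword list is searched across the whole event text. In a real SIEM the backend decides which fields make up "the whole event" for keyword selections, so a field-scoped backend mapping can silently turn consumer_keywords into a miss; that is worth checking when this rule is deployed.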