title: Remote WMI ActiveScriptEventConsumers
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/09/02
description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers
    remotely to move laterally in a network
detection:
    SELECTION_1:
        EventID: 4624
    SELECTION_2:
        LogonType: 3
    SELECTION_3:
        ProcessName: '*scrcons.exe'
    SELECTION_4:
        TargetLogonId: '0x3e7'
    condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
falsepositives:
- SCCM
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
level: high
logsource:
    product: windows
    service: security
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
status: experimental
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.persistence
- attack.t1546.003
yml_filename: win_scrcons_remote_wmi_scripteventconsumer.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin