title: Suspicious Scripting in a WMI Consumer
author: Florian Roth, Jonhnathan Ribeiro
date: 2019/04/15
description: Detects suspicious scripting in WMI Event Consumers
detection:
  SELECTION_1:
    EventID: 19
  SELECTION_10:
    Destination:
    - '* iex(*'
    - '*WScript.shell*'
    - '* -nop *'
    - '* -noprofile *'
    - '* -decode *'
    - '* -enc *'
  SELECTION_11:
    Destination:
    - '*WScript.Shell*'
    - '*System.Security.Cryptography.FromBase64Transform*'
  SELECTION_2:
    EventID: 20
  SELECTION_3:
    EventID: 21
  SELECTION_4:
    Destination: '*new-object*'
  SELECTION_5:
    Destination: '*net.webclient*'
  SELECTION_6:
    Destination: '*.downloadstring*'
  SELECTION_7:
    Destination: '*new-object*'
  SELECTION_8:
    Destination: '*net.webclient*'
  SELECTION_9:
    Destination: '*.downloadfile*'
  condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and ((SELECTION_4 and SELECTION_5
    and SELECTION_6) or (SELECTION_7 and SELECTION_8 and SELECTION_9) or SELECTION_10
    or SELECTION_11))
falsepositives:
- Administrative scripts
fields:
- User
- Operation
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
level: high
logsource:
  category: wmi_event
  product: windows
modified: 2021/09/01
references:
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19
- https://github.com/RiccardoAncarani/LiquidSnake
status: experimental
tags:
- attack.t1086
- attack.execution
- attack.t1059.005
ruletype: SIGMA