title: WMI Persistence - Script Event Consumer
author: Thomas Patzke
date: 2018/03/07
description: Detects WMI script event consumers
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: C:\WINDOWS\system32\wbem\scrcons.exe
    SELECTION_3:
        ParentImage: C:\Windows\System32\svchost.exe
    condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate event consumers
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
level: high
logsource:
    category: process_creation
    product: windows
modified: 2020/08/29
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.003
- attack.t1047
yml_filename: win_wmi_persistence_script_event_consumer.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation