Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Potential Remote WMI ActiveScriptEventConsumers Activity

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Wed Sep 02Updated Mon Sep 029599c180-e3a8-4743-8f92-7fb96d3be648windows
Hunting Hypothesis
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4624
        LogonType: 3
        ProcessName|endswith: 'scrcons.exe'
    filter_main_local_system:
        TargetLogonId: '0x3e7' # Local System
    condition: selection and not 1 of filter_main_*
False Positives

SCCM

References
1
Resolving title…
threathunterplaybook.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
9599c180-e3a8-4743-8f92-7fb96d3be648
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Sep 02
Modified
Mon Sep 02
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Path
rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml
Raw Tags
attack.lateral-movementattack.privilege-escalationdetection.threat-huntingattack.persistenceattack.t1546.003
View on GitHub