Detectionmediumtest

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Wed Sep 02Updated Wed Feb 22b439f47d-ef52-4b29-9a2f-57d8a96cb6b8windows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\scrcons.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\wbemdisp.dll'
            - '\wshom.ocx'
            - '\scrrun.dll'
    condition: selection

False Positives

Legitimate event consumers

Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button

References

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement TA0004 · Privilege Escalation TA0003 · Persistence

Sub-techniques

T1546.003 · Windows Management Instrumentation Event Subscription