The hypothesis is that an adversary is abusing WMI ActiveScriptEventConsumers to run malicious scripts, an activity that becomes visible when the WMI script host scrcons.exe loads scripting DLLs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify compromised WMI event consumers and disrupt persistence established by advanced persistent threats.
Detection Rule
```yaml
title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
references:
    - https://twitter.com/HunterPlaybook/status/1301207718355759107
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2023-02-22
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\scrcons.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\wbemdisp.dll'
            - '\wshom.ocx'
            - '\scrrun.dll'
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
```
Hunting Query (KQL)
```kql
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\scrcons.exe"
    and (FolderPath endswith "\\vbscript.dll"
         or FolderPath endswith "\\wbemdisp.dll"
         or FolderPath endswith "\\wshom.ocx"
         or FolderPath endswith "\\scrrun.dll")
```
False Positive Scenarios

**Scenario:** Scheduled Task Using Scrcons.exe for Legitimate WMI Event Monitoring
**Description:** A scheduled task is configured to monitor system events using WMI and loads scrcons.exe as part of its execution.
**Filter/Exclusion:** Check the command line arguments for scrcons.exe to ensure it is associated with a known legitimate WMI event consumer (e.g., CommandLine: /E:Microsoft.Windows.EventLog).

**Scenario:** System Update or Patching Process Using Scrcons.exe
**Description:** During a system update or patching process, scrcons.exe is used to execute scripts that trigger WMI events as part of the update mechanism.
**Filter/Exclusion:** Filter events where the process is initiated by a known update tool (e.g., Windows Update, WSUS, or SCCM), or check for parent processes like svchost.exe or wuauserv.exe.

**Scenario:** Admin Task to Monitor System Events via WMI
**Description:** An administrator has created a custom script or tool to monitor system events using WMI, which involves loading scrcons.exe as part of the script execution.
**Filter/Exclusion:** Filter based on the user context (e.g., User: SYSTEM or User: Admin) and check for known admin tools (e.g., PowerShell, Task Scheduler, or WMIC).

**Scenario:** Legacy Application or Service Using Scrcons.exe for WMI Event Handling
**Description:** An older enterprise application or service relies on scrcons.exe to handle WMI events for compatibility or legacy functionality.
**Filter/Exclusion:** Check for known legacy applications or services (e.g., SQL Server, Exchange, or IIS) and verify whether the process is initiated by those services.
**Scenario
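The following is an added example, not code from the original post or from the Sigma project. It reproduces the rule's image_load selection over a few constructed Sysmon Event ID 7 style records and then layers the kind of narrow, auditable exclusions the scenario section above calls for, so a hunter can see which hits survive tuning and why the others were suppressed. Field names follow Sysmon (Image, ImageLoaded, User, Computer); the hostnames, users, the "DELL-" hostname prefix and the DLL tied to the Dell exclusion are assumptions made for the example, not documented behaviour of that consumer.

```python
# Added example (not from the original post or the Sigma project): applies the
# rule's image_load selection to constructed Sysmon EID 7 style records, then
# applies narrow exclusions modelled on the false-positive scenarios above.
# All hosts, users, paths and tuning values below are hypothetical.
from dataclasses import dataclass

SCRIPT_HOST = "\\scrcons.exe"
SCRIPTING_DLLS = ("\\vbscript.dll", "\\wbemdisp.dll", "\\wshom.ocx", "\\scrrun.dll")


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # Sysmon Image: the process that loaded the DLL
    image_loaded: str  # Sysmon ImageLoaded: full path of the DLL
    user: str          # Sysmon User
    computer: str      # Sysmon Computer (hostname)


def matches_rule(ev: ImageLoadEvent) -> bool:
    """Mirror of the Sigma 'selection': Image endswith '\\scrcons.exe' AND
    ImageLoaded endswith one of the scripting DLLs. Sigma string matching is
    case-insensitive, so both sides are lower-cased first."""
    image = ev.image.lower()
    dll = ev.image_loaded.lower()
    return image.endswith(SCRIPT_HOST) and any(dll.endswith(s) for s in SCRIPTING_DLLS)


@dataclass(frozen=True)
class Exclusion:
    """One tuning entry. Every non-empty field must match for it to apply, so an
    exclusion is only as broad as the fields left blank."""
    reason: str
    computer_prefix: str = ""  # hostname prefix, "" = any host
    user: str = ""             # exact user, "" = any user
    image_loaded: str = ""     # DLL suffix, "" = any of the rule's DLLs

    def applies(self, ev: ImageLoadEvent) -> bool:
        return (
            (not self.computer_prefix or ev.computer.lower().startswith(self.computer_prefix.lower()))
            and (not self.user or ev.user.lower() == self.user.lower())
            and (not self.image_loaded or ev.image_loaded.lower().endswith(self.image_loaded.lower()))
        )


def hunt(events, exclusions):
    """Return (alerts, suppressed): rule hits that survive tuning, and rule hits
    a tuning entry explained away (kept so every suppression stays auditable)."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        reason = next((x.reason for x in exclusions if x.applies(ev)), None)
        (suppressed if reason else alerts).append((ev, reason))
    return alerts, suppressed


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    ImageLoadEvent("C:\\Windows\\System32\\wbem\\scrcons.exe", "C:\\Windows\\System32\\vbscript.dll",
                   "NT AUTHORITY\\SYSTEM", "WS-FIN-07"),    # scripting DLL inside scrcons.exe: rule hit
    ImageLoadEvent("C:\\Windows\\System32\\wbem\\scrcons.exe", "C:\\Windows\\System32\\ntdll.dll",
                   "NT AUTHORITY\\SYSTEM", "WS-FIN-07"),    # ordinary DLL: no hit
    ImageLoadEvent("C:\\Windows\\System32\\cscript.exe", "C:\\Windows\\System32\\vbscript.dll",
                   "CORP\\jsmith", "WS-FIN-07"),            # same DLL, different host process: no hit
    ImageLoadEvent("C:\\Windows\\System32\\wbem\\scrcons.exe", "C:\\Windows\\System32\\wshom.ocx",
                   "NT AUTHORITY\\SYSTEM", "DELL-LT-042"),  # rule hit, explained by the tuning entry
]

# Constructed tuning modelled on the scenarios above. The hostname prefix and the
# DLL bound to the Dell entry are assumptions for this example only.
TUNING = [
    Exclusion(reason="Dell brightness-hotkey event consumer (documented false positive)",
              computer_prefix="DELL-", user="NT AUTHORITY\\SYSTEM", image_loaded="\\wshom.ocx"),
]

if __name__ == "__main__":
    alerts, suppressed = hunt(SAMPLE_EVENTS, TUNING)
    for ev, _ in alerts:
        print(f"ALERT      {ev.computer:12} {ev.user:22} {ev.image_loaded}")
    for ev, why in suppressed:
        print(f"SUPPRESSED {ev.computer:12} {ev.user:22} {ev.image_loaded}  ({why})")
```

Keeping suppressed hits alongside alerts, rather than dropping them, is deliberate: an exclusion keyed only on a hostname prefix is easy for an intruder on one of those hosts to hide behind, so the suppressed set should be reviewed periodically and each entry kept as narrow as the scenarios above allow (user context, parent or originating tool, and the specific DLL) rather than excluding scrcons.exe wholesale.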