Adversaries may use WMI script event consumers to establish persistence by registering malicious scripts that execute when a chosen system event fires. These scripts run inside the WMI standard event consumer host, scrcons.exe, so files written by that process are the observable this rule keys on. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term access and command-and-control mechanisms.
Detection Rule
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
references:
  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
  - attack.privilege-escalation
  - attack.t1546.003
  - attack.persistence
logsource:
  product: windows
  category: file_event
detection:
  selection:
    Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
  condition: selection
falsepositives:
  - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
Azure Sentinel (KQL) translation over the ASIM file event parser:
imFileEvent
// The Sigma 'Image' field is the process that performed the write. In the ASIM
// FileEvent schema that is ActingProcessName; TargetFilePath is the file being
// written, so filtering on it would only catch writes *to* scrcons.exe.
| where ActingProcessName =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
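The following is an added example, not code from the Sigma rule, its author, or the Sentinel translation. It replays the rule's selection logic in Python over constructed Sysmon Event ID 11 (FileCreate) records so the distinction that matters can be seen: the rule fires on the writing process (Image), not on the file path being written. The `suppressed_targets` allowlist is a hypothetical local tuning hook for a vetted false positive such as the Dell Power Manager case the rule names; the rule itself defines no such field, and every event below is constructed.

```python
"""Added example, not code from the Sigma rule or its KQL translation:
replays the 'WMI Persistence - Script Event Consumer File Write' selection
over constructed Sysmon Event ID 11 (FileCreate) records.

Field names follow Sysmon's FileCreate event: Image is the process that
performed the write, TargetFilename is the file written. All events here
are constructed for the demonstration, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Path from the rule's selection.
SCRCONS = r"C:\WINDOWS\system32\wbem\scrcons.exe"


@dataclass(frozen=True)
class FileCreateEvent:
    utc_time: str
    image: str             # writing process (Sigma: Image)
    target_filename: str   # file written (Sigma: TargetFilename)


def norm(path: str) -> str:
    """Case-insensitive comparison, matching Sigma's default and KQL's =~."""
    return path.strip().lower()


def matches_selection(ev: FileCreateEvent) -> bool:
    """The rule's single selection: the *writer* is scrcons.exe.

    A record whose TargetFilename is scrcons.exe (e.g. Windows servicing
    replacing the binary) does not match; that is a different question.
    """
    return norm(ev.image) == norm(SCRCONS)


def detect(events: Iterable[FileCreateEvent],
           suppressed_targets: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one alert dict per matching event.

    suppressed_targets is a hypothetical local allowlist of target paths for
    vetted false positives (the Sigma rule has no such field).
    """
    suppressed = {norm(p) for p in suppressed_targets}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if not matches_selection(ev):
            continue
        if norm(ev.target_filename) in suppressed:
            continue
        alerts.append({
            "rule": "WMI Persistence - Script Event Consumer File Write",
            "level": "high",
            "utc_time": ev.utc_time,
            "image": ev.image,
            "target_filename": ev.target_filename,
            "tags": "attack.t1546.003 attack.persistence",
        })
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # 1: scrcons.exe writes a script into a temp directory -> alert
    FileCreateEvent("2024-01-01 10:00:00.000", SCRCONS,
                    r"C:\Windows\Temp\update.vbs"),
    # 2: same writer, different letter case -> still an alert
    FileCreateEvent("2024-01-01 10:00:01.000",
                    r"c:\windows\system32\wbem\SCRCONS.EXE",
                    r"C:\Users\Public\run.ps1"),
    # 3: scrcons.exe is the *target* of a write by another process -> no alert
    #    (writer path constructed for illustration)
    FileCreateEvent("2024-01-01 10:05:00.000",
                    r"C:\Windows\System32\svchost.exe", SCRCONS),
    # 4: unrelated writer and target -> no alert
    FileCreateEvent("2024-01-01 10:06:00.000",
                    r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\Public\notes.txt"),
]


def run_demo(suppressed_targets: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Run the detection over the constructed sample set."""
    return detect(SAMPLE_EVENTS, suppressed_targets)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Event 3 is the case the field choice decides: with the comparison on the writer it stays silent, whereas a query keyed on the target path would raise it and miss events 1 and 2. Suppression by target path is shown only as a tuning pattern; in practice any allowlist entry should be backed by the full script consumer definition, not just a file name.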
Scenario: Scheduled Task Creation via Task Scheduler
Description: An administrator creates a scheduled task using the Task Scheduler GUI or PowerShell, which involves writing to the WMI script event consumer.
Filter/Exclusion: process.name == "schtasks.exe" OR (process.name == "powershell.exe" AND process.args LIKE '%CreateTask%')

Scenario: Windows Update or Group Policy Deployment
Description: Windows Update or Group Policy settings may trigger file writes to WMI script event consumers during system configuration or policy application.
Filter/Exclusion: process.name == "wuauserv.exe" OR process.name == "gpupdate.exe" OR (process.name == "svchost.exe" AND image.loaded_module.name == "Policy.dll")

Scenario: System File Integrity Check (SFIC) or DISM Repair
Description: System file checks or DISM operations may modify WMI script event consumer files as part of system repair or integrity maintenance.
Filter/Exclusion: process.name == "dism.exe" OR process.name == "sfc.exe" OR (process.name == "system32\msiexec.exe" AND process.args LIKE '%DISM%')

Scenario: Administrative Script Deployment via PowerShell
Description: An admin deploys a script using PowerShell that interacts with WMI to configure event consumers, such as for monitoring system events.
Filter/Exclusion: process.name == "powershell.exe" AND (process.args LIKE '%Register-WmiEvent%' OR process.args LIKE '%New-WmiEventConsumer%')

Scenario: WMI Event Consumer Configuration via Local Group Policy
Description: An administrator configures WMI event consumers through the Local Group Policy Editor, which may result in file writes to the WMI script event consumer.
Filter/Exclusion: