← Back to Explore
sigmahighHunting
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Detection Query
selection_destination:
Destination|base64offset|contains:
- WriteProcessMemory
- This program cannot be run in DOS mode
- This program must be run under Win32
condition: selection_destination
Author
Florian Roth (Nextron Systems)
Created
2021-09-01
Data Sources
windowsWMI Events
Platforms
windows
Tags
attack.privilege-escalationattack.executionattack.t1047attack.persistenceattack.t1546.003
Raw Content
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
- https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1047
- attack.persistence
- attack.t1546.003
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
Destination|base64offset|contains:
- 'WriteProcessMemory'
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
falsepositives:
- Unknown
level: high