sigmamediumHunting

Potential Remote WMI ActiveScriptEventConsumers Activity

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.

MITRE ATT&CK

T1546.003

lateral-movementprivilege-escalationpersistence

Detection Query

selection:
  EventID: 4624
  LogonType: 3
  ProcessName|endswith: scrcons.exe
filter_main_local_system:
  TargetLogonId: "0x3e7"
condition: selection and not 1 of filter_main_*

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Created

2020-09-02

Data Sources

windowssecurity

Platforms

windows

References

https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html

Tags

attack.lateral-movementattack.privilege-escalationdetection.threat-huntingattack.persistenceattack.t1546.003

Raw Content

title: Potential Remote WMI ActiveScriptEventConsumers Activity
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: |
    Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
    This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
references:
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2024-09-02
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - detection.threat-hunting
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        ProcessName|endswith: 'scrcons.exe'
    filter_main_local_system:
        TargetLogonId: '0x3e7' # Local System
    condition: selection and not 1 of filter_main_*
falsepositives:
    - SCCM
level: medium