Scrcons.exe Rare Child Process

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

Attacker's Goals

The attacker is trying to gain Persistence via WMI script registration.

Investigative actions

  • Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it.
  • Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get
  • ".

Variations

Scrcons.exe Rare Child Process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

Attacker's Goals

The attacker is trying to gain Persistence via WMI script registration.

Investigative actions

  • Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it.
  • Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get
  • ".