Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.
Attacker's Goals
The attacker is trying to gain Persistence via WMI script registration.
Investigative actions
- Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it.
- Review registered WMI ActiveScriptEventConsumer instances by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get".
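As an added example (not code from the page or its vendor), the following PowerShell covers both investigative actions: it enumerates ActiveScriptEventConsumer instances together with the event filters and bindings that trigger them, and pulls Security 4688 process-creation events for mofcomp.exe so the parent process can be reviewed. It assumes an elevated session and that process-creation auditing is enabled; the function names are mine; the page's WMIC command queries root\default, and root\subscription is queried as well because that is where the class is documented on current Windows.

```powershell
# Added example, not code from the original page or its vendor.
# Assumptions: elevated session; Security 4688 auditing enabled for part 2;
# root\default (the page's namespace) and root\subscription are both checked.

function Get-WmiScriptSubscription {
    param([string[]] $Namespace = @('root\default', 'root\subscription'))
    foreach ($ns in $Namespace) {
        # Script consumers are what scrcons.exe executes when a bound filter fires
        $consumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
        foreach ($c in $consumers) {
            # Single-line preview of the script body for quick triage
            $preview = if ($c.ScriptText) { $c.ScriptText -replace '\s+', ' ' } else { '' }
            if ($preview.Length -gt 200) { $preview = $preview.Substring(0, 200) + '...' }
            [pscustomobject]@{
                Namespace       = $ns
                Consumer        = $c.Name
                ScriptingEngine = $c.ScriptingEngine
                ScriptFileName  = $c.ScriptFileName
                ScriptPreview   = $preview
            }
        }
        # The WQL filter and the binding show when and for which consumer the script runs
        Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
            Select-Object @{n='Namespace';e={$ns}}, Name, QueryLanguage, Query
        Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
            Select-Object @{n='Namespace';e={$ns}}, Filter, Consumer
    }
}

function Get-MofcompExecution {
    param([int] $Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)New Process Name:\s+\S*\\mofcomp\.exe' } |
        ForEach-Object {
            # Parent and command line are what decide whether the MOF compile was expected
            $m = $_.Message
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Parent      = [regex]::Match($m, 'Creator Process Name:\s+(.+)').Groups[1].Value.Trim()
                CommandLine = [regex]::Match($m, 'Process Command Line:\s+(.+)').Groups[1].Value.Trim()
            }
        }
}

Get-WmiScriptSubscription | Format-List
Get-MofcompExecution | Format-Table -AutoSize
```

The Parent and CommandLine fields stay empty on hosts where 4688 events lack the Creator Process Name field or command-line auditing is off.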