Potential Remote WMI ActiveScriptEventConsumers Activity

    Date: 09/18/2024

    Severity: Medium

    Summary

    This detection identifies potential adversaries using WMI ActiveScriptEventConsumers remotely to move laterally within a network. The matching event is best used in correlation with other signals and serves as valuable enrichment when assessing possible lateral movement activity.

    Indicators of Compromise (IOC) List

    EventID: 4624

    LogonType: 3

    ProcessName: 'scrcons.exe'

    TargetLogonId: '0x3e7'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((Resourcename = "Windows Security"  AND eventtype = "4624"  ) AND logontype = "3"  ) AND targetlogonid not like  "0x3e7"  ) AND winmessage like "scrcons.exe"

    Detection Query 2

    ((technologygroup = "EDR"  AND logontype = "3"  ) AND targetlogonid not like  "0x3e7"  ) AND winmessage like "scrcons.exe"
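    The following is an added example, not Gurucul's or the Sigma project's code, that applies the logic of the two detection queries above to constructed Windows Security 4624 records. It assumes records are dictionaries keyed by the EventData field names of event 4624 (EventID, LogonType, ProcessName, TargetLogonId, IpAddress) and keys on the ProcessName field rather than the whole message text.

```python
# Added example (not Gurucul's or the Sigma project's code): applies the logic
# of the two detection queries above to constructed Windows Security 4624
# records. Keys follow the EventData field names of event 4624.
SYSTEM_LOGON_ID = "0x3e7"   # logon ID of the local SYSTEM session, excluded by the queries


def is_remote_scrcons_logon(ev: dict) -> bool:
    """Mirror of the page's rule: EventID 4624, network logon (LogonType 3),
    logon requested by scrcons.exe, and not the SYSTEM session 0x3e7.
    Missing fields never match, so malformed records cannot raise false alerts."""
    if str(ev.get("EventID", "")) != "4624":
        return False
    if str(ev.get("LogonType", "")) != "3":
        return False
    process = str(ev.get("ProcessName", "")).lower()
    if not process.endswith("\\scrcons.exe"):
        return False
    # Compare case-insensitively: some sources render the logon ID as 0x3E7.
    return str(ev.get("TargetLogonId", "")).lower() != SYSTEM_LOGON_ID


def find_hits(events: list) -> list:
    """Return the records that match, for correlation with other lateral-movement signals."""
    return [ev for ev in events if is_remote_scrcons_logon(ev)]


# Constructed sample records (not real telemetry); the WMI script host lives
# under %SystemRoot%\System32\wbem.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "ProcessName": r"C:\Windows\System32\wbem\scrcons.exe",
     "TargetLogonId": "0x1A2B3C", "IpAddress": "10.0.0.25"},          # hit: remote session
    {"EventID": 4624, "LogonType": 3, "ProcessName": r"C:\Windows\System32\wbem\scrcons.exe",
     "TargetLogonId": "0x3E7", "IpAddress": "-"},                     # SYSTEM session: excluded
    {"EventID": 4624, "LogonType": 2, "ProcessName": r"C:\Windows\System32\wbem\scrcons.exe",
     "TargetLogonId": "0x4D5E6F", "IpAddress": "-"},                  # interactive logon: excluded
    {"EventID": 4624, "LogonType": 3, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "TargetLogonId": "0x7A8B9C", "IpAddress": "10.0.0.7"},           # other process: excluded
    {"EventID": 4624, "LogonType": 3, "TargetLogonId": "0x9F9F9F"},   # no ProcessName: excluded
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT remote scrcons.exe logon: TargetLogonId={hit['TargetLogonId']} "
              f"from {hit.get('IpAddress', '-')}")
```

    Only the first constructed record fires; the SYSTEM session, the interactive logon, the unrelated process and the record missing ProcessName are all excluded, matching the exclusions in the queries above.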

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml


    Tags

    SigmaMalware
