Skip to content

Hide Navigation Hide TOC

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load (b439f47d-ef52-4b29-9a2f-57d8a96cb6b8)

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Cluster A Galaxy A Cluster B Galaxy B Level
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load (b439f47d-ef52-4b29-9a2f-57d8a96cb6b8) Sigma-Rules Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 1
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2